2013 RAA is illegal, says EU privacy watchdog

European privacy regulators have slammed the new 2013 Registrar Accreditation Agreement, saying it would be illegal for registrars based in the EU to comply with it.

The Article 29 Working Party, which comprises privacy regulators from the 27 European Union nations, had harsh words for the part of the contract that requires registrars to store data about registrants for two years after their domains expire.

In a letter (pdf) to ICANN last month, Article 29 states plainly that such provisions would be illegal in the EU:

The fact that these personal data can be useful for law enforcement does not legitimise the retention of these personal data after termination of the contract. Because there is no legal ground for the data processing, the proposed data retention requirement violates data protection law in Europe.

The 2013 RAA allows any registrar to opt out of the data retention provisions if it can prove that to comply would be illegal its own jurisdiction.

The Article 29 letter has been sent to act as blanket proof of this for all EU-based registrars, but it’s not yet clear if ICANN will treat it as such.

The letter goes on to sharply criticize ICANN for allowing itself to be used by governments (and big copyright interests) to circumvent their own legislative processes. It says:

The fact that these data may be useful for law enforcement (including copyright enforcement by private parties) does not equal a necessity to retain these data after termination of the contract.

…

the Working Party reiterates its strong objection to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement.

If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation

So why is ICANN trying to get many of its registrars to break the law?

While it’s tempting to follow the Article 29 WP’s reasoning and blame law enforcement agencies and the Governmental Advisory Committee, whichpushed for the new RAA to be created in the first place, the illegal data retention provisions appear to be entirely ICANN’s handiwork.

The original law enforcement demands (pdf) say registrars should “securely collect and store” data about registrants, but there’s no mention of the period for which it should be stored.

And while the GAC has expressly supported the LEA recommendations since 2010, it has always said that ICANN should comply with privacy laws in their implementation.

The GAC does not appear to have added any of its own recommendations relating to data retention.

ICANN can’t claim it was unaware that the new RAA might be illegal for some registrars either. The Article 29 WP told it so last September, causing ICANN to introduce the idea of exemptions.

However, the European Commission’s GAC representative then seemed to dismiss the WP’s concerns during ICANN’s public meeting in Toronto last October.

Perhaps ICANN was justifiably confused by these mixed messages.

According to Michele Neylon, chair of the Registrars Stakeholder Group, it has yet to respond to European registrars’ inquiries about the Article 29 letter, which was sent June 6.

“We hope that ICANN staff will take the letter into consideration, as it is clear that the data protection authorities do not want create extra work either for themselves or for registrars,” Neylon said.

“For European registrars, and non-European registrars with a customer base in the EU, we look forward to ICANN staff providing us with clarity on how we can deal with this matter and respect EU and national law,” he said.