Since 2016 the ICANN community has been struggling with the relationship between its multistakeholder model and the reality of regulatory developments. Often these regulatory developments overrule the outcome of the multistakeholder discussions or impact its delicate status quo. A session at ICANN 71 on the impact of regulatory developments on ICANN policy topics touched on a number of aspects, but tip-toed around the really difficult questions.
I see three problems to this, with two possible solutions.
The problems
First, there is the issue of timing. The EU NIS 2 Directive proposal provides a perfect example here. Despite European legislators not being known for the high speed of their processes, the ICANN Community is struggling to keep up with the impact of finalised legislation. Where the Expedited Policy Development Process (EPDP) on the Temporary Specification for gTLD Registration Data is in essence a response to the 2016 GDPR, the ICANN Board is still considering the final report on phase 2 (the distinction between legal vs natural persons as registrants). However, in the meantime, the European Commission has published a proposal for an updated Network and Information Security Directive (NIS 2). This proposal includes an article that deals with data accuracy requirements for registries and registrars (i.e. Article 23). While it is tempting to see this as a solution in the current EPDP discussions, recent advice from the European Data Protection Supervisor (EDPS) signals it might not bring any relief. The key question is: should ICANN wait for the conclusion of this regional regulatory process or base its future discussions on the assumption that the draft proposal will stand the test of the trilogue?
Secondly, there is the issue of representation. ICANN’s multistakeholder community provides ICANN with its main strength: diversity-driven consensus. However, when ICANN consensus outcomes are fed into regulatory processes, they become just one of many different submissions. ICANN’s response to the Digital Services Act consultation was one of the whopping 2863 responses received. NIS 2 is currently being discussed in the European Parliament and is likely to raise a similar interest. At the same time, regional and national instruments might be of high relevance to the global ICANN community, but that interest might not be parallel to the interest of local ICANN community members (Law Enforcement, Governments or countrycode registries). So even if the ICANN community reaches a consensus, how is ICANN Org going to advocate that consensus in regional or national legislative processes?
Thirdly, different parts of the ICANN community are in rather a different shape when it comes to dealing with public interest issues. Let’s take the elephant in the room as an example: so-called DNS Abuse. As regulatory processes try to remedy regional or national issues, the way they target ‘the DNS’ or ‘domain name registries and registrars’ is often pretty blunt. In the - laudable - name of maintaining the level playing field, those parties with low DNS abuse stats will be affected in the same way as those with high stats. When the European Commission is aiming to “[contribute] to the security, stability and resilience of the DNS” by demanding data accuracy (NIS 2, art 23), it is unclear how additional requirements for registries and registrars with low DNS abuse stats would help achieve this.
The solutions
In the session, many participants identified the need to set up an early warning system for regulatory developments. This can only work as a joint effort. For example, CENTR publicly provides monthly regional updates (see e.g. for May 2021). Through the GAC (and ccNSO) ICANN has an incredible source for news about legislative initiatives at its fingertips. ICANN should further explore these avenues and provide a curated and regular feed to its community.
Legislative processes are best navigated after synchronisation with the local internet community and the local ICANN community participants. Before engaging in a process, ICANN should inform and sync with those entities. Here the GDPR provides an excellent example. European ccTLDs adapted pretty swiftly to the new circumstances, as they were compliant with their national data protection regimes long before the EU GDPR came into force. The change in accessibility of the WHOIS database has led to very few issues. Maybe more could have been learned from these local processes...
Think globally, but act locally in close partnership with the locals.
