The Internet Corporation for Assigned Names and Numbers (ICANN) wants the Personal Data Protection Bill to exempt activities related to registration of a domain name from user consent. In a letter to the Joint Parliamentary Committee, President and CEO of ICANN Göran Marby explained how the Bill would affect “the universal coordination of the Internet’s unique identifiers”. ICANN is a US-based non-profit organisation that coordinates the allocation of top-level domains and regulates the distribution of IP addresses.
Under the Bill, if the registrant/user of a domain does not consent to processing of personal data, domain name registries (like Internet Computer Bureau) and registrars (like GoDaddy) won’t be able to provide domain name registration services because of how the process works [Section 11]. Getting the consent of the user for each of the following data transfers “could be very challenging as they can be time sensitive”, ICANN said.
Domain name registries are databases of all domain names; registrars such as GoDaddy use these registries to let users purchase domain names. Both the registry and registrar have to maintain their own registration databases, which may include personal data. The registrar has to transfer this data to the registry or its service providers. Both the registry operator and the registrar transfer this data to a registrar data escrow agent (like Iron Mountain).
Registries and registrars may also transfer some registration data to ICANN (for compliance-related inquiries and to enforce ICANN’s agreements and policies), or to an Emergency Back-End Registry Operator (if there is a risk of failure of critical registry functions), and to third parties such as law enforcement agencies and intellectual property holders. A delay in getting consent here could result in disruption of internet services to Indian users, ICANN said.
- ICANN has asked to expand the scope of existing exemptions under Section 13; this section allows processing of personal data without user consent only for certain employment-related purposes.
- It has also asked that the list of “reasonable purposes” for processing personal data without consent [Section 14] be expanded to include functions such as:
  - Activities necessary to effect the registration of a domain name as “performance of a contract” between a user and a registrar,
  - ICANN’s coordination of the unique identifiers of a domain name with an Internet Protocol address, and
  - The transfer of registration data to a third party with a legitimate interest for accessing such data.