The European Data Protection Board certainly has been keeping its records straight. Its 27 May statement starts with the following:

“WP29 has been offering guidance to ICANN on how to bring WHOIS in compliance with European data protection law since 2003.”

All internet users have dealings with the Internet Corporation for Assigned Names and Numbers, yet the vast majority have never heard of ICANN. Responsible for deciding how the Domain Name System (DNS) is run, ICANN may be a technical standard-setting body, but its policies and activities acquire political nuances more often than not. At its core, there is a distinction between ICANN the organisation, incorporated in California, and the ICANN community, a multistakeholder group of volunteers who develop the policies that are subsequently implemented by the organisation.

Fifteen years ago, and only a few years after ICANN was established, European data protection regulators had already spotted the flaws with ICANN’s WHOIS service, a public database of registrants’ contact details. At the end of 2017, mere months before European General Data Protection Regulation (GDPR) came into effect, ICANN had yet to devise a plan to make its WHOIS registrant database compliant. However, this is no longer the era of paltry fines for violating data protection laws, when compliance was at best facultative.

Data protection as a human right

Here it’s important to recall the diverse origins of data protection law. At the EU level, the 1995 Data Protection Directive aimed to harmonize the regulation of automated data processing in order to fulfill the EU’s goal of free movement of goods and services (see recitals 7 and 8). In parallel, data protection began to be conceived as a human right, a notion that reached a more concrete with the Treaty of Lisbon and the 2009 European Union Charter of Fundamental Rights. Today’s GDPR, which replaces the old directive, explicitly relies on the EU’s human rights framework for its rationale (see recital 1 and following).

Unlike traditional human rights legislation, the GDPR contains concrete provisions for direct enforcement. That is, it grants entitlements to individuals against other legal persons beyond the state, i.e. companies. In addition, the contemplation of hefty fines for violation (up to 4% of global annual turnover for business entities), which is not an enforcement mechanism usually associated with human rights. This stick is what triggered the compliance rush witnessed over the past year, and the numerous subscription confirmation emails received from organisations long forgotten.

The GDPR is also interesting in that it creates an extremely specific and detailed bundle of rights to the benefit of EU citizens and residents against any data controller and processor, wherever they may be located. The EU thus acted according to a highly pragmatic conceptualisation of “online jurisdiction” similar to that of the Canadian courts in the 2017 Equustek case. In this high-profile copyright infringement case, the Canadian Supreme Court ruled that Google had to delist the incriminated website from its search results on a worldwide basis, not only under the google.ca subdomain. If a full de-listing meant applying Canadian law beyond its borders, so be it (it is worth noting the order failed at the enforcement level in the US.) With the GDPR, the EU adopts a similar perspective: individuals must be protected, even if it means potentially reaching out to every single data controller and processor in the world.

Extraterritoriality in cyberspace?

The application of laws based on residency, citizenship, or other non-territorial bases isn’t new. Tax law, notably from the US, is often applied in a similar way. The internet makes such an application of law even more salient, as individuals create and manage legal relationships across territories at an unprecedented scale. This can be unsettling for the “territorial” states, hence the observed trend toward extraterritoriality. States seek to have their laws apply to individuals irrespective of their physical location, particularly when dealing with internet-related issues, as a means of obtaining immediate legal effectivity. Regardless of whether GDPR’s alleged extraterritoriality is good or bad, it can be said that states, the EU, and courts will most likely favour an interpretation of “online jurisdiction” which maximizes their power and their perceived efficiency at enforcing their own laws.

An overly cynical (and factually wrong) conclusion would be that ICANN, as a non-profit California corporation, is not subject to human rights law, as they only create legal relations between governments and individuals. This would stem from an understanding of human rights law as a solely vertical arrangement between states and individuals, which disregards how an entity like ICANN can interfere with “horizontal” human rights entitlements, like those put into place by the GDPR. Recent events show that enforcing corporate respect for human rights is not some civil society pipe dream: a German court already ruled that ICANN’s last-minute GDPR compliance plan is not quite compliant.

Human rights at ICANN, beyond the Bylaw

ICANN has found itself in a double bind: on one side, an expansive understanding of jurisdiction is gaining ground around the world; on the other, a set of human rights norms, previously constrained to treaties and the often staid world of public international law, is finding a new horizontality. The standard for personal data protection has been decidedly raised, prompting us to rethink what human rights compliance means. ICANN’s global mission is tied to the functioning of internet, but its operations can severely interfere with individuals’ exercise of human rights, as well as the commitments of governments to uphold these rights.

Developing a high-level commitment, as ICANN did with its 2017 Human Rights Bylaw, is a first step. However, viable solutions must, at the same time, go deeper. Indeed, the operationalisation of ICANN’s human rights bylaw must pass through a refocusing of the lens, away from international treaties and into the low-level application of human rights norms at the transnational and national level. Rather than biding time before fines mandate action, the ICANN community should carry out sustained research and documentation of ICANN’s concrete interference with human rights, both existent and potential. The multistakeholder community should also put in place the necessary efforts to go beyond the mere human rights bylaw and into real compliance assessment, an ever-evolving activity that requires constant attention and monitoring.

In a 17 May letter, European commissioners asked ICANN, through its CEO, to “show leadership and demonstrate that the multi-stakeholder model actually delivers.” Be it taunting or encouraging, this challenge underscores the current need for intentional, proactive leadership from both the ICANN organisation and its community. Beyond enhancing its accountability, proactively identifying and preventing human rights violations might just prevent further debacles the next time a human rights law (not so) suddenly becomes applicable to ICANN. As California adopts its own improved data protection law, that time may come sooner than expected.

– Raphaël Beauregard-Lacroix, CCWP-HR Member

This post originally appeared on CircleID. If you are interested in contributing a guest post to the CCWP-HR website, please contact us.