Human Rights and ICANN – Into Uncharted Territory

Since its inception, the Internet has become a core delivery mechanism for human rights, particularly freedom of expression, but also the right to education, the right to association, and the right to political participation, among many others. As a steward over this global resource, ICANN plays a pivotal role in the exercise of these rights, and its policy decisions have profound impacts on the rights of billions of internet users. This gives rise to a novel conceptual challenge: what kind of human rights obligations attach to ICANN itself, and how should human rights be understood in the context of an organization which is not a government, nor an inter-governmental organization, nor a private sector corporation?

International human rights rules are primarily designed to bind States rather than private actors. There is, however, growing attention being paid to the human rights obligations that attach to corporations and other private sector entities. This is most prominently addressed in the UN’s Guiding Principles on Business and Human Rights, which formulates guidelines for avoiding private sector complicity in human rights violations. However, there is an increasing recognition that some private sector actors have a duty not just to avoid violating human rights, but that they also, in some circumstances, bear a responsibility to safeguard and even to promote human rights. This is particularly important to consider where the State has explicitly handed a key human rights oversight role to a non-State body, or where an entity effectively holds a monopoly position over a particular resource or function.

These conceptual challenges are in addition to the questions around whether and how human rights principles should be adapted to apply to online communications. Rather than creating a platform for an influential few, as newspapers or broadcasters do, the Internet facilitates speech directly by individuals, giving everyone a platform and access to a global audience. By the same token, however, this grants the intermediaries that facilitate online communication an unprecedented influence over individuals’ right to freedom of expression and access to information. This power has also attracted the attention of governments, which are placing increasing pressure on non-State actors to facilitate and/or participate in human rights violations, for example by acting to police particular user content, or handing over personal information about users.

All of this brings us back to ICANN, and its role in overseeing the domain name space, as well as in holding the ring between the different players that make online communication possible: including ISPs, registries, registrars, and other infrastructural components. Amending ICANN’s bylaws to ensure that the organization has a mandate to respect human rights is the first step, but it leads to far more challenging problems of defining what human rights mean in ICANN’s unique context. This is the conversation that the CCWP is helping to facilitate, as the diverse stakeholders in ICANN’s community come together to present their different visions of how human rights responsibilities apply to this novel ecosystem.

– Michael Karanicolas, CCWP-HR Chair

September 2018

Due Diligence and Why it Matters

On 31 July 2018, the CCWP-HR held a special meeting to explore the concept of “Due Diligence and Why it Matters.” Several subject experts joined the conversation to present on their areas of expertise. They were:

  • Michael Samway – President of the Business and Human Rights Group and veteran tech policy advisor
  • Michele Neylon – CEO of Blacknight, Chair of the I2 Coalition, and GNSO Councillor
  • Collin Kurre – CCWP-HR Co-chair and ARTICLE 19’s lead on developing impact assessments for internet providers
  • Raphaël Beauregard-Lacroix – NCSG member and author of a recent CCWP-HR guest post on ICANN, GDPR, and human rights

The meeting drew two dozen community members from a range of stakeholder groups: commercial and non-commercial actors, registrars, registries, and even the ICANN Ombud. Topics discussed included ICANN’s human rights policy commitment, and the broader application of due diligence to the ICT sector. Speakers also presented various methodological approaches, a sample workflow, and updates on progress toward developing DNS-specific due diligence tools.

Following the guest presentations, a discussion kicked off on the UNGP concept of using leverage to encourage partners and suppliers to uphold human rights principles. Participants highlighted the need for clear context, scope, and definitions in order to ensure that ICANN upholds its human rights commitment without going beyond its limited mission and mandate.

Read minutes from the meeting here. Recordings, chat log, and other meeting notes can be found on the NCSG Wiki.

– Collin Kurre, CCWP-HR Chair

August 2018

ICANN at a Crossroads: GDPR and Human Rights

The European Data Protection Board certainly has been keeping its records straight. Its 27 May statement starts with the following:

“WP29 has been offering guidance to ICANN on how to bring WHOIS in compliance with European data protection law since 2003.”

All internet users have dealings with the Internet Corporation for Assigned Names and Numbers, yet the vast majority have never heard of ICANN. Responsible for deciding how the Domain Name System (DNS) is run, ICANN may be a technical standard-setting body, but its policies and activities acquire political nuances more often than not. At its core, there is a distinction between ICANN the organisation, incorporated in California, and the ICANN community, a multistakeholder group of volunteers who develop the policies that are subsequently implemented by the organisation.

Fifteen years ago, and only a few years after ICANN was established, European data protection regulators had already spotted the flaws with ICANN’s WHOIS service, a public database of registrants’ contact details. At the end of 2017, mere months before the European General Data Protection Regulation (GDPR) came into effect, ICANN had yet to devise a plan to make its WHOIS registrant database compliant. However, this is no longer the era of paltry fines for violating data protection laws, when compliance was at best facultative.

Data protection as a human right

Here it’s important to recall the diverse origins of data protection law. At the EU level, the 1995 Data Protection Directive aimed to harmonize the regulation of automated data processing in order to fulfill the EU’s goal of free movement of goods and services (see recitals 7 and 8). In parallel, data protection began to be conceived as a human right, a notion that reached a more concrete form with the Treaty of Lisbon and the 2009 European Union Charter of Fundamental Rights. Today’s GDPR, which replaces the old directive, explicitly relies on the EU’s human rights framework for its rationale (see recital 1 and following).

Unlike traditional human rights legislation, the GDPR contains concrete provisions for direct enforcement. That is, it grants entitlements to individuals against other legal persons beyond the state, i.e. companies. In addition, it contemplates hefty fines for violation (up to 4% of global annual turnover for business entities), which is not an enforcement mechanism usually associated with human rights. This stick is what triggered the compliance rush witnessed over the past year, and the numerous subscription confirmation emails received from organisations long forgotten.

The GDPR is also interesting in that it creates an extremely specific and detailed bundle of rights to the benefit of EU citizens and residents against any data controller and processor, wherever they may be located. The EU thus acted according to a highly pragmatic conceptualisation of “online jurisdiction” similar to that of the Canadian courts in the 2017 Equustek case. In this high-profile copyright infringement case, the Canadian Supreme Court ruled that Google had to delist the incriminated website from its search results on a worldwide basis, not only under the subdomain. If a full de-listing meant applying Canadian law beyond its borders, so be it. (It is worth noting the order failed at the enforcement level in the US.) With the GDPR, the EU adopts a similar perspective: individuals must be protected, even if it means potentially reaching out to every single data controller and processor in the world.

Extraterritoriality in cyberspace?

The application of laws based on residency, citizenship, or other non-territorial bases isn’t new. Tax law, notably from the US, is often applied in a similar way. The internet makes such an application of law even more salient, as individuals create and manage legal relationships across territories at an unprecedented scale. This can be unsettling for the “territorial” states, hence the observed trend toward extraterritoriality. States seek to have their laws apply to individuals irrespective of their physical location, particularly when dealing with internet-related issues, as a means of obtaining immediate legal effectivity. Regardless of whether GDPR’s alleged extraterritoriality is good or bad, it can be said that states, the EU, and courts will most likely favour an interpretation of “online jurisdiction” which maximizes their power and their perceived efficiency at enforcing their own laws.

An overly cynical (and factually wrong) conclusion would be that ICANN, as a non-profit California corporation, is not subject to human rights law, as it only creates legal relations between governments and individuals. This would stem from an understanding of human rights law as a solely vertical arrangement between states and individuals, which disregards how an entity like ICANN can interfere with “horizontal” human rights entitlements, like those put into place by the GDPR. Recent events show that enforcing corporate respect for human rights is not some civil society pipe dream: a German court already ruled that ICANN’s last-minute GDPR compliance plan is not quite compliant.

Human rights at ICANN, beyond the Bylaw

ICANN has found itself in a double bind: on one side, an expansive understanding of jurisdiction is gaining ground around the world; on the other, a set of human rights norms, previously constrained to treaties and the often staid world of public international law, is finding a new horizontality. The standard for personal data protection has been decidedly raised, prompting us to rethink what human rights compliance means. ICANN’s global mission is tied to the functioning of the internet, but its operations can severely interfere with individuals’ exercise of human rights, as well as the commitments of governments to uphold these rights.

Developing a high-level commitment, as ICANN did with its 2017 Human Rights Bylaw, is a first step. However, viable solutions must, at the same time, go deeper. Indeed, the operationalisation of ICANN’s human rights bylaw must pass through a refocusing of the lens, away from international treaties and into the low-level application of human rights norms at the transnational and national level. Rather than biding time before fines mandate action, the ICANN community should carry out sustained research and documentation of ICANN’s concrete interference with human rights, both existent and potential. The multistakeholder community should also put in place the necessary efforts to go beyond the mere human rights bylaw and into real compliance assessment, an ever-evolving activity that requires constant attention and monitoring.

In a 17 May letter, European commissioners asked ICANN, through its CEO, to “show leadership and demonstrate that the multi-stakeholder model actually delivers.” Be it taunting or encouraging, this challenge underscores the current need for intentional, proactive leadership from both the ICANN organisation and its community. Beyond enhancing its accountability, proactively identifying and preventing human rights violations might just prevent further debacles the next time a human rights law (not so) suddenly becomes applicable to ICANN. As California adopts its own improved data protection law, that time may come sooner than expected.

– Raphaël Beauregard-Lacroix, CCWP-HR Member

This post originally appeared on CircleID.

July 2018