ICANN adopts all of the “purposes" identified in the EPDP current draft version of Recommendation 1, [see below for reference to those purposes for processing registration data], which addresses processing for the benefit of registries, registrars, ICANN, and third parties, as part of a future Consensus Policy that updates the WHOIS policy to address GDPR concerns
These purposes become incorporated into the relevant registrar and registry agreements with ICANN
There is a prior consensus policy calling for THICK WHOIS that was adopted by the ICANN Board following the Bylaws, that requires the transfer of the WHOIS contact data from the registrars to the registries for reasons that are identified in the Final Report, including ICANN mission related, “substantial benefits from mandating thick instead of thin Whois, including enhanced accessibility and enhanced stability."

Question: Is there a legal basis under GDPR for a Controller or Processor to justify a transfer of data elements from registrars to registries to enable the processing called for in these purposes even though the processing and transfer of data may be to enable processing for the benefit of 3rd parties? I.e., should the resulting policy from the EPDP would continue the requirement for Thick WHOIS?

For supporting your work on this question, please take note of the Thick Whois Final Report (https://gnso.icann.org/en/issues/whois/thick-final-21oct13-en.pdf) that describes the policy reasons for the recommendations. See also, https://www.icann.org/resources/pages/thick-whois-2016-06-27-en.

If you believe that a portion of the meeting records might be helpful to understand the rationale behind the policy recommendations, ICANN will be able to help you with that research.

The current version of the EPDP report is attached and lists the purposes for processing registration data: see page 5, Section 2.1, Recommendation 1.

In discussion this issue among the Team we believe that, because of its complexity, there will be some iteration between the EPDP Legal Team and Bird and Bird before a final memo is delivered. Therefore, please feel free to contact us at any point during your research and analysis.

Final note: Please take note that your input ion these issues will affect Phase 2 or implementation discussions and are not on the critical path for the Final Report on Phase 1 of the EPDP. So while timely input is requested, we are not working against a hard and immediate deadline.

Please let us know if you have any questions.

Best regards,

Kurt