Kurt, I think the point is that these processing practices were not adequate.
The fact that ICANN got away with them should not be construed
as an acceptance that they were legal. We need to examine
ICANN's scope and bylaws to determine how far they overreach.
Many actors on this EPDP are arguing that ICANN has a duty to
support law enforcement access, for instance, and trademark
enforcement. This is a matter that a court would examine
rather closely; it would not simply take ICANN's word for it
that producing a repository of personal information for
informal access is a role that ICANN properly plays.

I attach two letters
from the former Chair of the Article 29 Working Party, sent at
the time of the consultation of the 2013 RAA consultations.
While they focus on the new data retention requirements, the
reasoning still applies. Please note the penultimate
paragraph on page 4 of the 2012 letter. Page two of the
second letter specifically notes that law enforcement needs
should be addressed through national law.

Stephanie Perrin

Given that we have existing data collection and processing practices that were adequate pre-GDPR, it seems better to weigh those practices against GDPR and see what remains.