[PC-NCSG] Fwd: Re: [NCSG-Discuss] Draft Comments for Whois Proceeding
Rafik Dammak
rafik.dammak
Mon Aug 4 15:05:43 EEST 2014
Hi Maria,
Thank you for the confirmation, I submitted the comments in time last
friday.
thanks for everybody for the hardwork in such tight schedule
Rafik
2014-08-02 18:37 GMT+09:00 Maria Farrell <maria.farrell at gmail.com>:
> Hi Rafik,
>
> Yes, these comments have achieved consensus and can be submitted on behalf
> of ncsg.
>
> Cheers, m
>
> Sent from my iPhone
>
> On 1 Aug 2014, at 19:34, Rafik Dammak <rafik.dammak at gmail.com> wrote:
>
> Hi Maria,
>
> thank you, I think we already passed the deadline for comment, can we
> consider that the comments are endorsed and ready to be submitted?
>
> Best,
>
> Rafik
>
>
> 2014-08-01 20:27 GMT+09:00 Maria Farrell <maria.farrell at gmail.com>:
>
>> My apologies, I made the call for consensus on the next-to-final draft.
>>
>> Draft 6, what should be the final draft, closes for comments at 1500 UTC
>> today.
>>
>> Speak now or hold your peace, colleagues.
>>
>> All the best, Maria
>>
>>
>> On 1 August 2014 12:20, Rafik Dammak <rafik.dammak at gmail.com> wrote:
>>
>>> Thanks Stephanie for the edits and merging the comments.
>>> @Maria can you please make the call for consensus. I think Avri agrees
>>> with the changes but she will confirm that.
>>> we have less than 12 hours to submit the comments.
>>>
>>> Rafik
>>>
>>> 2014-08-01 19:24 GMT+09:00 Stephanie Perrin <
>>> stephanie.perrin at mail.utoronto.ca>:
>>>
>>> Thanks for sending, I am having trouble with attachments but I got
>>>> it. I think I have made all the corrections now, here is the amended
>>>> version 6, I believe you can post it.
>>>> cheers Stephanie
>>>>
>>>> On 2014-08-01, 6:11, Rafik Dammak wrote:
>>>>
>>>> Hi Stephanie,
>>>>
>>>> I think joy included her language in the attached document, can you
>>>> please merge that with the latest draft you circulated?
>>>> Lesson learned: using a shared online document and avoid the word
>>>> document versioning nightmare.
>>>>
>>>> Best,
>>>>
>>>> Rafik
>>>> ---------- Forwarded message ----------
>>>> From: "joy" <joy at apc.org>
>>>> Date: Jul 31, 2014 3:05 AM
>>>> Subject: Re: [NCSG-Discuss] Draft Comments for Whois Proceeding
>>>> To: <NCSG-DISCUSS at listserv.syr.edu>
>>>> Cc:
>>>>
>>>> Hi - thanks everyone for the effort on this
>>>> I have also added some information on the recent report of the UN High
>>>> Commissioner for Human Rights on the right to privacy in the digital age
>>>> - which includes aspects relevant for companies - plus one or two other
>>>> minor comments
>>>> Hope you get these in time!
>>>> Joy
>>>>
>>>> On 31/07/2014 4:17 a.m., Kathy Kleiman wrote:
>>>> > Hi All,
>>>> > Attached is the revised version of the comments. It has the changes of
>>>> > Stephanie and Ed incorporated (tx you!) I have drafted it for Rafik's
>>>> > signature and submission on behalf of the NCSG (feel free to add an
>>>> > electronic signature, Rafik!). (Track changes version showing edits
>>>> > attached)
>>>> >
>>>> > If you could please use _this version _of the revised comments for
>>>> > review and submission, that would be great.
>>>> > Best,
>>>> > Kathy
>>>> >
>>>> >
>>>> >
>>>> -----------------------------------------------------------------------------------------------------------------------------------------------
>>>> >
>>>> > NCSG Response to the Questions of the
>>>> >
>>>> > /Review of the ICANN Procedure for Handling WHOIS Conflicts with
>>>> > Privacy Law /
>>>> >
>>>> >
>>>> https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en//
>>>> >
>>>> >
>>>> > **
>>>> >
>>>> > The Noncommercial Stakeholders Group represents noncommercial
>>>> > organizations and individual noncommercial users in their work in the
>>>> > policy and proceedings of ICANN and the GNSO. We respectfully submit
>>>> > as an opening premise that every legal business has the right and
>>>> > obligation to operate within the bounds and limits of its national
>>>> > laws and regulations. No legal business establishes itself to violate
>>>> > the law; and to do so is an invitation to civil and criminal
>>>> > penalties, in addition to reputational damage and a loss of the trust
>>>> > of their customers and business partner. ICANN Registries and
>>>> > Registrars are no different ? they want and need to abide by their
>>>> laws.
>>>> >
>>>> > To that end, Registries and Registrars strive to comply with their
>>>> > national and local laws.They strive affirmatively and proactively to
>>>> > follow the laws and regulations under which they operate as legal
>>>> > entities. To do otherwise is to violate the purpose of a legal regime,
>>>> > to threaten the well being of the company, and to expose Directors,
>>>> > Officers and Employees to fines, jail, or civil litigation. In the
>>>> > matter of protection of personal and confidential information, which
>>>> > is a very newsworthy issue in the 21^st century, privacy practices are
>>>> > a matter of consumer trust, and therefore high risk for those
>>>> > operating an Internet business.Even if customers have obediently
>>>> > complied with demands for excessive collection and disclosure of
>>>> > personal information up to this point, in the current news furor over
>>>> > Snowden and the cooperation of business with national governments
>>>> > engaged in surveillance, this could change with the next news
>>>> > story.The Internet facilitates successful privacy campaigns.
>>>> >
>>>> > Thus, it is wise and timely for ICANN to raise the questions of this
>>>> > proceeding, /Review of the ICANN Procedure for Handling WHOIS
>>>> > Conflicts with Privacy Law/ (albeit at a busy time for the Community
>>>> > and at the height of summer; we expect to see more interest in this
>>>> > time towards the Fall and recommend that ICANN not construe the small
>>>> > number of comments received to date as a reflection of lack of
>>>> > interest). We submit these comments in response to the issues raises
>>>> > and the questions asked.
>>>> >
>>>> > *Background*
>>>> >
>>>> > The /ICANN Procedure for Handling Whois Conflicts with Privacy Law
>>>> > /was adopted in 2006 after years of debate on Whois issues. This
>>>> > Consensus Procedure was the first step of recognition that data
>>>> > protection laws and privacy law DO apply to the personal and sensitive
>>>> > data being collected by Registries and Registrars for the Whois
>>>> database.
>>>> >
>>>> > But for those of us in the Noncommercial Users Constituency (now part
>>>> > of the Noncommercial Stakeholders Group/NCSG) who helped debate, draft
>>>> > and adopt this Consensus Procedure in the mid-2000s, we were always
>>>> > shocked that the ICANN Community did not do more. At the time, several
>>>> > Whois Task Forces were at work with multiple proposals which include
>>>> > important and pro-active suggestions to allow Registrars and
>>>> > Registries to come into compliance with their national and local data
>>>> > protection and privacy laws.
>>>> >
>>>> > At the time, we never expected this Consensus Procedure to be an end
>>>> > itself ? but the first of many steps. We are glad the discussion is
>>>> > now reopened and we support empowering Registrars and Registries to be
>>>> > in full compliance with their national and local data protection,
>>>> > consumer protection and privacy laws ? from the moment they enter into
>>>> > their contracts with ICANN.
>>>> >
>>>> > We note there have been a number of recent decisions in higher courts
>>>> > in various jurisdictions which impact the constitutional rights of
>>>> > citizens to be free from warrantless disclosure and retention of their
>>>> > personal information for law enforcement purposes.This reflects the
>>>> > time it takes for data protection issues to wend their way to the high
>>>> > courts for a ruling.We would urge ICANN, who otherwise sit on the
>>>> > cutting edge of Internet technical issues, to reflect on their role as
>>>> > a key global player in Internet governance.Do we lead or do we wait
>>>> > until we are dragged into Court, to realize our responsibilities to
>>>> > protect the fundamental rights of the citizens who depend on the
>>>> > Internet to participate in modern society?//
>>>> >
>>>> > II. Data Protection and Privacy Laws ? A Quick Overview of the
>>>> > Principles that Protect the Personal and Sensitive Data of Individuals
>>>> > and Organizations/Small Businesses
>>>> >
>>>> > It is important to stress that while the discourse about data
>>>> > protection requirements at ICANN has tended to focus on the European
>>>> > Union and its Data Commissioners, as represented in the Article 29
>>>> > Working Party on Data Protection, there are a great many countries
>>>> > which have data protection law in place, including Canada, Mexico,
>>>> > much of South America, Korea, Japan, Australia, New Zealand,
>>>> > Singapore, South Africa, and many others.It is therefore quite
>>>> > puzzling that ICANN does not assemble a working group to study the
>>>> > matter and develop a harmonized approach to the issue, rather than
>>>> > take this rather odd approach of forcing registrars and registries to
>>>> > break national and local law.
>>>> >
>>>> > It is also important to note that there are many levels of data
>>>> > protection law, from local municipal law to state and national
>>>> > law.There is also sectoral law which applies to certain sectors.It
>>>> > would be a reasonable approach to develop a policy that reflects
>>>> > harmonized best practice, and abide by the policy rather than engage
>>>> > in this adversarial approach to local law.Data protection law is
>>>> > overwhelmingly complaints based, so it is inherently difficult for
>>>> > registrars and registries to get a ruling from data protection
>>>> > commissioners absent a complaint and a set of facts.
>>>> >
>>>> > In this regard, we also find it puzzling that despite the fact that
>>>> > the Article 29 Working Party wrote to ICANN senior management to
>>>> > indicate that they have reviewed the matter and reached an opinion
>>>> > that the practices involving WHOIS do indeed violate EU law, ICANN has
>>>> > not taken that message and developed a policy that guides their data
>>>> > protection practices, starting with a clear statement of limited
>>>> > purpose for the collection, use, and disclosure of personal
>>>> information.
>>>> >
>>>> > The NCSG held a privacy meeting at the London ICANN 50 meeting, which
>>>> > was quite well attended.While we did not specifically address or
>>>> > attempt to brainstorm this particular problem, we feel it is safe to
>>>> > summarize the following points:
>>>> >
>>>> > ?There is considerable interest, in civil society, in the protection
>>>> > of personal information at ICANN.
>>>> >
>>>> > ?Policies and procedures such as were developed for the 2013 RAA are
>>>> > very puzzling to those who are engaged in government and business in
>>>> > the privacy field.This is not 1995, when the EU Directive on data
>>>> > protection was passed and was still controversial.ICANN needs to catch
>>>> > up with global business practice, preferably by developing binding
>>>> > corporate rules which would take a harmonized approach to the
>>>> > differing local laws. It is not appropriate for all data protection to
>>>> > fall away in jurisdictions where there is not yet a data protection
>>>> > law that applies to the provision of internet services, including
>>>> > domain name registration.
>>>> >
>>>> > ?NCSG is ramping up a team of volunteers to provide more detailed
>>>> > expertise and input on a number of privacy and free speech
>>>> > issues.While civil society is inherently stretched and short of
>>>> > resources, this is an issue that they care deeply about, and our
>>>> > outreach has begun to bear fruit in engaging others who are outside
>>>> > the immediate sphere of ICANN membership.This is important as they are
>>>> > part of the constituency we seek to represent.
>>>> >
>>>> > ICANN spends considerable time on technical parameters, data accuracy,
>>>> > and retention.More time needs to be spent on data protection policy.In
>>>> > this respect, more expertise would be required as there is very little
>>>> > evidence of privacy expertise in the ICANN community.
>>>> >
>>>> > III*/./*Questions asked of the Community in this Proceeding
>>>> >
>>>> > The ICANN Review Paper raised a number of excellent questions. In
>>>> > keeping with the requirements of a Reply Period, these NCSG comments
>>>> > will address both our comments and those comments we particularly
>>>> > support in this proceeding.
>>>> >
>>>> > However we would first like to note that the paper appears to start
>>>> > from the position that the procedures involved in this waiver process
>>>> > simply need to be tweaked.Operating under the first principle that all
>>>> > business must comply with local law, there is a need for ICANN to
>>>> > embrace data protection law as a well recognized branch of law which
>>>> > codifies well recognized business best practices with respect to the
>>>> > confidentiality of customer data.We respectfully submit that, if ICANN
>>>> > had a professional privacy officer, it is highly unlikely that he/she
>>>> > would recommend to senior management that the current approach be
>>>> > entertained in 2014.
>>>> >
>>>> > 1.1Is it impractical for ICANN to require that a contracted party
>>>> > already haslitigation or a government proceeding initiated against it
>>>> > prior to being able to invoke the Whois Procedure?
>>>> >
>>>> > 1.1 Response: Yes, it is completely impractical (and ill-advised) to
>>>> > force a company to violate a national law as a condition of complying
>>>> > with their contract. Every lawyer advises businesses to comply with
>>>> > the laws and regulations of their field. To do otherwise is to face
>>>> > fines, penalties, loss of the business, even jail for officers and
>>>> > directors. Legal business strives to be law-abiding; no officer or
>>>> > director wants to go to jail for her company's violations. It is the
>>>> > essence of an attorney's advice to his/her clients to fully comply
>>>> > with the laws and operate clearly within the clear boundaries and
>>>> > limits of laws and regulations, both national, by province or state
>>>> > and local.
>>>> >
>>>> > In these Reply Comments, we support and encourage ICANN to adopt
>>>> > policies consistent with the initial comments submitted by the
>>>> > European Commission:
>>>> >
>>>> > -that the Whois Procedure be changed from requiring specific
>>>> > prosecutorial action instead to allowing ?demonstrating evidence of a
>>>> > potential conflict widely and e.g. accepting information on the
>>>> > legislation imposing requirements that the contractual requirements
>>>> > would breach as sufficient evidence.? (European Commission comments)
>>>> >
>>>> > We also agree with Blacknight:
>>>> >
>>>> > -?It's completely illogical for ICANN to require that a contracting
>>>> > party already has litigation before they can use a process. We would
>>>> > have loved to use a procedure or process to get exemptions, but
>>>> > expecting us to already be litigating before we can do so is, for lack
>>>> > of a better word, nuts.? (Blacknight comments in this proceeding).
>>>> >
>>>> > -
>>>> >
>>>> > 1.1a How can the triggering event be meaningfully defined?
>>>> >
>>>> > This is an important question. Rephrased, we might ask together ?what
>>>> > must a Registry or Registrar show ICANN in support of its claim that
>>>> > certain provisions involving Whois data violate provisions of national
>>>> > data protection and privacy laws?
>>>> >
>>>> > NCSG respectfully submits that there are at least four ?triggering
>>>> > events? that ICANN should recognize:
>>>> >
>>>> > -Evidence from a national Data Protection Commissioner or his/her
>>>> > office (or from a internationally recognized body of national Data
>>>> > Protection Commissioners in a certain region of the world, including
>>>> > the Article 29 Working Party that analyzes the national data
>>>> > protection and privacy laws) that ICANN's contractual obligations for
>>>> > Registry and/or Registrar contracts violate the data protection laws
>>>> > of their country or their group of countries;
>>>> >
>>>> > -Evidence of legal and/or jurisdictional conflict arising from
>>>> > analysis performed by ICANN's legal department or by national legal
>>>> > experts hired by ICANN to evaluate the Whois requirements of the ICANN
>>>> > contracts for compliance and conflicts with national data protection
>>>> > laws and cross-border transfer limits) (similar to the process we
>>>> > understand was undertaken for the data retention issue);
>>>> >
>>>> > -Receipt of a written legal opinion from a nationally recognized law
>>>> > firm or qualified legal practitioner in the applicable jurisdiction
>>>> > that states that the collection, retention and/or transfer of certain
>>>> > Whois data elements as required by Registrar or Registry Agreements is
>>>> > ?reasonably likely to violate the applicable law? of the Registry or
>>>> > Registrar (per the process allowed in RAA Data Retention
>>>> > Specification); or
>>>> >
>>>> > -An official opinion of any other governmental body of competent
>>>> > jurisdiction providing that compliance with the data protection
>>>> > requirements of the Registry/Registrar contracts violates applicable
>>>> > national law (although such pro-active opinions may not be the
>>>> > practice of the Data Protection Commissioner's office).
>>>> >
>>>> > The above list draws from the comments of the European Commission,
>>>> > Data Retention Specification of the 2013Registrar Accreditation
>>>> > Agreement, and sound compliance and business practices for the ICANN
>>>> > General Counsel's office.
>>>> >
>>>> > We further agree with Blacknight that the requirements for triggering
>>>> > any review and consideration by ICANN be: simple and straightforward,
>>>> > quick and easy to access.
>>>> >
>>>> > 1.3Are there any components of the triggering event/notification
>>>> > portion of the RAA's Data Retention waiver process that should be
>>>> > considered as optional for incorporation into a modified Whois
>>>> Procedure?
>>>> >
>>>> > 1.3 Response:Absolutely, the full list in 1.1a above, together with
>>>> > other constructive contributions in the Comments and Reply Comments of
>>>> > this proceeding, should be strongly considered for incorporation into
>>>> > a modified Whois Procedure, or simply written into the contracts of
>>>> > the Registries and Registrars contractual language, or a new Annex or
>>>> > Specification.
>>>> >
>>>> > We respectfully submit that the obligation of Registries and
>>>> > Registrars to comply with their national laws is not a matter of
>>>> > multistakeholder decision making, but a matter of law and compliance.
>>>> > In this case, we wholeheartedly embrace the concept of building a
>>>> > process together that will allow exceptions for data protection and
>>>> > privacy laws to be adopted quickly and easily.
>>>> >
>>>> > 1.4Should parties be permitted to invoke the Whois Procedure before
>>>> > contracting with ICANN as a registrar or registry?
>>>> >
>>>> > 1.4 Response: Of course, Registries and Registrars should be allowed
>>>> > to invoke the Whois Procedure, or other appropriate annexes and
>>>> > specifications that may be added into Registry and Registrar contracts
>>>> > with ICANN. As discussed above, the right of a legal company to enter
>>>> > into a legal contracts is the most basic of expectations under law.
>>>> >
>>>> > 2.1Are there other relevant parties who should be included in this
>>>> step?
>>>> >
>>>> > 2.1 Response: We agree with the EC that ICANN should be working as
>>>> > closely with National Data Protection Authorities as they will allow.
>>>> > In light of the overflow of work into these national commissions, and
>>>> > the availability of national experts at law firms, ICANN should also
>>>> > turn to the advice of private experts,such as well-respected law firms
>>>> > who specialize in national data protection laws. The law firm's
>>>> > opinions on these matters would help to guide ICANN's knowledge and
>>>> > evaluation of this important issue.
>>>> >
>>>> > 3.1How is an agreement reached and published?
>>>> >
>>>> > 3.1 Response. As discussed above, compliance with national law may not
>>>> > be the best matter for negotiation within a multistakeholder process.
>>>> > It really should not be a chose for others to make whether you comply
>>>> > with your national data protection and privacy laws. That said, the
>>>> > process of refining the Consensus Procedure, and adopting new policies
>>>> > and procedures, or simply putting new contract provisions, annexes or
>>>> > specifications into the Registry and Registrar contracts SHOULD be
>>>> > subject to community discussion, notification and review.But once the
>>>> > new process is adopted, we think the new changes, variations,
>>>> > modifications or exceptions of Individual Registries and Registrars
>>>> > need go through a public review and process. The results, however,
>>>> > Should be published for Community notification and review.
>>>> >
>>>> > We note that in conducting the discussion with the Community on the
>>>> > overall or general procedure, policy or contractual changes, ICANN
>>>> > should be assertive in its outreach to the Data Protection
>>>> > Commissioners. Individual and through their organizations, they have
>>>> > offered to help ICANN evaluate this issue numerous times. The Whois
>>>> > Review Team noted the inability of many external bodies to monitor
>>>> > ICANN regularly, but the need for outreach to them by ICANN staff
>>>> > nonetheless:
>>>> >
>>>> > *Recommendation 3:Outreach*
>>>> >
>>>> > *ICANN should ensure that WHOIS policy issues are accompanied by
>>>> > cross-community outreach, including outreach to the communities
>>>> > outside of ICANN with a specific interest in the issues, and an
>>>> > ongoing program for consumer awareness. (Whois Review Team Final
>>>> Report)*
>>>> >
>>>> > This is a critical policy item for such outreach and input.
>>>> >
>>>> > 3.2If there is an agreed outcome among the relevant parties, should
>>>> > the Board be involved in this procedure?
>>>> >
>>>> > 3.2 Response: Clearly, the changing of the procedure, or the adoption
>>>> > of a new policy or new contractual language for Registries and
>>>> > Registrars, Board oversight and review should be involved. But once
>>>> > the new procedure, policy or contractual language is in place, then
>>>> > subsequent individual changes, variations, modifications or exceptions
>>>> > should be handled through the process and ICANN Staff ? as the Data
>>>> > Retention Process is handled today.
>>>> >
>>>> > 4.1Would it be fruitful to incorporate public comment in each of the
>>>> > resolution scenarios.
>>>> >
>>>> > 4.1 Response: We think this question means whether there should be
>>>> > public input on each and every exception?We respectfully submit that
>>>> > the answer is No. Once the new policy, procedure or contractual
>>>> > language is adopted, then the process should kick in and the
>>>> > Registrar/Registry should be allowed to apply for the waiver,
>>>> > modification or revision consistent with its data protection and
>>>> > privacy laws.Of course, once the waiver or modification is granted,
>>>> > the decision should be matter of public record so that other
>>>> > Registries and Registrars in the jurisdiction know and so that the
>>>> > ICANN Community as a whole can monitor this process' implementation
>>>> > and compliance.
>>>> >
>>>> > Step Five: Public notice
>>>> >
>>>> > 5.2Is the exemption or modification termed to the length of the
>>>> > agreement? Or is it indefinite as long as the contracted party is
>>>> > located in the jurisdiction in question, or so long as the applicable
>>>> > law is in force.
>>>> >
>>>> > 5.2 Response:We agree with the European Commission in its response,
>>>> >
>>>> > ?/By logic the exemption or modification shall be in place as long as
>>>> > the party is subject to the jurisdiction in conflict with ICANN rules.
>>>> > If the applicable law was to change, or the contacted party moved to a
>>>> > different jurisdiction, the conditions should be reviewed to assess if
>>>> > the exemption is still justified.?/
>>>> >
>>>> > //
>>>> >
>>>> > But provided it is the same parties, operating under the same laws,
>>>> > the modification or change should continue through the duration of the
>>>> > relationship between the Registry/Registrar and ICANN.
>>>> >
>>>> > 5.3Should an exemption or modification based on the same laws and
>>>> > facts then be granted to other affected contracted parties in the same
>>>> > jurisdiction without invoking the Whois Procedure.
>>>> >
>>>> > 5.3 Response. The European Commission in its comments wrote, and we
>>>> > strongly agree: /?the same exception should apply to others in the
>>>> > same jurisdiction who can demonstrate that they are in the same
>>>> > situation.? /Further, Blacknight wrote and we support: /?if ANY
>>>> > registrar in Germany, for example, is granted a waiver based on German
>>>> > law, than ALL registrars based in Germany should receive the same
>>>> > treatment.? /Once a national data protection or privacy law is
>>>> > interpreted as requiring and exemption or modification, it should be
>>>> > available to all Registries/Registrars in that country.
>>>> >
>>>> > Further, we recommend that ICANN should be required to notify each
>>>> > gTLD Registry and Registrar in the same jurisdiction as that of the
>>>> > decision so they will have notice of the change.
>>>> >
>>>> > We thank ICANN staff for holding this comment period.
>>>> >
>>>> > Respectfully submitted,
>>>> >
>>>> > Rafik Dammak
>>>> >
>>>> > Chairman, NCSG
>>>> >
>>>> > On behalf of the Noncommercial Stakeholders Group
>>>> >
>>>> >
>>>> >
>>>>
>>>>
>>>>
>>>
>>> _______________________________________________
>>> PC-NCSG mailing list
>>> PC-NCSG at ipjustice.org
>>> http://mailman.ipjustice.org/listinfo/pc-ncsg
>>>
>>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.ipjustice.org/pipermail/pc-ncsg/attachments/20140804/e1429be2/attachment-0001.html>
More information about the NCSG-PC
mailing list