[PC-NCSG] [urgent] Draft Comments for Whois Proceeding
Avri Doria
avri
Wed Jul 30 15:28:00 EEST 2014
Hi,
Started reviewing them, actually Stephanie's comments. They are written
from an NCUC perspective and need to be approved by them, not us.
avri
On 30-Jul-14 11:36, Rafik Dammak wrote:
> Hi everyone,
>
> Kathy sent a draft comment to the whois conflict with local laws. we
> have a tight schedule and we should act quickly.
> we are responding during the reply period which means the last chance
> for us to do so.
> @Maria can you please follow-up with this request?
>
> Best,
>
> Rafik
>
>
>
> ---------- Forwarded message ----------
> From: *Kathy Kleiman* <kathy at kathykleiman.com
> <mailto:kathy at kathykleiman.com>>
> Date: 2014-07-30 2:44 GMT+09:00
> Subject: Draft Comments for Whois Proceeding
> To: Rafik Dammak <rafik.dammak at gmail.com
> <mailto:rafik.dammak at gmail.com>>, NCSG-DISCUSS at listserv.syr.edu
> <mailto:NCSG-DISCUSS at listserv.syr.edu>
>
>
> To Rafik, NCSG Executive Committee and NCSG Membership,
>
> There is an important, but very quiet comment proceeding that has been
> taking place this summer. It is the /Review of the ICANN Procedure for
> Handling WHOIS Conflicts with Privacy Law///at
> /https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en/
>
>
> Stephanie put out a call for comments, and not seeing any, I drafted
> these. It has been dismayeding ever since ICANN adopted its Consensus
> Procedure for Handling WHOIS Conflicts with Privacy law -- because it
> basically requires that Registrars and Registries have to be sued or
> receive an official notice of violation before they can ask ICANN for a
> waiver of the Whois requirements. That always seemed very unfair- that
> you have to be exposed to allegation of illegal activity in order to
> protect yourself or your Registrants under your national data protection
> and privacy laws.
>
> In the more recent Data Retention Specification, of the 2013 RAA, ICANN
> Staff and Lawyers saw this problem and corrected it -- now Registrars
> can be much more pro-active in showing ICANN that a certain clause in
> their contract (e.g., extended data retention) is a clear violation of
> their national law (e.g., more limited data retention).
>
> So to this important comment proceeding, I drafted these comments for us
> to submit. As Reply Comments (during the Reply Period), we are asked to
> respond to other commenters. That's easy as the European Commission and
> Registrar Blacknight submitted useful comments.
>
> Rafik, can we edit, finalize and submit by the deadline on Friday?
> Comments below and attached. If you have edits, in the interest of time,
> kindly suggest alternate language. Tx!!
>
> Best,
> Kathy
> --------------------------------------------------------------------------------------------------------
>
> DRAFT NCSG Response to the Questions of the
>
> /Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy
> Law//
> https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en/
>
>
> *Introduction*
>
> The Noncommercial Stakeholders Group represents noncommercial
> organizations in their work in the policy and proceedings of ICANN and
> the GNSO. We respectfully submit as an opening premise that every legal
> business has the right and obligation to operate within the bounds and
> limits of its national laws and regulations. No legal business
> establishes itself to violate the law; and to do so is an invitation to
> civil and criminal penalties. ICANN Registries and Registrars are no
> different ? they want and need to abide by their laws.
>
> Thus, it is timely for ICANN to raise the questions of this proceeding,
> /Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy
> Law/(albeit at a busy time for the Community and at the height of
> summer; we expect to see more interest in this time towards the Fall).
> We submit these comments in response to the issues raises and the
> questions asked.
>
> *Background*
>
> The /ICANN Procedure for Handling Whois Conflicts with Privacy Law /was
> adopted in 2006 after years of debate on Whois issues. This Consensus
> Procedure was the first step of recognition that data protection laws
> and privacy law DO apply to the personal and sensitive data being
> collected by Registries and Registrars for the Whois database.
>
> But for those of us in the Noncommercial Users Constituency (now part of
> the Noncommercial Stakeholders Group/NCSG) who helped debate, draft and
> adopt this Consensus Procedure in the mid-2000s, we were always shocked
> that the ICANN Community did not do more. At the time, multiple Whois
> Task Forces were at work with multiple proposals which include important
> and pro-active suggestions to allow Registrars and Registries to come
> into compliance with their national data protection and privacy laws.
>
> At the time, we never expected this Consensus Procedure to be an end
> itself ? but the first step of many steps. It was an ?end? for too long,
> so we are glad the discussion is reopened and once again we seek to
> allow Registrars and Registries to be in full compliance with their
> national data protection and privacy laws ? from the moment they enter
> into their contracts with ICANN.
>
> *II. Data Protection and Privacy Laws ? A Quick Overview of the
> Principles that Protect the Personal and Sensitive Data of Individuals
> and Organizations/Small Businesses *
>
> **
>
> /*[Stephanie, Tamir or Others with Expertise in Canadian and European
> Data Protection Laws may choose to add something here]. */
>
> III/*. */Questions asked of the Community in this Proceeding
>
> The ICANN Review Paper raised a number of excellent questions. In
> keeping with the requirements of a Reply Period, these NCSG comments
> will address both our comments and those comments we particularly
> support in this proceeding.
>
> 1.
>
> Is it impractical for ICANN to require that a contracted party
> already has litigation or a government proceeding initiated
> against it prior to being able to invoke the Whois Procedure?
>
> 1.1 Response: Yes, it is completely impractical (and ill-advised) to
> force a company to violate a national law as a condition of complying
> with that national law. Every lawyer advises businesses to comply with
> the laws and regulations of their field. To do otherwise is to face
> fines, penalties, loss of the business, even jail for officers and
> directors. Legal business strives to be law-abiding; no officer or
> director wants to go to jail for her company's violations. It is the
> essence of an attorney's advice to his/her clients to fully comply with
> the laws and operate clearly within the clear boundaries and limits of
> laws and regulations, both national, by province or state and local.
>
> In these Reply Comments, we support and encourage ICANN to adopt
> policies consistent with the initial comments submitted by the European
> Commission:
>
> o
>
> that the Whois Procedure be changed from requiring specific
> prosecutorial action instead to allowing ?demonstrating evidence
> of a potential conflict widely and e.g. accepting information on
> the legislation imposing requirements that the contractual
> requirements would breach as sufficient evidence.? (European
> Commission comments)
>
> We also agree with Blacknight:
>
> o
>
> ?It's completely illogical for ICANN to require that a
> contracting party already has litigation before they can use a
> process. We would have loved to use a procedure or process to
> get exemptions, but expecting us to already be litigating before
> we can do so is, for lack of a better word, nuts.? (Blacknight
> comments in this proceeding).
>
>
> 1.1a How can the triggering event be meaningfully defined?
>
> 1.1 a Response: This is an important question. Rephrased, we might ask
> together ? what must a Registry or Registrar show ICANN in support of
> its claim that certain provisions involving Whois data violate
> provisions of national data protection and privacy laws?
>
> NCSG respectfully submits that there are at least four ?triggering
> events? that ICANN should recognize:
>
> o
>
> Evidence from a national Data Protection Commissioner or his/her
> office (or from a internationally recognized body of national
> Data Protection Commissioners in a certain region of the world,
> including the Article 29 Working Party that analyzes the
> national data protection and privacy laws) that ICANN's
> contractual obligations for Registry and/or Registrar contracts
> violate the data protection laws of their country or their group
> of countries;
>
> o
>
> Evidence of legal and/or jurisdictional conflict arising from
> analysis performed by ICANN's legal department or by national
> legal experts hired by ICANN to evaluate the Whois requirements
> of the ICANN contracts for compliance and conflicts with
> national data protection laws and cross-border transfer limits)
> (similar to the process we understand was undertaken for the
> data retention issue);
>
>
> o
>
> Receipt of a written legal opinion from a nationally recognized
> law firm in the applicable jurisdiction that states that the
> collection, retention and/or transfer of certain Whois data
> elements as required by Registrar or Registry Agreements is
> ?reasonably likely to violate the applicable law? of the
> Registry or Registrar (per the process allowed in RAA Data
> Retention Specification); or
>
>
> o
>
> An official opinion of any other governmental body of competent
> jurisdiction providing that compliance with the data protection
> requirements of the Registry/Registrar contracts violates
> applicable national law (although such pro-active opinions may
> not be the practice of the Data Protection Commissioner's office).
>
> The above list draws from the comments of the European Commission, Data
> Retention Specification of the 2013 Registrar Accreditation Agreement,
> and sound compliance and business practices for the ICANN General
> Counsel's office.
>
> We further agree with Blacknight that the requirements for triggering
> any review and consideration by ICANN be: simple and straightforward,
> quick and easy to access.
>
>
> 1.3 Are there any components of the triggering event/notification
> portion of the RAA's Data Retention waiver process that should be
> considered as optional for incorporation into a modified Whois Procedure?
>
>
> 1.3 Response: Absolutely, the full list in 1.1a above, together with
> other constructive contributions in the Comments and Reply Comments of
> this proceeding, should be strongly considered for incorporation into a
> modified Whois Procedure, or simply written into the contracts of the
> Registries and Registrars contractual language, or a new Annex or
> Specification.
>
> We respectfully submit that the obligation of Registries and Registrars
> to comply with their national laws is not a matter of multistakeholder
> decision making, but a matter of law and compliance. In this case, we
> wholeheartedly embrace the concept of building a process together that
> will allow exceptions for data protection and privacy laws to be adopted
> quickly and easily.
>
>
> 1.4 Should parties be permitted to invoke the Whois Procedure before
> contracting with ICANN as a registrar or registry?
>
>
> 1.4 Response: Of course, Registries and Registrars should be allowed to
> invoke the Whois Procedure, or other appropriate annexes and
> specifications that may be added into Registry and Registrar contracts
> with ICANN. As discussed above, the right of a legal company to enter
> into a legal contracts is the most basic of expectations under law.
>
>
> 2.1 Are there other relevant parties who should be included in this
> step?
>
>
> 2.1 Response: We agree with the EC that ICANN should be working as
> closely with National Data Protection Authorities as they will allow. In
> light of the overflow of work into these national commissions, and the
> availability of national experts at law firms, ICANN should also turn to
> the advice of private experts, such as well-respected law firms who
> specialize in national data protection laws. The law firm's opinions on
> these matters would help to guide ICANN's knowledge and evaluation of
> this important issue.
>
>
> 3.1 How is an agreement reached and published?
>
> 3.1 Response. As discussed above, compliance with national law may not
> be the best matter for negotiation within a multistakeholder process. It
> really should not be a chose for others to make whether you comply with
> your national data protection and privacy laws. That said, the process
> of refining the Consensus Procedure, and adopting new policies and
> procedures, or simply putting new contract provisions, annexes or
> specifications into the Registry and Registrar contracts SHOULD be
> subject to community discussion, notification and review. But once the
> new process is adopted, we think the new changes, variations,
> modifications or exceptions of Individual Registries and Registrars need
> go through a public review and process. The results, however, Should be
> published for Community notification and review.
>
>
> We note that in conducting the discussion with the Community on the
> overall or general procedure, policy or contractual changes, ICANN
> should be assertive in its outreach to the Data Protection
> Commissioners. Individual and through their organizations, they have
> offered to help ICANN evaluate this issue numerous times. The Whois
> Review Team noted the inability of many external bodies to monitor ICANN
> regularly, but the need for outreach to them by ICANN staff nonetheless:
>
>
> *Recommendation 3: Outreach*
>
> *ICANN should ensure that WHOIS policy issues are accompanied by
> cross-community*
>
> *outreach, including outreach to the communities outside of ICANN with a
> specific*
>
> *interest in the issues, and an ongoing program for consumer awareness.*
>
> This is a critical policy item for such outreach and input.
>
>
> 3.2 If there is an agreed outcome among the relevant parties, should
> the Board be involved in this procedure?
>
>
> 3.2 Response: Clearly, the changing of the procedure, or the adoption of
> a new policy or new contractual language for Registries and Registrars,
> Board oversight and review should be involved. But once the new
> procedure, policy or contractual language is in place, then subsequent
> individual changes, variations, modifications or exceptions should be
> handled through the process and ICANN Staff ? as the Data Retention
> Process is handled today.
>
>
> 4.1 Would it be fruitful to incorporate public comment in each of
> the resolution scenarios?
>
> 4.1 Response: We think this question means whether there should be
> public input on each and every exception? We respectfully submit that
> the answer is No. Once the new policy, procedure or contractual language
> is adopted, then the process should kick in and the Registrar/Registry
> should be allowed to apply for the waiver, modification or revision
> consistent with its data protection and privacy laws. Of course, once
> the waiver or modification is granted, the decision should be matter of
> public record so that other Registries and Registrars in the
> jurisdiction know and so that the ICANN Community as a whole can monitor
> this process' implementation and compliance.
>
> Step Five: Public notice
>
>
> 5.2 Is the exemption or modification termed to the length of the
> agreement? Or is it indefinite as long as the contracted party is
> located in the jurisdiction in question, or so long as the applicable
> law is in force.
>
> 5.2 Response: We agree with the European Commission in its response,
> ?/By logic the exemption or modification shall be in place as long as
> the party is subject to the jurisdiction in conflict with ICANN rules.
> If the applicable law was to change, or the contacted party moved to a
> different jurisdiction, the conditions should be reviewed to assess if
> the exemption is still justified.? But provided it is the same parties,
> operating under the same laws, the modification or change should
> continue through the duration of the relationship between the
> Registry/Registrar and ICANN. /
>
>
> 5.3 Should an exemption or modification based on the same laws and
> facts then be granted to other affected contracted parties in the same
> jurisdiction without invoking the Whois Procedure
>
> 5.3 Response. The European Commission in its comments wrote, and we
> strongly agree: /?the same exception should apply to others in the same
> jurisdiction who can demonstrate that they are in the same situation.?
> /Further, Blacknight wrote and we support: /?if ANY registrar in
> Germany, for example, is granted a waiver based on German law, than ALL
> registrars based in Germany should receive the same treatment.? /Once a
> national data protection or privacy law is interpreted as requiring and
> exemption or modification, it should be available to all
> Registries/Registrars in that country.
>
> Further, we recommend that ICANN should be required to notify each gTLD
> Registry and Registrar in the same jurisdiction as that of the decision
> so they will have notice of the change.
>
> We thank ICANN staff for holding this comment period.
>
> Respectfully submitted,
>
> NCSG
>
>
> DRAFT
>
>
>
>
>
> _______________________________________________
> PC-NCSG mailing list
> PC-NCSG at ipjustice.org
> http://mailman.ipjustice.org/listinfo/pc-ncsg
>
More information about the NCSG-PC
mailing list