[PC-NCSG] [NCSG-Discuss] [urgent] Draft Comments for Whois Proceeding
Rafik Dammak
rafik.dammak
Thu Jul 31 19:00:05 EEST 2014
thanks Stephanie, I am attaching the latest version
Rafik
2014-08-01 0:56 GMT+09:00 Stephanie Perrin <
stephanie.perrin at mail.utoronto.ca>:
> So I vote yes, and am reviewing the last text Kathy sent right now...
> SP
>
> On 2014-07-31, 11:53, Rafik Dammak wrote:
>
> Hi Kathy,
>
> thank you for the changes, we should hear from other member of PC, Maria
> can make the last call and declare consensus.
> the deadline for sending the comment is 1 Aug 2014 23:59 UTC, so we need
> to get endorsement before that.
>
> Best,
> Rafik
>
>
> 2014-08-01 0:09 GMT+09:00 Kathy Kleiman <kathy at kathykleiman.com>:
>
>> Hi Stephanie,
>> Tx for adding Avri's comments. I've reviewed all of the changes, and also
>> added one more to this most recent version. *Newest version (NCSGEdits3)
>> attached. *
>> **Due tomorrow**
>> Best,
>> Kathy
>> :
>>
>> I also agreed with Avri and inserted a few of her changes, Kathy did not
>> get those edits....we need to make sure we have a final copy that Rafik can
>> sign, which reflects all the agreed changes. Do you want me to have
>> another edit one last time, to make sure that Joy's comments (which were on
>> an earlier draft) and Avri's are all in there?
>> cheers stephanie
>> On 2014-07-31, 9:22, Amr Elsadr wrote:
>>
>> Hi all,
>>
>> On Jul 30, 2014, at 2:57 PM, Avri Doria <avri at ACM.ORG> <avri at ACM.ORG>
>> wrote:
>>
>> hi,
>>
>> Reviewed the document.
>>
>> Made a change so it could be a NCSG document.
>>
>> Thanks.
>>
>> There are parts I am uncomfortable with, some of which I deleted and
>> some of which I left and still am uncomfortable with.
>>
>> I do not think we should ever dismiss the Multistakeholder model. I do
>> not wish to find ourselves in the situation of being quoted for having
>> suggested that there are times when the model should be superseded. That
>> would be a gold mine for some. I deleted those references.
>>
>> Fully agree. Although I don?t feel that was the intent, it could
>> certainly be perceived that way. No need to bring it up.
>>
>> I am also uncomfortable with saying there are things that don't need
>> public comment on. To just have to take the legal staff view on things
>> is dangerous. What if they say the law does not require something when
>> someone knows better. Better to have a null review. I have not,
>> however, removed these as they were an entire section. I would like
>> to see that section reworded or removed before approving the documents.
>>
>> IMHO, I don?t see the need for a public comment period on every time this
>> policy might be used. If a new set of policies and processes are adopted
>> for handling WHOIS conflicts with privacy laws, then they should be clear
>> enough during implementation to not require public comment, right? Isn?t
>> this the case with all policies? For instance, is there a public comment
>> period every time a new registrar signs a contract with ICANN? Or will
>> there be a public comment period when implementation of the ?thick? WHOIS
>> policy kicks in?
>>
>> Another thought is that a public comment period will also lengthen the
>> period during which a registrar will potentially be at risk for
>> non-compliance with local laws. Unless there is an important reason why
>> there should be a public comment for each of the resolution scenarios, then
>> I suggest we support Kathy?s recommendation to not have any.
>>
>> Thanks.
>>
>> Amr
>>
>> I also removed a bunch of weasel words like 'respectfully'
>>
>> avri
>>
>>
>>
>>
>>
>>
>> On 30-Jul-14 14:28, Avri Doria wrote:
>>
>> Hi,
>>
>> Started reviewing them, actually Stephanie's comments. They are written
>> from an NCUC perspective and need to be approved by them, not us.
>>
>> avri
>>
>>
>> On 30-Jul-14 11:36, Rafik Dammak wrote:
>>
>> Hi everyone,
>>
>> Kathy sent a draft comment to the whois conflict with local laws. we
>> have a tight schedule and we should act quickly.
>> we are responding during the reply period which means the last chance
>> for us to do so.
>> @Maria can you please follow-up with this request?
>>
>> Best,
>>
>> Rafik
>>
>>
>>
>> ---------- Forwarded message ----------
>> From: *Kathy Kleiman* <kathy at kathykleiman.com
>> <mailto:kathy at kathykleiman.com> <kathy at kathykleiman.com>>
>> Date: 2014-07-30 2:44 GMT+09:00
>> Subject: Draft Comments for Whois Proceeding
>> To: Rafik Dammak <rafik.dammak at gmail.com
>> <mailto:rafik.dammak at gmail.com> <rafik.dammak at gmail.com>>,
>> NCSG-DISCUSS at listserv.syr.edu
>> <mailto:NCSG-DISCUSS at listserv.syr.edu> <NCSG-DISCUSS at listserv.syr.edu>
>>
>>
>> To Rafik, NCSG Executive Committee and NCSG Membership,
>>
>> There is an important, but very quiet comment proceeding that has been
>> taking place this summer. It is the /Review of the ICANN Procedure for
>> Handling WHOIS Conflicts with Privacy Law///at
>> /
>> https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en/
>>
>>
>> Stephanie put out a call for comments, and not seeing any, I drafted
>> these. It has been dismayeding ever since ICANN adopted its Consensus
>> Procedure for Handling WHOIS Conflicts with Privacy law -- because it
>> basically requires that Registrars and Registries have to be sued or
>> receive an official notice of violation before they can ask ICANN for a
>> waiver of the Whois requirements. That always seemed very unfair- that
>> you have to be exposed to allegation of illegal activity in order to
>> protect yourself or your Registrants under your national data protection
>> and privacy laws.
>>
>> In the more recent Data Retention Specification, of the 2013 RAA, ICANN
>> Staff and Lawyers saw this problem and corrected it -- now Registrars
>> can be much more pro-active in showing ICANN that a certain clause in
>> their contract (e.g., extended data retention) is a clear violation of
>> their national law (e.g., more limited data retention).
>>
>> So to this important comment proceeding, I drafted these comments for us
>> to submit. As Reply Comments (during the Reply Period), we are asked to
>> respond to other commenters. That's easy as the European Commission and
>> Registrar Blacknight submitted useful comments.
>>
>> Rafik, can we edit, finalize and submit by the deadline on Friday?
>> Comments below and attached. If you have edits, in the interest of time,
>> kindly suggest alternate language. Tx!!
>>
>> Best,
>> Kathy
>> --------------------------------------------------------------------------------------------------------
>>
>>
>> DRAFT NCSG Response to the Questions of the
>>
>> /Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy
>> Law//
>>
>> https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en/
>>
>>
>> *Introduction*
>>
>> The Noncommercial Stakeholders Group represents noncommercial
>> organizations in their work in the policy and proceedings of ICANN and
>> the GNSO. We respectfully submit as an opening premise that every legal
>> business has the right and obligation to operate within the bounds and
>> limits of its national laws and regulations. No legal business
>> establishes itself to violate the law; and to do so is an invitation to
>> civil and criminal penalties. ICANN Registries and Registrars are no
>> different ? they want and need to abide by their laws.
>>
>> Thus, it is timely for ICANN to raise the questions of this proceeding,
>> /Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy
>> Law/(albeit at a busy time for the Community and at the height of
>> summer; we expect to see more interest in this time towards the Fall).
>> We submit these comments in response to the issues raises and the
>> questions asked.
>>
>> *Background*
>>
>> The /ICANN Procedure for Handling Whois Conflicts with Privacy Law /was
>> adopted in 2006 after years of debate on Whois issues. This Consensus
>> Procedure was the first step of recognition that data protection laws
>> and privacy law DO apply to the personal and sensitive data being
>> collected by Registries and Registrars for the Whois database.
>>
>> But for those of us in the Noncommercial Users Constituency (now part of
>> the Noncommercial Stakeholders Group/NCSG) who helped debate, draft and
>> adopt this Consensus Procedure in the mid-2000s, we were always shocked
>> that the ICANN Community did not do more. At the time, multiple Whois
>> Task Forces were at work with multiple proposals which include important
>> and pro-active suggestions to allow Registrars and Registries to come
>> into compliance with their national data protection and privacy laws.
>>
>> At the time, we never expected this Consensus Procedure to be an end
>> itself ? but the first step of many steps. It was an ?end? for too long,
>> so we are glad the discussion is reopened and once again we seek to
>> allow Registrars and Registries to be in full compliance with their
>> national data protection and privacy laws ? from the moment they enter
>> into their contracts with ICANN.
>>
>> *II. Data Protection and Privacy Laws ? A Quick Overview of the
>> Principles that Protect the Personal and Sensitive Data of Individuals
>> and Organizations/Small Businesses *
>>
>> **
>>
>> /*[Stephanie, Tamir or Others with Expertise in Canadian and European
>> Data Protection Laws may choose to add something here]. */
>>
>> III/*. */Questions asked of the Community in this Proceeding
>>
>> The ICANN Review Paper raised a number of excellent questions. In
>> keeping with the requirements of a Reply Period, these NCSG comments
>> will address both our comments and those comments we particularly
>> support in this proceeding.
>>
>> 1.
>>
>> Is it impractical for ICANN to require that a contracted party
>> already has litigation or a government proceeding initiated
>> against it prior to being able to invoke the Whois Procedure?
>>
>> 1.1 Response: Yes, it is completely impractical (and ill-advised) to
>> force a company to violate a national law as a condition of complying
>> with that national law. Every lawyer advises businesses to comply with
>> the laws and regulations of their field. To do otherwise is to face
>> fines, penalties, loss of the business, even jail for officers and
>> directors. Legal business strives to be law-abiding; no officer or
>> director wants to go to jail for her company's violations. It is the
>> essence of an attorney's advice to his/her clients to fully comply with
>> the laws and operate clearly within the clear boundaries and limits of
>> laws and regulations, both national, by province or state and local.
>>
>> In these Reply Comments, we support and encourage ICANN to adopt
>> policies consistent with the initial comments submitted by the European
>> Commission:
>>
>> o
>>
>> that the Whois Procedure be changed from requiring specific
>> prosecutorial action instead to allowing ?demonstrating evidence
>> of a potential conflict widely and e.g. accepting information on
>> the legislation imposing requirements that the contractual
>> requirements would breach as sufficient evidence.? (European
>> Commission comments)
>>
>> We also agree with Blacknight:
>>
>> o
>>
>> ?It's completely illogical for ICANN to require that a
>> contracting party already has litigation before they can use a
>> process. We would have loved to use a procedure or process to
>> get exemptions, but expecting us to already be litigating before
>> we can do so is, for lack of a better word, nuts.? (Blacknight
>> comments in this proceeding).
>>
>>
>> 1.1a How can the triggering event be meaningfully defined?
>>
>> 1.1 a Response: This is an important question. Rephrased, we might ask
>> together ? what must a Registry or Registrar show ICANN in support of
>> its claim that certain provisions involving Whois data violate
>> provisions of national data protection and privacy laws?
>>
>> NCSG respectfully submits that there are at least four ?triggering
>> events? that ICANN should recognize:
>>
>> o
>>
>> Evidence from a national Data Protection Commissioner or his/her
>> office (or from a internationally recognized body of national
>> Data Protection Commissioners in a certain region of the world,
>> including the Article 29 Working Party that analyzes the
>> national data protection and privacy laws) that ICANN's
>> contractual obligations for Registry and/or Registrar contracts
>> violate the data protection laws of their country or their group
>> of countries;
>>
>> o
>>
>> Evidence of legal and/or jurisdictional conflict arising from
>> analysis performed by ICANN's legal department or by national
>> legal experts hired by ICANN to evaluate the Whois requirements
>> of the ICANN contracts for compliance and conflicts with
>> national data protection laws and cross-border transfer limits)
>> (similar to the process we understand was undertaken for the
>> data retention issue);
>>
>>
>> o
>>
>> Receipt of a written legal opinion from a nationally recognized
>> law firm in the applicable jurisdiction that states that the
>> collection, retention and/or transfer of certain Whois data
>> elements as required by Registrar or Registry Agreements is
>> ?reasonably likely to violate the applicable law? of the
>> Registry or Registrar (per the process allowed in RAA Data
>> Retention Specification); or
>>
>>
>> o
>>
>> An official opinion of any other governmental body of competent
>> jurisdiction providing that compliance with the data protection
>> requirements of the Registry/Registrar contracts violates
>> applicable national law (although such pro-active opinions may
>> not be the practice of the Data Protection Commissioner's office).
>>
>> The above list draws from the comments of the European Commission, Data
>> Retention Specification of the 2013 Registrar Accreditation Agreement,
>> and sound compliance and business practices for the ICANN General
>> Counsel's office.
>>
>> We further agree with Blacknight that the requirements for triggering
>> any review and consideration by ICANN be: simple and straightforward,
>> quick and easy to access.
>>
>>
>> 1.3 Are there any components of the triggering event/notification
>> portion of the RAA's Data Retention waiver process that should be
>> considered as optional for incorporation into a modified Whois Procedure?
>>
>>
>> 1.3 Response: Absolutely, the full list in 1.1a above, together with
>> other constructive contributions in the Comments and Reply Comments of
>> this proceeding, should be strongly considered for incorporation into a
>> modified Whois Procedure, or simply written into the contracts of the
>> Registries and Registrars contractual language, or a new Annex or
>> Specification.
>>
>> We respectfully submit that the obligation of Registries and Registrars
>> to comply with their national laws is not a matter of multistakeholder
>> decision making, but a matter of law and compliance. In this case, we
>> wholeheartedly embrace the concept of building a process together that
>> will allow exceptions for data protection and privacy laws to be adopted
>> quickly and easily.
>>
>>
>> 1.4 Should parties be permitted to invoke the Whois Procedure before
>> contracting with ICANN as a registrar or registry?
>>
>>
>> 1.4 Response: Of course, Registries and Registrars should be allowed to
>> invoke the Whois Procedure, or other appropriate annexes and
>> specifications that may be added into Registry and Registrar contracts
>> with ICANN. As discussed above, the right of a legal company to enter
>> into a legal contracts is the most basic of expectations under law.
>>
>>
>> 2.1 Are there other relevant parties who should be included in this
>> step?
>>
>>
>> 2.1 Response: We agree with the EC that ICANN should be working as
>> closely with National Data Protection Authorities as they will allow. In
>> light of the overflow of work into these national commissions, and the
>> availability of national experts at law firms, ICANN should also turn to
>> the advice of private experts, such as well-respected law firms who
>> specialize in national data protection laws. The law firm's opinions on
>> these matters would help to guide ICANN's knowledge and evaluation of
>> this important issue.
>>
>>
>> 3.1 How is an agreement reached and published?
>>
>> 3.1 Response. As discussed above, compliance with national law may not
>> be the best matter for negotiation within a multistakeholder process. It
>> really should not be a chose for others to make whether you comply with
>> your national data protection and privacy laws. That said, the process
>> of refining the Consensus Procedure, and adopting new policies and
>> procedures, or simply putting new contract provisions, annexes or
>> specifications into the Registry and Registrar contracts SHOULD be
>> subject to community discussion, notification and review. But once the
>> new process is adopted, we think the new changes, variations,
>> modifications or exceptions of Individual Registries and Registrars need
>> go through a public review and process. The results, however, Should be
>> published for Community notification and review.
>>
>>
>> We note that in conducting the discussion with the Community on the
>> overall or general procedure, policy or contractual changes, ICANN
>> should be assertive in its outreach to the Data Protection
>> Commissioners. Individual and through their organizations, they have
>> offered to help ICANN evaluate this issue numerous times. The Whois
>> Review Team noted the inability of many external bodies to monitor ICANN
>> regularly, but the need for outreach to them by ICANN staff nonetheless:
>>
>>
>> *Recommendation 3: Outreach*
>>
>> *ICANN should ensure that WHOIS policy issues are accompanied by
>> cross-community*
>>
>> *outreach, including outreach to the communities outside of ICANN with a
>> specific*
>>
>> *interest in the issues, and an ongoing program for consumer awareness.*
>>
>> This is a critical policy item for such outreach and input.
>>
>>
>> 3.2 If there is an agreed outcome among the relevant parties, should
>> the Board be involved in this procedure?
>>
>>
>> 3.2 Response: Clearly, the changing of the procedure, or the adoption of
>> a new policy or new contractual language for Registries and Registrars,
>> Board oversight and review should be involved. But once the new
>> procedure, policy or contractual language is in place, then subsequent
>> individual changes, variations, modifications or exceptions should be
>> handled through the process and ICANN Staff ? as the Data Retention
>> Process is handled today.
>>
>>
>> 4.1 Would it be fruitful to incorporate public comment in each of
>> the resolution scenarios?
>>
>> 4.1 Response: We think this question means whether there should be
>> public input on each and every exception? We respectfully submit that
>> the answer is No. Once the new policy, procedure or contractual language
>> is adopted, then the process should kick in and the Registrar/Registry
>> should be allowed to apply for the waiver, modification or revision
>> consistent with its data protection and privacy laws. Of course, once
>> the waiver or modification is granted, the decision should be matter of
>> public record so that other Registries and Registrars in the
>> jurisdiction know and so that the ICANN Community as a whole can monitor
>> this process' implementation and compliance.
>>
>> Step Five: Public notice
>>
>>
>> 5.2 Is the exemption or modification termed to the length of the
>> agreement? Or is it indefinite as long as the contracted party is
>> located in the jurisdiction in question, or so long as the applicable
>> law is in force.
>>
>> 5.2 Response: We agree with the European Commission in its response,
>> ?/By logic the exemption or modification shall be in place as long as
>> the party is subject to the jurisdiction in conflict with ICANN rules.
>> If the applicable law was to change, or the contacted party moved to a
>> different jurisdiction, the conditions should be reviewed to assess if
>> the exemption is still justified.? But provided it is the same parties,
>> operating under the same laws, the modification or change should
>> continue through the duration of the relationship between the
>> Registry/Registrar and ICANN. /
>>
>>
>> 5.3 Should an exemption or modification based on the same laws and
>> facts then be granted to other affected contracted parties in the same
>> jurisdiction without invoking the Whois Procedure
>>
>> 5.3 Response. The European Commission in its comments wrote, and we
>> strongly agree: /?the same exception should apply to others in the same
>> jurisdiction who can demonstrate that they are in the same situation.?
>> /Further, Blacknight wrote and we support: /?if ANY registrar in
>> Germany, for example, is granted a waiver based on German law, than ALL
>> registrars based in Germany should receive the same treatment.? /Once a
>> national data protection or privacy law is interpreted as requiring and
>> exemption or modification, it should be available to all
>> Registries/Registrars in that country.
>>
>> Further, we recommend that ICANN should be required to notify each gTLD
>> Registry and Registrar in the same jurisdiction as that of the decision
>> so they will have notice of the change.
>>
>> We thank ICANN staff for holding this comment period.
>>
>> Respectfully submitted,
>>
>> NCSG
>>
>>
>> DRAFT
>>
>>
>>
>>
>>
>> _______________________________________________
>> PC-NCSG mailing list
>> PC-NCSG at ipjustice.org
>> http://mailman.ipjustice.org/listinfo/pc-ncsg
>>
>> _______________________________________________
>> PC-NCSG mailing list
>> PC-NCSG at ipjustice.org
>> http://mailman.ipjustice.org/listinfo/pc-ncsg
>>
>>
>> <NSCG DRAFT Comments for Review of WHOIS Consensus
>> Proceduresp+ad.doc>_______________________________________________
>> PC-NCSG mailing list
>> PC-NCSG at ipjustice.org
>> http://mailman.ipjustice.org/listinfo/pc-ncsg
>>
>>
>> _______________________________________________
>> PC-NCSG mailing list
>> PC-NCSG at ipjustice.org
>> http://mailman.ipjustice.org/listinfo/pc-ncsg
>>
>>
>>
>
>
> _______________________________________________
> PC-NCSG mailing listPC-NCSG at ipjustice.orghttp://mailman.ipjustice.org/listinfo/pc-ncsg
>
>
>
> _______________________________________________
> PC-NCSG mailing list
> PC-NCSG at ipjustice.org
> http://mailman.ipjustice.org/listinfo/pc-ncsg
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.ipjustice.org/pipermail/pc-ncsg/attachments/20140801/d51e5702/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: NSCG Draft Comments for Review of WHOIS Consensus Procedure NCSG Edits3 (00690163).DOC
Type: application/msword
Size: 67072 bytes
Desc: not available
URL: <http://mailman.ipjustice.org/pipermail/pc-ncsg/attachments/20140801/d51e5702/attachment-0001.doc>
More information about the NCSG-PC
mailing list