Dear Amr, Stephanie and Farrell,
Tx for a great conversation taking place. Amr, tx for laying out the
issues and EPDP discussions. Stephanie, tx for adding the civil law
perspective. It's fascinating to read what the EPDP is debating and
discussing. You are absolutely right that this is an issue in which
NCSG has been involved for years.
Whether it is on WHOIS teams or Proxy/Privacy
PDP Working Groups, we have shared that there is no bright line
between legal persons and natural persons -- a noncommercial
organization often starts as the collection of just a few individuals;
most mom-run and senior-run businesses I know are run by one person
from his/her home. Both groups would be exposed if forced to publish
their names and home addresses. My understanding was GDPR and laws
throughout the US and UK (common law countries) protect their privacy
in many circumstances. Of course, these privacy protections should be
embedded in the WHOIS/RDDS rules ICANN makes!
Thanks for laying out the special way in which the EPDP is approaching
this issue -- and the state of the discussion. The cost/benefit
analysis is fascinating and the liability of misjudging the right
protection could be enormous. I can see why registries and registrars
would want to be cautious.
The best news is that deadline for comment is still before us! (For
some reason I thought we were near a deadline.)
Amr, Stephanie, all of our EPDP members: thank you for your diligent
and endless work on the EPDP. We and the world deeply appreciate all
you are doing. Amr and Sephanie, thank you for taking the time to
answer questions too!
Best, Kathy
On 3/28/2020 11:44 AM, Stephanie E Perrin wrote:
> If I may jump in here Farell, you are asking good questions.
> There are a number of separate problems in attempting to
> differentiate between legal and natural persons, which we have
> of course been pointing out for a long time...the issue arose
> during the Privacy Proxy Accreditation Issues working group,
> where a lawyer acting for the IP constituency managed to get a
> legal study she had done (which supported the differentiation)
> included as a reference document even though we violently
> disagreed with it. It arose in the context of the RDS PDP as
> well. So you would think the topic might be exhausted by now,
> but no....
>
> 1. The concept of legal person is applied differently in
> different jurisdictions, particularly as between civil law and
> common law legal traditions. The definitions used in the GDPR
> rely heavily on civil law traditions.
>
> 2. The determination of how an entity that engages in business
> is registered tends to be done at a local level...municipal or
> provincial, rarely at federal level except with respect to
> taxation at the federal level. This makes things complex.
> Throw this into a global context, as a registrar may register a
> domain for all kinds of foreign entities, and it gets really
> difficult to ensure accuracy.
>
> 3. Small entrepreneurs in particular, if they have not
> incorporated, may be entitled in their jurisdiction to act as
> individuals and have privacy protection under local law. This
> is usually not well understood by the entrepreneur, whose
> expertise is not likely in data protection law. I am
> particularly concerned that individuals are not getting good
> advice and information from ICANN about how they register their
> domain names. You should register names in your own name, and
> lend them or rent them to the entity to use, not register them
> in the company name, if there is any risk that your organization
> might be closed down or go bankrupt. Unless you don't care
> about losing your names. (I am not a lawyer though, I stand
> ready to be corrected as I have asked this question numerous
> times and as usual never got an answer.)
>
> 4. In many jurisdictions employees are entitled to protection
> of their personal contact information as an employee within the
> company...so for instance in Germany, you could not force an
> employee to put their contact information on the net, even as
> abuse@ company.com or [log in to unmask] IN order to do this,
> in those jurisdictions, the company would need to obtain
> consent, and it would have to be free, manifest and informed
> consent, which is a high bar and not something the average
> registrar wants to be evaluating. A registrar could ask the
> registrant to attest to having obtained the consent of
> employees, but we know that will be a tick box and it might not
> survive a Court challenge. Labour laws might also be relevant
> here, if the company could be proven to be acting in violation
> of labour laws.
>
> 5. I have suggested many times that companies who want their
> data published (to help avoid trademark abuse and identity theft
> that happens with fake bank registrations or Facebook
> registrations, for instance) should develop an accreditation and
> authentication scheme based on business numbers or incorporation
> numbers, but noone has ever responded to that proposal. As for
> criminals, they are never going to give valid information,
> contact or otherwise, so why force small business owners to
> thread their way through this legal morass?
>
> 6. A further complication is the status of NGOS, not for
> profits, religious organizations, local children's soccer teams,
> which globally have different status under local laws.
>
> I hope that helps. The cost of addressing all these issues
> responsibly. and providing the missing explanatory information
> that we need to provide registrants in order to enable them to
> self identify, is absolutely daunting. I think the registrars
> have figured that one out.
>
> cheers Stephanie
>
> PS as a footnote (and further evidence that I can go on for
> hours on this topic) we were forced to provide an exemption
> under our definition of personal information in the Canadian
> law, in order for "business card contact information" to be
> released by commercial entities. It was that or not get the law
> through....however, it is a terrible way to provide for release
> of employee contact information. This information is still
> essentially personal information, particularly as we move into a
> world where more and more people work from home and may have
> cellphones that give up geo location and blue tooth
> information....these become important when we look at our
> expectations for constitutional protection of our personal space.
>
> On 2020-03-28 10:55 a.m., Farell FOLLY wrote:
>
>> Dear Amr,
>>
>> Thanks very well for this explanation which puts the a
>> brighter sport on that issue for me. However, I have two
>> questions for my own understanding.
>>
>>
>>
>> * What does it mean personnel information of a legal
>> person (I have found some definitions in literature but
>> not really sure what it means the same thing here.
>> * Secondly, I see in your first paragraph that Both the
>> NCSG and the contracted parties (Registries and
>> Registrars) advocated for the personal information to be
>> treated equally for both types of persons, therefore; what
>> justifies the bottleneck and the survey/study indicated
>> afterwards? Especially when the costs issues with no
>> benefit in return are added to..
>>
>> I am sorry if all answers are in your e-mail, but it does
>> not appear clearly to me.
>>
>> Thanks.
>>
>> @__f_f__
>>
>> Best Regards
>> ____________________________________
>>
>> (Ekue) Farell FOLLY
>> GNSO Councillor
>> linkedin.com/in/farellf[1]
>>
>>> On 28 Mar 2020, at 13:24, Amr Elsadr <[log in to unmask]>
>>> wrote:
>>>
>>> Hi Kathy,
>>>
>>> The topic of how to handle gTLD Registration Data
>>> of legal vs natural persons at ICANN was part of
>>> phase 1 of the EPDP, but was unresolved because of
>>> different groups within ICANN advocating for the
>>> Consensus Policy to treat the personal information
>>> of legal persons differently from that of natural
>>> persons. The NCSG, along with the Registrars
>>> Stakeholder Group and the Registries Stakeholder
>>> Group advocated for the personal information of
>>> legal persons to be treated the same as that of
>>> natural persons (that the requirements of
>>> redaction and processing be the same for both).
>>>
>>> We did make the arguments you outlined below, as
>>> well as others including that often, a Registrant
>>> identifying as a legal person is likely to have
>>> the personal information of a natural person
>>> included in its gTLD domain name registration data.
>>>
>>> Also, it is important to take in to consideration
>>> that the cost of implementation of the phase 1
>>> policy recommendations, and those of phase 2
>>> concerning the Standardized System for Access and
>>> Disclosure (SSAD) will likely be incredibly high
>>> with little to no benefit to any parties other than
>>> users of whois data (data requestors, or those who
>>> have normally engaged in whois lookups). The NCSG
>>> members of the EPDP Team did not believe that the
>>> cost of implementing differentiation of how legal
>>> and natural persons are treated is justifiable, we
>>> did not believe that natural persons would
>>> practically receive the protections they are
>>> afforded by law should differentiation take place,
>>> and therefore, we also did not believe that ICANN
>>> and its Contracted Parties would be protected
>>> against legal liability should a policy
>>> recommendation requiring differentiation be the
>>> status quo.
>>>
>>> These positions created a deadlock on the issue,
>>> as was the case with many topics…, well…, as is
>>> normally the case on any Policy Development
>>> Process Working Group. The compromise we reached in
>>> phase 1 was reflected in the final recommendation
>>> the EPDP Team made to the GNSO Council on this
>>> (check Recommendation 17 in the Phase 1 Final
>>> Report[2]):
>>>
>>>> /“1) THE EPDP TEAM RECOMMENDS THAT
>>>> REGISTRARS AND REGISTRY OPERATORS ARE
>>>> PERMITTED TO DIFFERENTIATE BETWEEN
>>>> REGISTRATIONS OF LEGAL AND NATURAL PERSONS,
>>>> BUT ARE NOT OBLIGATED TO DO SO./
>>>> /2) THE EPDP TEAM RECOMMENDS THAT AS SOON
>>>> AS POSSIBLE ICANN ORG UNDERTAKES A STUDY,
>>>> FOR WHICH THE TERMS OF REFERENCE ARE
>>>> DEVELOPED IN CONSULTATION WITH THE
>>>> COMMUNITY, THAT CONSIDERS:/
>>>> / • THE FEASIBILITY AND COSTS
>>>> INCLUDING BOTH IMPLEMENTATION AND
>>>> POTENTIAL LIABILITY COSTS OF
>>>> DIFFERENTIATING BETWEEN LEGAL AND
>>>> NATURAL PERSONS;/
>>>>
>>>>
>>>> *
>>>> /EXAMPLES OF INDUSTRIES
>>>> OR OTHER ORGANIZATIONS
>>>> THAT HAVE SUCCESSFULLY
>>>> DIFFERENTIATED BETWEEN
>>>> LEGAL AND NATURAL
>>>> PERSONS; /
>>>>
>>>> *
>>>> /PRIVACY RISKS TO
>>>> REGISTERED NAME HOLDERS OF
>>>> DIFFERENTIATING BETWEEN
>>>> LEGAL AND NATURAL PERSONS;
>>>> AND /
>>>>
>>>> *
>>>> /OTHER POTENTIAL RISKS
>>>> (IF ANY) TO REGISTRARS
>>>> AND REGISTRIES OF NOT
>>>> DIFFERENTIATING. /
>>>>
>>>> /3) THE EPDP TEAM WILL
>>>> DETERMINE AND RESOLVE THE
>>>> LEGAL VS. NATURAL ISSUE IN
>>>> PHASE 2.”/
>>>
>>> This compromise allows Contracted Parties to
>>> choose to differentiate between legal and
>>> natural persons, but does not obligate them to
>>> do so, pending the outcome in phase 2 of the EPDP,
>>> which is meant to also take in to consideration
>>> the study mentioned in the recommendation. This
>>> study has not yet been conducted, but ICANN org
>>> has stated that it plans on delivering the
>>> outcomes of this study sometime in May 2020. The
>>> outcome of the study is unlikely to change
>>> anything in terms of breaking the deadlock. There
>>> is no expectation that Contracted Parties will
>>> choose to differentiate, since this will present
>>> as a financial burden to them with no reward.
>>>
>>> To answer your question on when we need to
>>> comment on this, Kathy, the answer is now. Rafik
>>> just sent a notice of a public comment period
>>> opening 2-days ago (26 March, 2020) on the
>>> addendum to the phase 2 initial report. This is
>>> where the legal vs natural issue is going to be
>>> addressed. More details can be found
>>>
here: https://www.icann.org/public-comments/epdp-phase-2-addendum-2020-03-26-en
>>>
>>> I hope this was helpful. Please do keep the
>>> questions coming, if you have more, Kathy. This,
>>> of course applies to anyone here. We have a
>>> significantly large team of NCSG members working
>>> on the EPDP, and we’re happy to answer
questions
>>> or hold discussions as often as needed.
>>>
>>> Thanks.
>>>
>>> Amr
>>>
>>>> On Mar 26, 2020, at 4:39 AM, [log in to unmask]
>>>> <[log in to unmask]> wrote:
>>>>
>>>>
>>>> Hi Amr, Milton and Stephanie,
>>>>
>>>> In the midst of so many things changing and
>>>> taking place, it's hard to
>>>> track deadlines in ICANN. That said, I
>>>> think there was an important
>>>> EPDP question last week which may have been
>>>> extended to later this
>>>> week.
>>>>
>>>> Can you help point us to a) where we would
>>>> find the EPDP question
>>>> about legal and natural persons and their
>>>> privacy protection?
>>>>
>>>> b) whether there is still time to submit
>>>> comments and
>>>>
>>>> c) what you recommend (including what
>>>> positions may be consistent with
>>>> past/current NCSG positions)?
>>>>
>>>> Many thanks!
>>>>
>>>> In my experience many small noncommercial
>>>> organizations, including
>>>> political minority groups, are run by a few
>>>> individuals, have no
>>>> independent location, and would have to list
>>>> the home address of one
>>>> of their members in the WHOIS. Over the
>>>> years, individuals have
>>>> expressed concern to me that they may be
>>>> targeted due to their views
>>>> and the information or advocacy they are
>>>> sharing online (and fear they
>>>> may be exposing their families to
>>>> reprisals).
>>>>
>>>> I certainly support privacy for many types
>>>> of "legal persons,"
>>>> especially in the nonprofit and
>>>> organizational space.
>>>>
>>>> Best regards, Kathy
-- Kathy Kleiman President, Domain Name Rights Coalition
Links:
------
[1] http://linkedin.com/in/farellf
[2]
https://gnso.icann.org/sites/default/files/file/field-file-attach/epdp-gtld-registration-data-specs-final-20feb19-en.pdf
|
