Hi All,
Attached is the revised version of the comments. It has the changes of
Stephanie and Ed incorporated (tx you!) I have drafted it for Rafik's
signature and submission on behalf of the NCSG (feel free to add an
electronic signature, Rafik!). (Track changes version showing edits
attached)
If you could please use _this version _of the revised comments for
review and submission, that would be great.
Best,
Kathy
-----------------------------------------------------------------------------------------------------------------------------------------------
NCSG Response to the Questions of the
/Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy
Law /
https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en//
**
The Noncommercial Stakeholders Group represents noncommercial
organizations and individual noncommercial users in their work in the
policy and proceedings of ICANN and the GNSO. We respectfully submit as
an opening premise that every legal business has the right and
obligation to operate within the bounds and limits of its national laws
and regulations. No legal business establishes itself to violate the
law; and to do so is an invitation to civil and criminal penalties, in
addition to reputational damage and a loss of the trust of their
customers and business partner. ICANN Registries and Registrars are no
different – they want and need to abide by their laws.
To that end, Registries and Registrars strive to comply with their
national and local laws.They strive affirmatively and proactively to
follow the laws and regulations under which they operate as legal
entities. To do otherwise is to violate the purpose of a legal regime,
to threaten the well being of the company, and to expose Directors,
Officers and Employees to fines, jail, or civil litigation. In the
matter of protection of personal and confidential information, which is
a very newsworthy issue in the 21^st century, privacy practices are a
matter of consumer trust, and therefore high risk for those operating an
Internet business.Even if customers have obediently complied with
demands for excessive collection and disclosure of personal information
up to this point, in the current news furor over Snowden and the
cooperation of business with national governments engaged in
surveillance, this could change with the next news story.The Internet
facilitates successful privacy campaigns.
Thus, it is wise and timely for ICANN to raise the questions of this
proceeding, /Review of the ICANN Procedure for Handling WHOIS Conflicts
with Privacy Law/ (albeit at a busy time for the Community and at the
height of summer; we expect to see more interest in this time towards
the Fall and recommend that ICANN not construe the small number of
comments received to date as a reflection of lack of interest). We
submit these comments in response to the issues raises and the questions
asked.
*Background*
The /ICANN Procedure for Handling Whois Conflicts with Privacy Law /was
adopted in 2006 after years of debate on Whois issues. This Consensus
Procedure was the first step of recognition that data protection laws
and privacy law DO apply to the personal and sensitive data being
collected by Registries and Registrars for the Whois database.
But for those of us in the Noncommercial Users Constituency (now part of
the Noncommercial Stakeholders Group/NCSG) who helped debate, draft and
adopt this Consensus Procedure in the mid-2000s, we were always shocked
that the ICANN Community did not do more. At the time, several Whois
Task Forces were at work with multiple proposals which include important
and pro-active suggestions to allow Registrars and Registries to come
into compliance with their national and local data protection and
privacy laws.
At the time, we never expected this Consensus Procedure to be an end
itself – but the first of many steps. We are glad the discussion is now
reopened and we support empowering Registrars and Registries to be in
full compliance with their national and local data protection, consumer
protection and privacy laws – from the moment they enter into their
contracts with ICANN.
We note there have been a number of recent decisions in higher courts in
various jurisdictions which impact the constitutional rights of citizens
to be free from warrantless disclosure and retention of their personal
information for law enforcement purposes.This reflects the time it takes
for data protection issues to wend their way to the high courts for a
ruling.We would urge ICANN, who otherwise sit on the cutting edge of
Internet technical issues, to reflect on their role as a key global
player in Internet governance.Do we lead or do we wait until we are
dragged into Court, to realize our responsibilities to protect the
fundamental rights of the citizens who depend on the Internet to
participate in modern society?//
II. Data Protection and Privacy Laws – A Quick Overview of the
Principles that Protect the Personal and Sensitive Data of Individuals
and Organizations/Small Businesses
It is important to stress that while the discourse about data protection
requirements at ICANN has tended to focus on the European Union and its
Data Commissioners, as represented in the Article 29 Working Party on
Data Protection, there are a great many countries which have data
protection law in place, including Canada, Mexico, much of South
America, Korea, Japan, Australia, New Zealand, Singapore, South Africa,
and many others.It is therefore quite puzzling that ICANN does not
assemble a working group to study the matter and develop a harmonized
approach to the issue, rather than take this rather odd approach of
forcing registrars and registries to break national and local law.
It is also important to note that there are many levels of data
protection law, from local municipal law to state and national law.There
is also sectoral law which applies to certain sectors.It would be a
reasonable approach to develop a policy that reflects harmonized best
practice, and abide by the policy rather than engage in this adversarial
approach to local law.Data protection law is overwhelmingly complaints
based, so it is inherently difficult for registrars and registries to
get a ruling from data protection commissioners absent a complaint and a
set of facts.
In this regard, we also find it puzzling that despite the fact that the
Article 29 Working Party wrote to ICANN senior management to indicate
that they have reviewed the matter and reached an opinion that the
practices involving WHOIS do indeed violate EU law, ICANN has not taken
that message and developed a policy that guides their data protection
practices, starting with a clear statement of limited purpose for the
collection, use, and disclosure of personal information.
The NCSG held a privacy meeting at the London ICANN 50 meeting, which
was quite well attended.While we did not specifically address or attempt
to brainstorm this particular problem, we feel it is safe to summarize
the following points:
·There is considerable interest, in civil society, in the protection of
personal information at ICANN.
·Policies and procedures such as were developed for the 2013 RAA are
very puzzling to those who are engaged in government and business in the
privacy field.This is not 1995, when the EU Directive on data protection
was passed and was still controversial.ICANN needs to catch up with
global business practice, preferably by developing binding corporate
rules which would take a harmonized approach to the differing local
laws. It is not appropriate for all data protection to fall away in
jurisdictions where there is not yet a data protection law that applies
to the provision of internet services, including domain name registration.
·NCSG is ramping up a team of volunteers to provide more detailed
expertise and input on a number of privacy and free speech issues.While
civil society is inherently stretched and short of resources, this is an
issue that they care deeply about, and our outreach has begun to bear
fruit in engaging others who are outside the immediate sphere of ICANN
membership.This is important as they are part of the constituency we
seek to represent.
ICANN spends considerable time on technical parameters, data accuracy,
and retention.More time needs to be spent on data protection policy.In
this respect, more expertise would be required as there is very little
evidence of privacy expertise in the ICANN community.
III*/./*Questions asked of the Community in this Proceeding
The ICANN Review Paper raised a number of excellent questions. In
keeping with the requirements of a Reply Period, these NCSG comments
will address both our comments and those comments we particularly
support in this proceeding.
However we would first like to note that the paper appears to start from
the position that the procedures involved in this waiver process simply
need to be tweaked.Operating under the first principle that all business
must comply with local law, there is a need for ICANN to embrace data
protection law as a well recognized branch of law which codifies well
recognized business best practices with respect to the confidentiality
of customer data.We respectfully submit that, if ICANN had a
professional privacy officer, it is highly unlikely that he/she would
recommend to senior management that the current approach be entertained
in 2014.
1.1Is it impractical for ICANN to require that a contracted party
already haslitigation or a government proceeding initiated against it
prior to being able to invoke the Whois Procedure?
1.1 Response: Yes, it is completely impractical (and ill-advised) to
force a company to violate a national law as a condition of complying
with their contract. Every lawyer advises businesses to comply with the
laws and regulations of their field. To do otherwise is to face fines,
penalties, loss of the business, even jail for officers and directors.
Legal business strives to be law-abiding; no officer or director wants
to go to jail for her company's violations. It is the essence of an
attorney's advice to his/her clients to fully comply with the laws and
operate clearly within the clear boundaries and limits of laws and
regulations, both national, by province or state and local.
In these Reply Comments, we support and encourage ICANN to adopt
policies consistent with the initial comments submitted by the European
Commission:
-that the Whois Procedure be changed from requiring specific
prosecutorial action instead to allowing “demonstrating evidence of a
potential conflict widely and e.g. accepting information on the
legislation imposing requirements that the contractual requirements
would breach as sufficient evidence.” (European Commission comments)
We also agree with Blacknight:
-“It's completely illogical for ICANN to require that a contracting
party already has litigation before they can use a process. We would
have loved to use a procedure or process to get exemptions, but
expecting us to already be litigating before we can do so is, for lack
of a better word, nuts.” (Blacknight comments in this proceeding).
-
1.1a How can the triggering event be meaningfully defined?
This is an important question. Rephrased, we might ask together –what
must a Registry or Registrar show ICANN in support of its claim that
certain provisions involving Whois data violate provisions of national
data protection and privacy laws?
NCSG respectfully submits that there are at least four “triggering
events” that ICANN should recognize:
-Evidence from a national Data Protection Commissioner or his/her office
(or from a internationally recognized body of national Data Protection
Commissioners in a certain region of the world, including the Article 29
Working Party that analyzes the national data protection and privacy
laws) that ICANN's contractual obligations for Registry and/or Registrar
contracts violate the data protection laws of their country or their
group of countries;
-Evidence of legal and/or jurisdictional conflict arising from analysis
performed by ICANN's legal department or by national legal experts hired
by ICANN to evaluate the Whois requirements of the ICANN contracts for
compliance and conflicts with national data protection laws and
cross-border transfer limits) (similar to the process we understand was
undertaken for the data retention issue);
-Receipt of a written legal opinion from a nationally recognized law
firm or qualified legal practitioner in the applicable jurisdiction that
states that the collection, retention and/or transfer of certain Whois
data elements as required by Registrar or Registry Agreements is
“reasonably likely to violate the applicable law” of the Registry or
Registrar (per the process allowed in RAA Data Retention Specification); or
-An official opinion of any other governmental body of competent
jurisdiction providing that compliance with the data protection
requirements of the Registry/Registrar contracts violates applicable
national law (although such pro-active opinions may not be the practice
of the Data Protection Commissioner's office).
The above list draws from the comments of the European Commission, Data
Retention Specification of the 2013Registrar Accreditation Agreement,
and sound compliance and business practices for the ICANN General
Counsel's office.
We further agree with Blacknight that the requirements for triggering
any review and consideration by ICANN be: simple and straightforward,
quick and easy to access.
1.3Are there any components of the triggering event/notification portion
of the RAA's Data Retention waiver process that should be considered as
optional for incorporation into a modified Whois Procedure?
1.3 Response:Absolutely, the full list in 1.1a above, together with
other constructive contributions in the Comments and Reply Comments of
this proceeding, should be strongly considered for incorporation into a
modified Whois Procedure, or simply written into the contracts of the
Registries and Registrars contractual language, or a new Annex or
Specification.
We respectfully submit that the obligation of Registries and Registrars
to comply with their national laws is not a matter of multistakeholder
decision making, but a matter of law and compliance. In this case, we
wholeheartedly embrace the concept of building a process together that
will allow exceptions for data protection and privacy laws to be adopted
quickly and easily.
1.4Should parties be permitted to invoke the Whois Procedure before
contracting with ICANN as a registrar or registry?
1.4 Response: Of course, Registries and Registrars should be allowed to
invoke the Whois Procedure, or other appropriate annexes and
specifications that may be added into Registry and Registrar contracts
with ICANN. As discussed above, the right of a legal company to enter
into a legal contracts is the most basic of expectations under law.
2.1Are there other relevant parties who should be included in this step?
2.1 Response: We agree with the EC that ICANN should be working as
closely with National Data Protection Authorities as they will allow. In
light of the overflow of work into these national commissions, and the
availability of national experts at law firms, ICANN should also turn to
the advice of private experts,such as well-respected law firms who
specialize in national data protection laws. The law firm's opinions on
these matters would help to guide ICANN's knowledge and evaluation of
this important issue.
3.1How is an agreement reached and published?
3.1 Response. As discussed above, compliance with national law may not
be the best matter for negotiation within a multistakeholder process. It
really should not be a chose for others to make whether you comply with
your national data protection and privacy laws. That said, the process
of refining the Consensus Procedure, and adopting new policies and
procedures, or simply putting new contract provisions, annexes or
specifications into the Registry and Registrar contracts SHOULD be
subject to community discussion, notification and review.But once the
new process is adopted, we think the new changes, variations,
modifications or exceptions of Individual Registries and Registrars need
go through a public review and process. The results, however, Should be
published for Community notification and review.
We note that in conducting the discussion with the Community on the
overall or general procedure, policy or contractual changes, ICANN
should be assertive in its outreach to the Data Protection
Commissioners. Individual and through their organizations, they have
offered to help ICANN evaluate this issue numerous times. The Whois
Review Team noted the inability of many external bodies to monitor ICANN
regularly, but the need for outreach to them by ICANN staff nonetheless:
*Recommendation 3:Outreach*
*ICANN should ensure that WHOIS policy issues are accompanied by
cross-community outreach, including outreach to the communities outside
of ICANN with a specific interest in the issues, and an ongoing program
for consumer awareness. (Whois Review Team Final Report)*
This is a critical policy item for such outreach and input.
3.2If there is an agreed outcome among the relevant parties, should the
Board be involved in this procedure?
3.2 Response: Clearly, the changing of the procedure, or the adoption of
a new policy or new contractual language for Registries and Registrars,
Board oversight and review should be involved. But once the new
procedure, policy or contractual language is in place, then subsequent
individual changes, variations, modifications or exceptions should be
handled through the process and ICANN Staff – as the Data Retention
Process is handled today.
4.1Would it be fruitful to incorporate public comment in each of the
resolution scenarios.
4.1 Response: We think this question means whether there should be
public input on each and every exception?We respectfully submit that the
answer is No. Once the new policy, procedure or contractual language is
adopted, then the process should kick in and the Registrar/Registry
should be allowed to apply for the waiver, modification or revision
consistent with its data protection and privacy laws.Of course, once the
waiver or modification is granted, the decision should be matter of
public record so that other Registries and Registrars in the
jurisdiction know and so that the ICANN Community as a whole can monitor
this process' implementation and compliance.
Step Five: Public notice
5.2Is the exemption or modification termed to the length of the
agreement? Or is it indefinite as long as the contracted party is
located in the jurisdiction in question, or so long as the applicable
law is in force.
5.2 Response:We agree with the European Commission in its response,
“/By logic the exemption or modification shall be in place as long as
the party is subject to the jurisdiction in conflict with ICANN rules.
If the applicable law was to change, or the contacted party moved to a
different jurisdiction, the conditions should be reviewed to assess if
the exemption is still justified.”/
//
But provided it is the same parties, operating under the same laws, the
modification or change should continue through the duration of the
relationship between the Registry/Registrar and ICANN.
5.3Should an exemption or modification based on the same laws and facts
then be granted to other affected contracted parties in the same
jurisdiction without invoking the Whois Procedure.
5.3 Response. The European Commission in its comments wrote, and we
strongly agree: /“the same exception should apply to others in the same
jurisdiction who can demonstrate that they are in the same situation.”
/Further, Blacknight wrote and we support: /“if ANY registrar in
Germany, for example, is granted a waiver based on German law, than ALL
registrars based in Germany should receive the same treatment.” /Once a
national data protection or privacy law is interpreted as requiring and
exemption or modification, it should be available to all
Registries/Registrars in that country.
Further, we recommend that ICANN should be required to notify each gTLD
Registry and Registrar in the same jurisdiction as that of the decision
so they will have notice of the change.
We thank ICANN staff for holding this comment period.
Respectfully submitted,
Rafik Dammak
Chairman, NCSG
On behalf of the Noncommercial Stakeholders Group
|