I also agreed with Avri and inserted a few of her changes, Kathy did not 
get those edits....we need to make sure we have a final copy that Rafik 
can sign, which reflects all the agreed changes.  Do you want me to have 
another edit one last time, to make sure that Joy's comments (which were 
on an earlier draft) and Avri's are all in there?
cheers stephanie
On 2014-07-31, 9:22, Amr Elsadr wrote:
> Hi all,
>
> On Jul 30, 2014, at 2:57 PM, Avri Doria <[log in to unmask]> wrote:
>
>> hi,
>>
>> Reviewed the document.
>>
>> Made a change so it could be a NCSG document.
> Thanks.
>
>> There are parts I am uncomfortable with, some of which I deleted and
>> some of which I left and still am uncomfortable with.
>>
>> I do not think we should ever dismiss the Multistakeholder model.  I do
>> not wish to find ourselves in the situation of being quoted for having
>> suggested that there are times when the model should be superseded. That
>> would be a gold mine for some.  I deleted those references.
> Fully agree. Although I don’t feel that was the intent, it could certainly be perceived that way. No need to bring it up.
>
>> I am also uncomfortable with saying there are things that don't need
>> public comment on.  To just have to take the legal staff view on things
>> is dangerous.  What if they say the law does not require something when
>> someone knows better.  Better to have a null review.  I have not,
>> however, removed these as they were an entire section.    I would like
>> to see that section reworded or removed before approving the documents.
> IMHO, I don’t see the need for a public comment period on every time this policy might be used. If a new set of policies and processes are adopted for handling WHOIS conflicts with privacy laws, then they should be clear enough during implementation to not require public comment, right? Isn’t this the case with all policies? For instance, is there a public comment period every time a new registrar signs a contract with ICANN? Or will there be a public comment period when implementation of the “thick” WHOIS policy kicks in?
>
> Another thought is that a public comment period will also lengthen the period during which a registrar will potentially be at risk for non-compliance with local laws. Unless there is an important reason why there should be a public comment for each of the resolution scenarios, then I suggest we support Kathy’s recommendation to not have any.
>
> Thanks.
>
> Amr
>
>> I also removed a bunch of weasel words like 'respectfully'
>>
>> avri
>>
>>
>>
>>
>>
>>
>> On 30-Jul-14 14:28, Avri Doria wrote:
>>> Hi,
>>>
>>> Started reviewing them, actually Stephanie's comments.  They are written
>>> from an NCUC perspective and need to be approved by them, not us.
>>>
>>> avri
>>>
>>>
>>> On 30-Jul-14 11:36, Rafik Dammak wrote:
>>>> Hi everyone,
>>>>
>>>> Kathy sent a draft comment to the whois conflict with local laws. we
>>>> have a tight schedule and we should act quickly.
>>>> we are responding during the reply period which means the last chance
>>>> for us to do so.
>>>> @Maria can you please follow-up with this request?
>>>>
>>>> Best,
>>>>
>>>> Rafik
>>>>
>>>>
>>>>
>>>> ---------- Forwarded message ----------
>>>> From: *Kathy Kleiman* <[log in to unmask]
>>>> <mailto:[log in to unmask]>>
>>>> Date: 2014-07-30 2:44 GMT+09:00
>>>> Subject: Draft Comments for Whois Proceeding
>>>> To: Rafik Dammak <[log in to unmask]
>>>> <mailto:[log in to unmask]>>, [log in to unmask]
>>>> <mailto:[log in to unmask]>
>>>>
>>>>
>>>> To Rafik, NCSG Executive Committee and NCSG Membership,
>>>>
>>>> There is an important, but very quiet comment proceeding that has been
>>>> taking place this summer. It is the /Review of the ICANN Procedure for
>>>> Handling WHOIS Conflicts with Privacy Law///at
>>>> /https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en/
>>>>
>>>>
>>>> Stephanie put out a call for comments, and not seeing any, I drafted
>>>> these.  It has been dismayeding ever since ICANN adopted its Consensus
>>>> Procedure for Handling WHOIS Conflicts with Privacy law -- because it
>>>> basically requires that Registrars and Registries have to be sued or
>>>> receive an official notice of violation before they can ask ICANN for a
>>>> waiver of the Whois requirements. That always seemed very unfair- that
>>>> you have to be exposed to allegation of illegal activity in order to
>>>> protect yourself or your Registrants under your national data protection
>>>> and privacy laws.
>>>>
>>>> In the more recent Data Retention Specification, of the 2013 RAA, ICANN
>>>> Staff and Lawyers saw this problem and corrected it -- now Registrars
>>>> can be much more pro-active in showing ICANN that a certain clause in
>>>> their contract (e.g., extended data retention) is a clear violation of
>>>> their national law (e.g., more limited data retention).
>>>>
>>>> So to this important comment proceeding, I drafted these comments for us
>>>> to submit. As Reply Comments (during the Reply Period), we are asked to
>>>> respond to other commenters. That's easy as the European Commission and
>>>> Registrar Blacknight submitted useful comments.
>>>>
>>>> Rafik, can we edit, finalize and submit by the deadline on Friday?
>>>> Comments below and attached. If you have edits, in the interest of time,
>>>> kindly suggest alternate language. Tx!!
>>>>
>>>> Best,
>>>> Kathy
>>>> --------------------------------------------------------------------------------------------------------
>>>>
>>>> DRAFT NCSG Response to the Questions of the
>>>>
>>>> /Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy
>>>> Law//
>>>> https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en/
>>>>
>>>>
>>>> *Introduction*
>>>>
>>>> The Noncommercial Stakeholders Group represents noncommercial
>>>> organizations in their work in the policy and proceedings of ICANN and
>>>> the GNSO. We respectfully submit as an opening premise that every legal
>>>> business has the right and obligation to operate within the bounds and
>>>> limits of its national laws and regulations. No legal business
>>>> establishes itself to violate the law; and to do so is an invitation to
>>>> civil and criminal penalties. ICANN Registries and Registrars are no
>>>> different – they want and need to abide by their laws.
>>>>
>>>> Thus, it is timely for ICANN to raise the questions of this proceeding,
>>>> /Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy
>>>> Law/(albeit at a busy time for the Community and at the height of
>>>> summer; we expect to see more interest in this time towards the Fall).
>>>> We submit these comments in response to the issues raises and the
>>>> questions asked.
>>>>
>>>> *Background*
>>>>
>>>> The /ICANN Procedure for Handling Whois Conflicts with Privacy Law /was
>>>> adopted in 2006 after years of debate on Whois issues. This Consensus
>>>> Procedure was the first step of recognition that data protection laws
>>>> and privacy law DO apply to the personal and sensitive data being
>>>> collected by Registries and Registrars for the Whois database.
>>>>
>>>> But for those of us in the Noncommercial Users Constituency (now part of
>>>> the Noncommercial Stakeholders Group/NCSG) who helped debate, draft and
>>>> adopt this Consensus Procedure in the mid-2000s, we were always shocked
>>>> that the ICANN Community did not do more. At the time, multiple Whois
>>>> Task Forces were at work with multiple proposals which include important
>>>> and pro-active suggestions to allow Registrars and Registries to come
>>>> into compliance with their national data protection and privacy laws.
>>>>
>>>> At the time, we never expected this Consensus Procedure to be an end
>>>> itself – but the first step of many steps. It was an “end” for too long,
>>>> so we are glad the discussion is reopened and once again we seek to
>>>> allow Registrars and Registries to be in full compliance with their
>>>> national data protection and privacy laws – from the moment they enter
>>>> into their contracts with ICANN.
>>>>
>>>> *II. Data Protection and Privacy Laws – A Quick Overview of the
>>>> Principles that Protect the Personal and Sensitive Data of Individuals
>>>> and Organizations/Small Businesses *
>>>>
>>>> **
>>>>
>>>> /*[Stephanie, Tamir or Others with Expertise in Canadian and European
>>>> Data Protection Laws may choose to add something here]. */
>>>>
>>>> III/*. */Questions asked of the Community in this Proceeding
>>>>
>>>> The ICANN Review Paper raised a number of excellent questions. In
>>>> keeping with the requirements of a Reply Period, these NCSG comments
>>>> will address both our comments and those comments we particularly
>>>> support in this proceeding.
>>>>
>>>>     1.
>>>>
>>>>        Is it impractical for ICANN to require that a contracted party
>>>>        already has litigation or a government proceeding initiated
>>>>        against it prior to being able to invoke the Whois Procedure?
>>>>
>>>> 1.1 Response: Yes, it is completely impractical (and ill-advised) to
>>>> force a company to violate a national law as a condition of complying
>>>> with that national law. Every lawyer advises businesses to comply with
>>>> the laws and regulations of their field. To do otherwise is to face
>>>> fines, penalties, loss of the business, even jail for officers and
>>>> directors. Legal business strives to be law-abiding; no officer or
>>>> director wants to go to jail for her company's violations. It is the
>>>> essence of an attorney's advice to his/her clients to fully comply with
>>>> the laws and operate clearly within the clear boundaries and limits of
>>>> laws and regulations, both national, by province or state and local.
>>>>
>>>> In these Reply Comments, we support and encourage ICANN to adopt
>>>> policies consistent with the initial comments submitted by the European
>>>> Commission:
>>>>
>>>>      o
>>>>
>>>>        that the Whois Procedure be changed from requiring specific
>>>>        prosecutorial action instead to allowing “demonstrating evidence
>>>>        of a potential conflict widely and e.g. accepting information on
>>>>        the legislation imposing requirements that the contractual
>>>>        requirements would breach as sufficient evidence.” (European
>>>>        Commission comments)
>>>>
>>>> We also agree with Blacknight:
>>>>
>>>>      o
>>>>
>>>>        “It's completely illogical for ICANN to require that a
>>>>        contracting party already has litigation before they can use a
>>>>        process. We would have loved to use a procedure or process to
>>>>        get exemptions, but expecting us to already be litigating before
>>>>        we can do so is, for lack of a better word, nuts.” (Blacknight
>>>>        comments in this proceeding).
>>>>
>>>>
>>>>    1.1a How can the triggering event be meaningfully defined?
>>>>
>>>> 1.1 a Response: This is an important question. Rephrased, we might ask
>>>> together – what must a Registry or Registrar show ICANN in support of
>>>> its claim that certain provisions involving Whois data violate
>>>> provisions of national data protection and privacy laws?
>>>>
>>>> NCSG respectfully submits that there are at least four “triggering
>>>> events” that ICANN should recognize:
>>>>
>>>>      o
>>>>
>>>>        Evidence from a national Data Protection Commissioner or his/her
>>>>        office (or from a internationally recognized body of national
>>>>        Data Protection Commissioners in a certain region of the world,
>>>>        including the Article 29 Working Party that analyzes the
>>>>        national data protection and privacy laws) that ICANN's
>>>>        contractual obligations for Registry and/or Registrar contracts
>>>>        violate the data protection laws of their country or their group
>>>>        of countries;
>>>>
>>>>      o
>>>>
>>>>        Evidence of legal and/or jurisdictional conflict arising from
>>>>        analysis performed by ICANN's legal department or by national
>>>>        legal experts hired by ICANN to evaluate the Whois requirements
>>>>        of the ICANN contracts for compliance and conflicts with
>>>>        national data protection laws and cross-border transfer limits)
>>>>        (similar to the process we understand was undertaken for the
>>>>        data retention issue);
>>>>
>>>>
>>>>      o
>>>>
>>>>        Receipt of a written legal opinion from a nationally recognized
>>>>        law firm in the applicable jurisdiction that states that the
>>>>        collection, retention and/or transfer of certain Whois data
>>>>        elements as required by Registrar or Registry Agreements is
>>>>        “reasonably likely to violate the applicable law” of the
>>>>        Registry or Registrar (per the process allowed in RAA Data
>>>>        Retention Specification); or
>>>>
>>>>
>>>>      o
>>>>
>>>>        An official opinion of any other governmental body of competent
>>>>        jurisdiction providing that compliance with the data protection
>>>>        requirements of the Registry/Registrar contracts violates
>>>>        applicable national law (although such pro-active opinions may
>>>>        not be the practice of the Data Protection Commissioner's office).
>>>>
>>>> The above list draws from the comments of the European Commission, Data
>>>> Retention Specification of the 2013 Registrar Accreditation Agreement,
>>>> and sound compliance and business practices for the ICANN General
>>>> Counsel's office.
>>>>
>>>> We further agree with Blacknight that the requirements for triggering
>>>> any review and consideration by ICANN be: simple and straightforward,
>>>> quick and easy to access.
>>>>
>>>>
>>>>    1.3 Are there any components of the triggering event/notification
>>>> portion of the RAA's Data Retention waiver process that should be
>>>> considered as optional for incorporation into a modified Whois Procedure?
>>>>
>>>>
>>>> 1.3 Response: Absolutely, the full list in 1.1a above, together with
>>>> other constructive contributions in the Comments and Reply Comments of
>>>> this proceeding, should be strongly considered for incorporation into a
>>>> modified Whois Procedure, or simply written into the contracts of the
>>>> Registries and Registrars contractual language, or a new Annex or
>>>> Specification.
>>>>
>>>> We respectfully submit that the obligation of Registries and Registrars
>>>> to comply with their national laws is not a matter of multistakeholder
>>>> decision making, but a matter of law and compliance. In this case, we
>>>> wholeheartedly embrace the concept of building a process together that
>>>> will allow exceptions for data protection and privacy laws to be adopted
>>>> quickly and easily.
>>>>
>>>>
>>>>    1.4 Should parties be permitted to invoke the Whois Procedure before
>>>> contracting with ICANN as a registrar or registry?
>>>>
>>>>
>>>> 1.4 Response: Of course, Registries and Registrars should be allowed to
>>>> invoke the Whois Procedure, or other appropriate annexes and
>>>> specifications that may be added into Registry and Registrar contracts
>>>> with ICANN. As discussed above, the right of a legal company to enter
>>>> into a legal contracts is the most basic of expectations under law.
>>>>
>>>>
>>>>    2.1 Are there other relevant parties who should be included in this
>>>> step?
>>>>
>>>>
>>>> 2.1 Response: We agree with the EC that ICANN should be working as
>>>> closely with National Data Protection Authorities as they will allow. In
>>>> light of the overflow of work into these national commissions, and the
>>>> availability of national experts at law firms, ICANN should also turn to
>>>> the advice of private experts, such as well-respected law firms who
>>>> specialize in national data protection laws. The law firm's opinions on
>>>> these matters would help to guide ICANN's knowledge and evaluation of
>>>> this important issue.
>>>>
>>>>
>>>>    3.1 How is an agreement reached and published?
>>>>
>>>> 3.1 Response. As discussed above, compliance with national law may not
>>>> be the best matter for negotiation within a multistakeholder process. It
>>>> really should not be a chose for others to make whether you comply with
>>>> your national data protection and privacy laws. That said, the process
>>>> of refining the Consensus Procedure, and adopting new policies and
>>>> procedures, or simply putting new contract provisions, annexes or
>>>> specifications into the Registry and Registrar contracts SHOULD be
>>>> subject to community discussion, notification and review. But once the
>>>> new process is adopted, we think the new changes, variations,
>>>> modifications or exceptions of Individual Registries and Registrars need
>>>> go through a public review and process. The results, however, Should be
>>>> published for Community notification and review.
>>>>
>>>>
>>>> We note that in conducting the discussion with the Community on the
>>>> overall or general procedure, policy or contractual changes, ICANN
>>>> should be assertive in its outreach to the Data Protection
>>>> Commissioners. Individual and through their organizations, they have
>>>> offered to help ICANN evaluate this issue numerous times. The Whois
>>>> Review Team noted the inability of many external bodies to monitor ICANN
>>>> regularly, but the need for outreach to them by ICANN staff nonetheless:
>>>>
>>>>
>>>> *Recommendation 3: Outreach*
>>>>
>>>> *ICANN should ensure that WHOIS policy issues are accompanied by
>>>> cross-community*
>>>>
>>>> *outreach, including outreach to the communities outside of ICANN with a
>>>> specific*
>>>>
>>>> *interest in the issues, and an ongoing program for consumer awareness.*
>>>>
>>>> This is a critical policy item for such outreach and input.
>>>>
>>>>
>>>>    3.2 If there is an agreed outcome among the relevant parties, should
>>>> the Board be involved in this procedure?
>>>>
>>>>
>>>> 3.2 Response: Clearly, the changing of the procedure, or the adoption of
>>>> a new policy or new contractual language for Registries and Registrars,
>>>> Board oversight and review should be involved. But once the new
>>>> procedure, policy or contractual language is in place, then subsequent
>>>> individual changes, variations, modifications or exceptions should be
>>>> handled through the process and ICANN Staff – as the Data Retention
>>>> Process is handled today.
>>>>
>>>>
>>>>    4.1 Would it be fruitful to incorporate public comment in each of
>>>> the resolution scenarios?
>>>>
>>>> 4.1 Response: We think this question means whether there should be
>>>> public input on each and every exception? We respectfully submit that
>>>> the answer is No. Once the new policy, procedure or contractual language
>>>> is adopted, then the process should kick in and the Registrar/Registry
>>>> should be allowed to apply for the waiver, modification or revision
>>>> consistent with its data protection and privacy laws. Of course, once
>>>> the waiver or modification is granted, the decision should be matter of
>>>> public record so that other Registries and Registrars in the
>>>> jurisdiction know and so that the ICANN Community as a whole can monitor
>>>> this process' implementation and compliance.
>>>>
>>>> Step Five: Public notice
>>>>
>>>>
>>>>    5.2 Is the exemption or modification termed to the length of the
>>>> agreement? Or is it indefinite as long as the contracted party is
>>>> located in the jurisdiction in question, or so long as the applicable
>>>> law is in force.
>>>>
>>>> 5.2 Response: We agree with the European Commission in its response,
>>>> “/By logic the exemption or modification shall be in place as long as
>>>> the party is subject to the jurisdiction in conflict with ICANN rules.
>>>> If the applicable law was to change, or the contacted party moved to a
>>>> different jurisdiction, the conditions should be reviewed to assess if
>>>> the exemption is still justified.” But provided it is the same parties,
>>>> operating under the same laws, the modification or change should
>>>> continue through the duration of the relationship between the
>>>> Registry/Registrar and ICANN. /
>>>>
>>>>
>>>>    5.3 Should an exemption or modification based on the same laws and
>>>> facts then be granted to other affected contracted parties in the same
>>>>        jurisdiction without invoking the Whois Procedure
>>>>
>>>> 5.3 Response. The European Commission in its comments wrote, and we
>>>> strongly agree: /“the same exception should apply to others in the same
>>>> jurisdiction who can demonstrate that they are in the same situation.”
>>>> /Further, Blacknight wrote and we support: /“if ANY registrar in
>>>> Germany, for example, is granted a waiver based on German law, than ALL
>>>> registrars based in Germany should receive the same treatment.” /Once a
>>>> national data protection or privacy law is interpreted as requiring and
>>>> exemption or modification, it should be available to all
>>>> Registries/Registrars in that country.
>>>>
>>>> Further, we recommend that ICANN should be required to notify each gTLD
>>>> Registry and Registrar in the same jurisdiction as that of the decision
>>>> so they will have notice of the change.
>>>>
>>>> We thank ICANN staff for holding this comment period.
>>>>
>>>> Respectfully submitted,
>>>>
>>>> NCSG
>>>>
>>>>
>>>> DRAFT
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> PC-NCSG mailing list
>>>> [log in to unmask]
>>>> http://mailman.ipjustice.org/listinfo/pc-ncsg
>>>>
>>> _______________________________________________
>>> PC-NCSG mailing list
>>> [log in to unmask]
>>> http://mailman.ipjustice.org/listinfo/pc-ncsg
>>>
>>>
>> <NSCG DRAFT Comments for Review of WHOIS Consensus Proceduresp+ad.doc>_______________________________________________
>> PC-NCSG mailing list
>> [log in to unmask]
>> http://mailman.ipjustice.org/listinfo/pc-ncsg
>
> _______________________________________________
> PC-NCSG mailing list
> [log in to unmask]
> http://mailman.ipjustice.org/listinfo/pc-ncsg