Hi Stephanie,
Tx for adding Avri's comments. I've reviewed all of the changes, and 
also added one more to this most recent version. _Newest version 
(NCSGEdits3) attached. _
**Due tomorrow**
Best,
Kathy
:
> I also agreed with Avri and inserted a few of her changes, Kathy did 
> not get those edits....we need to make sure we have a final copy that 
> Rafik can sign, which reflects all the agreed changes.  Do you want me 
> to have another edit one last time, to make sure that Joy's comments 
> (which were on an earlier draft) and Avri's are all in there?
> cheers stephanie
> On 2014-07-31, 9:22, Amr Elsadr wrote:
>> Hi all,
>>
>> On Jul 30, 2014, at 2:57 PM, Avri Doria <[log in to unmask]> wrote:
>>
>>> hi,
>>>
>>> Reviewed the document.
>>>
>>> Made a change so it could be a NCSG document.
>> Thanks.
>>
>>> There are parts I am uncomfortable with, some of which I deleted and
>>> some of which I left and still am uncomfortable with.
>>>
>>> I do not think we should ever dismiss the Multistakeholder model.  I do
>>> not wish to find ourselves in the situation of being quoted for having
>>> suggested that there are times when the model should be superseded. 
>>> That
>>> would be a gold mine for some.  I deleted those references.
>> Fully agree. Although I don’t feel that was the intent, it could 
>> certainly be perceived that way. No need to bring it up.
>>
>>> I am also uncomfortable with saying there are things that don't need
>>> public comment on.  To just have to take the legal staff view on things
>>> is dangerous.  What if they say the law does not require something when
>>> someone knows better.  Better to have a null review.  I have not,
>>> however, removed these as they were an entire section.    I would like
>>> to see that section reworded or removed before approving the documents.
>> IMHO, I don’t see the need for a public comment period on every time 
>> this policy might be used. If a new set of policies and processes are 
>> adopted for handling WHOIS conflicts with privacy laws, then they 
>> should be clear enough during implementation to not require public 
>> comment, right? Isn’t this the case with all policies? For instance, 
>> is there a public comment period every time a new registrar signs a 
>> contract with ICANN? Or will there be a public comment period when 
>> implementation of the “thick” WHOIS policy kicks in?
>>
>> Another thought is that a public comment period will also lengthen 
>> the period during which a registrar will potentially be at risk for 
>> non-compliance with local laws. Unless there is an important reason 
>> why there should be a public comment for each of the resolution 
>> scenarios, then I suggest we support Kathy’s recommendation to not 
>> have any.
>>
>> Thanks.
>>
>> Amr
>>
>>> I also removed a bunch of weasel words like 'respectfully'
>>>
>>> avri
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 30-Jul-14 14:28, Avri Doria wrote:
>>>> Hi,
>>>>
>>>> Started reviewing them, actually Stephanie's comments.  They are 
>>>> written
>>>> from an NCUC perspective and need to be approved by them, not us.
>>>>
>>>> avri
>>>>
>>>>
>>>> On 30-Jul-14 11:36, Rafik Dammak wrote:
>>>>> Hi everyone,
>>>>>
>>>>> Kathy sent a draft comment to the whois conflict with local laws. we
>>>>> have a tight schedule and we should act quickly.
>>>>> we are responding during the reply period which means the last chance
>>>>> for us to do so.
>>>>> @Maria can you please follow-up with this request?
>>>>>
>>>>> Best,
>>>>>
>>>>> Rafik
>>>>>
>>>>>
>>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: *Kathy Kleiman* <[log in to unmask]
>>>>> <mailto:[log in to unmask]>>
>>>>> Date: 2014-07-30 2:44 GMT+09:00
>>>>> Subject: Draft Comments for Whois Proceeding
>>>>> To: Rafik Dammak <[log in to unmask]
>>>>> <mailto:[log in to unmask]>>, [log in to unmask]
>>>>> <mailto:[log in to unmask]>
>>>>>
>>>>>
>>>>> To Rafik, NCSG Executive Committee and NCSG Membership,
>>>>>
>>>>> There is an important, but very quiet comment proceeding that has 
>>>>> been
>>>>> taking place this summer. It is the /Review of the ICANN Procedure 
>>>>> for
>>>>> Handling WHOIS Conflicts with Privacy Law///at
>>>>> /https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en/ 
>>>>>
>>>>>
>>>>>
>>>>> Stephanie put out a call for comments, and not seeing any, I drafted
>>>>> these.  It has been dismayeding ever since ICANN adopted its 
>>>>> Consensus
>>>>> Procedure for Handling WHOIS Conflicts with Privacy law -- because it
>>>>> basically requires that Registrars and Registries have to be sued or
>>>>> receive an official notice of violation before they can ask ICANN 
>>>>> for a
>>>>> waiver of the Whois requirements. That always seemed very unfair- 
>>>>> that
>>>>> you have to be exposed to allegation of illegal activity in order to
>>>>> protect yourself or your Registrants under your national data 
>>>>> protection
>>>>> and privacy laws.
>>>>>
>>>>> In the more recent Data Retention Specification, of the 2013 RAA, 
>>>>> ICANN
>>>>> Staff and Lawyers saw this problem and corrected it -- now Registrars
>>>>> can be much more pro-active in showing ICANN that a certain clause in
>>>>> their contract (e.g., extended data retention) is a clear 
>>>>> violation of
>>>>> their national law (e.g., more limited data retention).
>>>>>
>>>>> So to this important comment proceeding, I drafted these comments 
>>>>> for us
>>>>> to submit. As Reply Comments (during the Reply Period), we are 
>>>>> asked to
>>>>> respond to other commenters. That's easy as the European 
>>>>> Commission and
>>>>> Registrar Blacknight submitted useful comments.
>>>>>
>>>>> Rafik, can we edit, finalize and submit by the deadline on Friday?
>>>>> Comments below and attached. If you have edits, in the interest of 
>>>>> time,
>>>>> kindly suggest alternate language. Tx!!
>>>>>
>>>>> Best,
>>>>> Kathy
>>>>> -------------------------------------------------------------------------------------------------------- 
>>>>>
>>>>>
>>>>> DRAFT NCSG Response to the Questions of the
>>>>>
>>>>> /Review of the ICANN Procedure for Handling WHOIS Conflicts with 
>>>>> Privacy
>>>>> Law//
>>>>> https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en/ 
>>>>>
>>>>>
>>>>>
>>>>> *Introduction*
>>>>>
>>>>> The Noncommercial Stakeholders Group represents noncommercial
>>>>> organizations in their work in the policy and proceedings of ICANN 
>>>>> and
>>>>> the GNSO. We respectfully submit as an opening premise that every 
>>>>> legal
>>>>> business has the right and obligation to operate within the bounds 
>>>>> and
>>>>> limits of its national laws and regulations. No legal business
>>>>> establishes itself to violate the law; and to do so is an 
>>>>> invitation to
>>>>> civil and criminal penalties. ICANN Registries and Registrars are no
>>>>> different – they want and need to abide by their laws.
>>>>>
>>>>> Thus, it is timely for ICANN to raise the questions of this 
>>>>> proceeding,
>>>>> /Review of the ICANN Procedure for Handling WHOIS Conflicts with 
>>>>> Privacy
>>>>> Law/(albeit at a busy time for the Community and at the height of
>>>>> summer; we expect to see more interest in this time towards the 
>>>>> Fall).
>>>>> We submit these comments in response to the issues raises and the
>>>>> questions asked.
>>>>>
>>>>> *Background*
>>>>>
>>>>> The /ICANN Procedure for Handling Whois Conflicts with Privacy Law 
>>>>> /was
>>>>> adopted in 2006 after years of debate on Whois issues. This Consensus
>>>>> Procedure was the first step of recognition that data protection laws
>>>>> and privacy law DO apply to the personal and sensitive data being
>>>>> collected by Registries and Registrars for the Whois database.
>>>>>
>>>>> But for those of us in the Noncommercial Users Constituency (now 
>>>>> part of
>>>>> the Noncommercial Stakeholders Group/NCSG) who helped debate, 
>>>>> draft and
>>>>> adopt this Consensus Procedure in the mid-2000s, we were always 
>>>>> shocked
>>>>> that the ICANN Community did not do more. At the time, multiple Whois
>>>>> Task Forces were at work with multiple proposals which include 
>>>>> important
>>>>> and pro-active suggestions to allow Registrars and Registries to come
>>>>> into compliance with their national data protection and privacy laws.
>>>>>
>>>>> At the time, we never expected this Consensus Procedure to be an end
>>>>> itself – but the first step of many steps. It was an “end” for too 
>>>>> long,
>>>>> so we are glad the discussion is reopened and once again we seek to
>>>>> allow Registrars and Registries to be in full compliance with their
>>>>> national data protection and privacy laws – from the moment they 
>>>>> enter
>>>>> into their contracts with ICANN.
>>>>>
>>>>> *II. Data Protection and Privacy Laws – A Quick Overview of the
>>>>> Principles that Protect the Personal and Sensitive Data of 
>>>>> Individuals
>>>>> and Organizations/Small Businesses *
>>>>>
>>>>> **
>>>>>
>>>>> /*[Stephanie, Tamir or Others with Expertise in Canadian and European
>>>>> Data Protection Laws may choose to add something here]. */
>>>>>
>>>>> III/*. */Questions asked of the Community in this Proceeding
>>>>>
>>>>> The ICANN Review Paper raised a number of excellent questions. In
>>>>> keeping with the requirements of a Reply Period, these NCSG comments
>>>>> will address both our comments and those comments we particularly
>>>>> support in this proceeding.
>>>>>
>>>>>     1.
>>>>>
>>>>>        Is it impractical for ICANN to require that a contracted party
>>>>>        already has litigation or a government proceeding initiated
>>>>>        against it prior to being able to invoke the Whois Procedure?
>>>>>
>>>>> 1.1 Response: Yes, it is completely impractical (and ill-advised) to
>>>>> force a company to violate a national law as a condition of complying
>>>>> with that national law. Every lawyer advises businesses to comply 
>>>>> with
>>>>> the laws and regulations of their field. To do otherwise is to face
>>>>> fines, penalties, loss of the business, even jail for officers and
>>>>> directors. Legal business strives to be law-abiding; no officer or
>>>>> director wants to go to jail for her company's violations. It is the
>>>>> essence of an attorney's advice to his/her clients to fully comply 
>>>>> with
>>>>> the laws and operate clearly within the clear boundaries and 
>>>>> limits of
>>>>> laws and regulations, both national, by province or state and local.
>>>>>
>>>>> In these Reply Comments, we support and encourage ICANN to adopt
>>>>> policies consistent with the initial comments submitted by the 
>>>>> European
>>>>> Commission:
>>>>>
>>>>>      o
>>>>>
>>>>>        that the Whois Procedure be changed from requiring specific
>>>>>        prosecutorial action instead to allowing “demonstrating 
>>>>> evidence
>>>>>        of a potential conflict widely and e.g. accepting 
>>>>> information on
>>>>>        the legislation imposing requirements that the contractual
>>>>>        requirements would breach as sufficient evidence.” (European
>>>>>        Commission comments)
>>>>>
>>>>> We also agree with Blacknight:
>>>>>
>>>>>      o
>>>>>
>>>>>        “It's completely illogical for ICANN to require that a
>>>>>        contracting party already has litigation before they can use a
>>>>>        process. We would have loved to use a procedure or process to
>>>>>        get exemptions, but expecting us to already be litigating 
>>>>> before
>>>>>        we can do so is, for lack of a better word, nuts.” (Blacknight
>>>>>        comments in this proceeding).
>>>>>
>>>>>
>>>>>    1.1a How can the triggering event be meaningfully defined?
>>>>>
>>>>> 1.1 a Response: This is an important question. Rephrased, we might 
>>>>> ask
>>>>> together – what must a Registry or Registrar show ICANN in support of
>>>>> its claim that certain provisions involving Whois data violate
>>>>> provisions of national data protection and privacy laws?
>>>>>
>>>>> NCSG respectfully submits that there are at least four “triggering
>>>>> events” that ICANN should recognize:
>>>>>
>>>>>      o
>>>>>
>>>>>        Evidence from a national Data Protection Commissioner or 
>>>>> his/her
>>>>>        office (or from a internationally recognized body of national
>>>>>        Data Protection Commissioners in a certain region of the 
>>>>> world,
>>>>>        including the Article 29 Working Party that analyzes the
>>>>>        national data protection and privacy laws) that ICANN's
>>>>>        contractual obligations for Registry and/or Registrar 
>>>>> contracts
>>>>>        violate the data protection laws of their country or their 
>>>>> group
>>>>>        of countries;
>>>>>
>>>>>      o
>>>>>
>>>>>        Evidence of legal and/or jurisdictional conflict arising from
>>>>>        analysis performed by ICANN's legal department or by national
>>>>>        legal experts hired by ICANN to evaluate the Whois 
>>>>> requirements
>>>>>        of the ICANN contracts for compliance and conflicts with
>>>>>        national data protection laws and cross-border transfer 
>>>>> limits)
>>>>>        (similar to the process we understand was undertaken for the
>>>>>        data retention issue);
>>>>>
>>>>>
>>>>>      o
>>>>>
>>>>>        Receipt of a written legal opinion from a nationally 
>>>>> recognized
>>>>>        law firm in the applicable jurisdiction that states that the
>>>>>        collection, retention and/or transfer of certain Whois data
>>>>>        elements as required by Registrar or Registry Agreements is
>>>>>        “reasonably likely to violate the applicable law” of the
>>>>>        Registry or Registrar (per the process allowed in RAA Data
>>>>>        Retention Specification); or
>>>>>
>>>>>
>>>>>      o
>>>>>
>>>>>        An official opinion of any other governmental body of 
>>>>> competent
>>>>>        jurisdiction providing that compliance with the data 
>>>>> protection
>>>>>        requirements of the Registry/Registrar contracts violates
>>>>>        applicable national law (although such pro-active opinions may
>>>>>        not be the practice of the Data Protection Commissioner's 
>>>>> office).
>>>>>
>>>>> The above list draws from the comments of the European Commission, 
>>>>> Data
>>>>> Retention Specification of the 2013 Registrar Accreditation 
>>>>> Agreement,
>>>>> and sound compliance and business practices for the ICANN General
>>>>> Counsel's office.
>>>>>
>>>>> We further agree with Blacknight that the requirements for triggering
>>>>> any review and consideration by ICANN be: simple and straightforward,
>>>>> quick and easy to access.
>>>>>
>>>>>
>>>>>    1.3 Are there any components of the triggering event/notification
>>>>> portion of the RAA's Data Retention waiver process that should be
>>>>> considered as optional for incorporation into a modified Whois 
>>>>> Procedure?
>>>>>
>>>>>
>>>>> 1.3 Response: Absolutely, the full list in 1.1a above, together with
>>>>> other constructive contributions in the Comments and Reply 
>>>>> Comments of
>>>>> this proceeding, should be strongly considered for incorporation 
>>>>> into a
>>>>> modified Whois Procedure, or simply written into the contracts of the
>>>>> Registries and Registrars contractual language, or a new Annex or
>>>>> Specification.
>>>>>
>>>>> We respectfully submit that the obligation of Registries and 
>>>>> Registrars
>>>>> to comply with their national laws is not a matter of 
>>>>> multistakeholder
>>>>> decision making, but a matter of law and compliance. In this case, we
>>>>> wholeheartedly embrace the concept of building a process together 
>>>>> that
>>>>> will allow exceptions for data protection and privacy laws to be 
>>>>> adopted
>>>>> quickly and easily.
>>>>>
>>>>>
>>>>>    1.4 Should parties be permitted to invoke the Whois Procedure 
>>>>> before
>>>>> contracting with ICANN as a registrar or registry?
>>>>>
>>>>>
>>>>> 1.4 Response: Of course, Registries and Registrars should be 
>>>>> allowed to
>>>>> invoke the Whois Procedure, or other appropriate annexes and
>>>>> specifications that may be added into Registry and Registrar 
>>>>> contracts
>>>>> with ICANN. As discussed above, the right of a legal company to enter
>>>>> into a legal contracts is the most basic of expectations under law.
>>>>>
>>>>>
>>>>>    2.1 Are there other relevant parties who should be included in 
>>>>> this
>>>>> step?
>>>>>
>>>>>
>>>>> 2.1 Response: We agree with the EC that ICANN should be working as
>>>>> closely with National Data Protection Authorities as they will 
>>>>> allow. In
>>>>> light of the overflow of work into these national commissions, and 
>>>>> the
>>>>> availability of national experts at law firms, ICANN should also 
>>>>> turn to
>>>>> the advice of private experts, such as well-respected law firms who
>>>>> specialize in national data protection laws. The law firm's 
>>>>> opinions on
>>>>> these matters would help to guide ICANN's knowledge and evaluation of
>>>>> this important issue.
>>>>>
>>>>>
>>>>>    3.1 How is an agreement reached and published?
>>>>>
>>>>> 3.1 Response. As discussed above, compliance with national law may 
>>>>> not
>>>>> be the best matter for negotiation within a multistakeholder 
>>>>> process. It
>>>>> really should not be a chose for others to make whether you comply 
>>>>> with
>>>>> your national data protection and privacy laws. That said, the 
>>>>> process
>>>>> of refining the Consensus Procedure, and adopting new policies and
>>>>> procedures, or simply putting new contract provisions, annexes or
>>>>> specifications into the Registry and Registrar contracts SHOULD be
>>>>> subject to community discussion, notification and review. But once 
>>>>> the
>>>>> new process is adopted, we think the new changes, variations,
>>>>> modifications or exceptions of Individual Registries and 
>>>>> Registrars need
>>>>> go through a public review and process. The results, however, 
>>>>> Should be
>>>>> published for Community notification and review.
>>>>>
>>>>>
>>>>> We note that in conducting the discussion with the Community on the
>>>>> overall or general procedure, policy or contractual changes, ICANN
>>>>> should be assertive in its outreach to the Data Protection
>>>>> Commissioners. Individual and through their organizations, they have
>>>>> offered to help ICANN evaluate this issue numerous times. The Whois
>>>>> Review Team noted the inability of many external bodies to monitor 
>>>>> ICANN
>>>>> regularly, but the need for outreach to them by ICANN staff 
>>>>> nonetheless:
>>>>>
>>>>>
>>>>> *Recommendation 3: Outreach*
>>>>>
>>>>> *ICANN should ensure that WHOIS policy issues are accompanied by
>>>>> cross-community*
>>>>>
>>>>> *outreach, including outreach to the communities outside of ICANN 
>>>>> with a
>>>>> specific*
>>>>>
>>>>> *interest in the issues, and an ongoing program for consumer 
>>>>> awareness.*
>>>>>
>>>>> This is a critical policy item for such outreach and input.
>>>>>
>>>>>
>>>>>    3.2 If there is an agreed outcome among the relevant parties, 
>>>>> should
>>>>> the Board be involved in this procedure?
>>>>>
>>>>>
>>>>> 3.2 Response: Clearly, the changing of the procedure, or the 
>>>>> adoption of
>>>>> a new policy or new contractual language for Registries and 
>>>>> Registrars,
>>>>> Board oversight and review should be involved. But once the new
>>>>> procedure, policy or contractual language is in place, then 
>>>>> subsequent
>>>>> individual changes, variations, modifications or exceptions should be
>>>>> handled through the process and ICANN Staff – as the Data Retention
>>>>> Process is handled today.
>>>>>
>>>>>
>>>>>    4.1 Would it be fruitful to incorporate public comment in each of
>>>>> the resolution scenarios?
>>>>>
>>>>> 4.1 Response: We think this question means whether there should be
>>>>> public input on each and every exception? We respectfully submit that
>>>>> the answer is No. Once the new policy, procedure or contractual 
>>>>> language
>>>>> is adopted, then the process should kick in and the 
>>>>> Registrar/Registry
>>>>> should be allowed to apply for the waiver, modification or revision
>>>>> consistent with its data protection and privacy laws. Of course, once
>>>>> the waiver or modification is granted, the decision should be 
>>>>> matter of
>>>>> public record so that other Registries and Registrars in the
>>>>> jurisdiction know and so that the ICANN Community as a whole can 
>>>>> monitor
>>>>> this process' implementation and compliance.
>>>>>
>>>>> Step Five: Public notice
>>>>>
>>>>>
>>>>>    5.2 Is the exemption or modification termed to the length of the
>>>>> agreement? Or is it indefinite as long as the contracted party is
>>>>> located in the jurisdiction in question, or so long as the applicable
>>>>> law is in force.
>>>>>
>>>>> 5.2 Response: We agree with the European Commission in its response,
>>>>> “/By logic the exemption or modification shall be in place as long as
>>>>> the party is subject to the jurisdiction in conflict with ICANN 
>>>>> rules.
>>>>> If the applicable law was to change, or the contacted party moved 
>>>>> to a
>>>>> different jurisdiction, the conditions should be reviewed to 
>>>>> assess if
>>>>> the exemption is still justified.” But provided it is the same 
>>>>> parties,
>>>>> operating under the same laws, the modification or change should
>>>>> continue through the duration of the relationship between the
>>>>> Registry/Registrar and ICANN. /
>>>>>
>>>>>
>>>>>    5.3 Should an exemption or modification based on the same laws and
>>>>> facts then be granted to other affected contracted parties in the 
>>>>> same
>>>>>        jurisdiction without invoking the Whois Procedure
>>>>>
>>>>> 5.3 Response. The European Commission in its comments wrote, and we
>>>>> strongly agree: /“the same exception should apply to others in the 
>>>>> same
>>>>> jurisdiction who can demonstrate that they are in the same 
>>>>> situation.”
>>>>> /Further, Blacknight wrote and we support: /“if ANY registrar in
>>>>> Germany, for example, is granted a waiver based on German law, 
>>>>> than ALL
>>>>> registrars based in Germany should receive the same treatment.” 
>>>>> /Once a
>>>>> national data protection or privacy law is interpreted as 
>>>>> requiring and
>>>>> exemption or modification, it should be available to all
>>>>> Registries/Registrars in that country.
>>>>>
>>>>> Further, we recommend that ICANN should be required to notify each 
>>>>> gTLD
>>>>> Registry and Registrar in the same jurisdiction as that of the 
>>>>> decision
>>>>> so they will have notice of the change.
>>>>>
>>>>> We thank ICANN staff for holding this comment period.
>>>>>
>>>>> Respectfully submitted,
>>>>>
>>>>> NCSG
>>>>>
>>>>>
>>>>> DRAFT
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> PC-NCSG mailing list
>>>>> [log in to unmask]
>>>>> http://mailman.ipjustice.org/listinfo/pc-ncsg
>>>>>
>>>> _______________________________________________
>>>> PC-NCSG mailing list
>>>> [log in to unmask]
>>>> http://mailman.ipjustice.org/listinfo/pc-ncsg
>>>>
>>>>
>>> <NSCG DRAFT Comments for Review of WHOIS Consensus 
>>> Proceduresp+ad.doc>_______________________________________________
>>> PC-NCSG mailing list
>>> [log in to unmask]
>>> http://mailman.ipjustice.org/listinfo/pc-ncsg
>>
>> _______________________________________________
>> PC-NCSG mailing list
>> [log in to unmask]
>> http://mailman.ipjustice.org/listinfo/pc-ncsg