Hi Stephanie,
Tx for adding Avri's comments. I've reviewed all of the changes, and
also added one more to this most recent version. Newest version
(NCSGEdits3) attached.
**Due tomorrow**
Best,
Kathy
:
> I also agreed with Avri and inserted a few of her changes, Kathy did
> not get those edits....we need to make sure we have a final copy that
> Rafik can sign, which reflects all the agreed changes. Do you want me
> to have another edit one last time, to make sure that Joy's comments
> (which were on an earlier draft) and Avri's are all in there?
> cheers stephanie
> On 2014-07-31, 9:22, Amr Elsadr wrote:
>> Hi all,
>>
>> On Jul 30, 2014, at 2:57 PM, Avri Doria wrote:
>>
>>> hi,
>>>
>>> Reviewed the document.
>>>
>>> Made a change so it could be a NCSG document.
>> Thanks.
>>
>>> There are parts I am uncomfortable with, some of which I deleted and
>>> some of which I left and still am uncomfortable with.
>>>
>>> I do not think we should ever dismiss the Multistakeholder model. I do
>>> not wish to find ourselves in the situation of being quoted for having
>>> suggested that there are times when the model should be superseded.
>>> That
>>> would be a gold mine for some. I deleted those references.
>> Fully agree. Although I don’t feel that was the intent, it could
>> certainly be perceived that way. No need to bring it up.
>>
>>> I am also uncomfortable with saying there are things that don't need
>>> public comment on. To just have to take the legal staff view on things
>>> is dangerous. What if they say the law does not require something when
>>> someone knows better. Better to have a null review. I have not,
>>> however, removed these as they were an entire section. I would like
>>> to see that section reworded or removed before approving the documents.
>> IMHO, I don’t see the need for a public comment period on every time
>> this policy might be used. If a new set of policies and processes are
>> adopted for handling WHOIS conflicts with privacy laws, then they
>> should be clear enough during implementation to not require public
>> comment, right? Isn’t this the case with all policies? For instance,
>> is there a public comment period every time a new registrar signs a
>> contract with ICANN? Or will there be a public comment period when
>> implementation of the “thick” WHOIS policy kicks in?
>>
>> Another thought is that a public comment period will also lengthen
>> the period during which a registrar will potentially be at risk for
>> non-compliance with local laws. Unless there is an important reason
>> why there should be a public comment for each of the resolution
>> scenarios, then I suggest we support Kathy’s recommendation to not
>> have any.
>>
>> Thanks.
>>
>> Amr
>>
>>> I also removed a bunch of weasel words like 'respectfully'
>>>
>>> avri
>>>
>>>
>>>
>>>
>>>
>>>
>>> On 30-Jul-14 14:28, Avri Doria wrote:
>>>> Hi,
>>>>
>>>> Started reviewing them, actually Stephanie's comments. They are
>>>> written
>>>> from an NCUC perspective and need to be approved by them, not us.
>>>>
>>>> avri
>>>>
>>>>
>>>> On 30-Jul-14 11:36, Rafik Dammak wrote:
>>>>> Hi everyone,
>>>>>
>>>>> Kathy sent a draft comment to the whois conflict with local laws. we
>>>>> have a tight schedule and we should act quickly.
>>>>> we are responding during the reply period which means the last chance
>>>>> for us to do so.
>>>>> @Maria can you please follow-up with this request?
>>>>>
>>>>> Best,
>>>>>
>>>>> Rafik
>>>>>
>>>>>
>>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: *Kathy Kleiman*
>>>>> Date: 2014-07-30 2:44 GMT+09:00
>>>>> Subject: Draft Comments for Whois Proceeding
>>>>> To: Rafik Dammak
>>>>>
>>>>>
>>>>> To Rafik, NCSG Executive Committee and NCSG Membership,
>>>>>
>>>>> There is an important, but very quiet comment proceeding that has been
>>>>> taking place this summer. It is the /Review of the ICANN Procedure for
>>>>> Handling WHOIS Conflicts with Privacy Law/ at
>>>>> https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en/
>>>>>
>>>>>
>>>>>
>>>>> Stephanie put out a call for comments, and not seeing any, I drafted
>>>>> these. It has been dismaying ever since ICANN adopted its
>>>>> Consensus
>>>>> Procedure for Handling WHOIS Conflicts with Privacy law -- because it
>>>>> basically requires that Registrars and Registries have to be sued or
>>>>> receive an official notice of violation before they can ask ICANN
>>>>> for a
>>>>> waiver of the Whois requirements. That always seemed very unfair-
>>>>> that
>>>>> you have to be exposed to allegation of illegal activity in order to
>>>>> protect yourself or your Registrants under your national data
>>>>> protection
>>>>> and privacy laws.
>>>>>
>>>>> In the more recent Data Retention Specification, of the 2013 RAA,
>>>>> ICANN
>>>>> Staff and Lawyers saw this problem and corrected it -- now Registrars
>>>>> can be much more pro-active in showing ICANN that a certain clause in
>>>>> their contract (e.g., extended data retention) is a clear
>>>>> violation of
>>>>> their national law (e.g., more limited data retention).
>>>>>
>>>>> So to this important comment proceeding, I drafted these comments
>>>>> for us
>>>>> to submit. As Reply Comments (during the Reply Period), we are
>>>>> asked to
>>>>> respond to other commenters. That's easy as the European
>>>>> Commission and
>>>>> Registrar Blacknight submitted useful comments.
>>>>>
>>>>> Rafik, can we edit, finalize and submit by the deadline on Friday?
>>>>> Comments below and attached. If you have edits, in the interest of
>>>>> time,
>>>>> kindly suggest alternate language. Tx!!
>>>>>
>>>>> Best,
>>>>> Kathy
>>>>> --------------------------------------------------------------------------------------------------------
>>>>>
>>>>>
>>>>> DRAFT NCSG Response to the Questions of the
>>>>>
>>>>> /Review of the ICANN Procedure for Handling WHOIS Conflicts with
>>>>> Privacy
>>>>> Law//
>>>>> https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en/
>>>>>
>>>>>
>>>>>
>>>>> *Introduction*
>>>>>
>>>>> The Noncommercial Stakeholders Group represents noncommercial
>>>>> organizations in their work in the policy and proceedings of ICANN
>>>>> and
>>>>> the GNSO. We respectfully submit as an opening premise that every
>>>>> legal
>>>>> business has the right and obligation to operate within the bounds
>>>>> and
>>>>> limits of its national laws and regulations. No legal business
>>>>> establishes itself to violate the law; and to do so is an
>>>>> invitation to
>>>>> civil and criminal penalties. ICANN Registries and Registrars are no
>>>>> different – they want and need to abide by their laws.
>>>>>
>>>>> Thus, it is timely for ICANN to raise the questions of this
>>>>> proceeding,
>>>>> /Review of the ICANN Procedure for Handling WHOIS Conflicts with
>>>>> Privacy
>>>>> Law/(albeit at a busy time for the Community and at the height of
>>>>> summer; we expect to see more interest in this time towards the
>>>>> Fall).
>>>>> We submit these comments in response to the issues raised and the
>>>>> questions asked.
>>>>>
>>>>> *Background*
>>>>>
>>>>> The /ICANN Procedure for Handling Whois Conflicts with Privacy Law
>>>>> /was
>>>>> adopted in 2006 after years of debate on Whois issues. This Consensus
>>>>> Procedure was the first step of recognition that data protection laws
>>>>> and privacy law DO apply to the personal and sensitive data being
>>>>> collected by Registries and Registrars for the Whois database.
>>>>>
>>>>> But for those of us in the Noncommercial Users Constituency (now
>>>>> part of
>>>>> the Noncommercial Stakeholders Group/NCSG) who helped debate,
>>>>> draft and
>>>>> adopt this Consensus Procedure in the mid-2000s, we were always
>>>>> shocked
>>>>> that the ICANN Community did not do more. At the time, multiple Whois
>>>>> Task Forces were at work with multiple proposals which include
>>>>> important
>>>>> and pro-active suggestions to allow Registrars and Registries to come
>>>>> into compliance with their national data protection and privacy laws.
>>>>>
>>>>> At the time, we never expected this Consensus Procedure to be an end
>>>>> itself – but the first step of many steps. It was an “end” for too
>>>>> long,
>>>>> so we are glad the discussion is reopened and once again we seek to
>>>>> allow Registrars and Registries to be in full compliance with their
>>>>> national data protection and privacy laws – from the moment they
>>>>> enter
>>>>> into their contracts with ICANN.
>>>>>
>>>>> *II. Data Protection and Privacy Laws – A Quick Overview of the
>>>>> Principles that Protect the Personal and Sensitive Data of
>>>>> Individuals
>>>>> and Organizations/Small Businesses *
>>>>>
>>>>> /*[Stephanie, Tamir or Others with Expertise in Canadian and European
>>>>> Data Protection Laws may choose to add something here]. */
>>>>>
>>>>> *III. Questions asked of the Community in this Proceeding*
>>>>>
>>>>> The ICANN Review Paper raised a number of excellent questions. In
>>>>> keeping with the requirements of a Reply Period, these NCSG comments
>>>>> will address both our comments and those comments we particularly
>>>>> support in this proceeding.
>>>>>
>>>>> 1.
>>>>>
>>>>> Is it impractical for ICANN to require that a contracted party
>>>>> already has litigation or a government proceeding initiated
>>>>> against it prior to being able to invoke the Whois Procedure?
>>>>>
>>>>> 1.1 Response: Yes, it is completely impractical (and ill-advised) to
>>>>> force a company to violate a national law as a condition of complying
>>>>> with that national law. Every lawyer advises businesses to comply
>>>>> with
>>>>> the laws and regulations of their field. To do otherwise is to face
>>>>> fines, penalties, loss of the business, even jail for officers and
>>>>> directors. Legal business strives to be law-abiding; no officer or
>>>>> director wants to go to jail for her company's violations. It is the
>>>>> essence of an attorney's advice to his/her clients to fully comply
>>>>> with
>>>>> the laws and operate clearly within the clear boundaries and
>>>>> limits of
>>>>> laws and regulations, both national, by province or state and local.
>>>>>
>>>>> In these Reply Comments, we support and encourage ICANN to adopt
>>>>> policies consistent with the initial comments submitted by the
>>>>> European
>>>>> Commission:
>>>>>
>>>>> o
>>>>>
>>>>> that the Whois Procedure be changed from requiring specific
>>>>> prosecutorial action instead to allowing “demonstrating
>>>>> evidence
>>>>> of a potential conflict widely and e.g. accepting
>>>>> information on
>>>>> the legislation imposing requirements that the contractual
>>>>> requirements would breach as sufficient evidence.” (European
>>>>> Commission comments)
>>>>>
>>>>> We also agree with Blacknight:
>>>>>
>>>>> o
>>>>>
>>>>> “It's completely illogical for ICANN to require that a
>>>>> contracting party already has litigation before they can use a
>>>>> process. We would have loved to use a procedure or process to
>>>>> get exemptions, but expecting us to already be litigating
>>>>> before
>>>>> we can do so is, for lack of a better word, nuts.” (Blacknight
>>>>> comments in this proceeding).
>>>>>
>>>>>
>>>>> 1.1a How can the triggering event be meaningfully defined?
>>>>>
>>>>> 1.1 a Response: This is an important question. Rephrased, we might
>>>>> ask
>>>>> together – what must a Registry or Registrar show ICANN in support of
>>>>> its claim that certain provisions involving Whois data violate
>>>>> provisions of national data protection and privacy laws?
>>>>>
>>>>> NCSG respectfully submits that there are at least four “triggering
>>>>> events” that ICANN should recognize:
>>>>>
>>>>> o
>>>>>
>>>>> Evidence from a national Data Protection Commissioner or
>>>>> his/her
>>>>> office (or from an internationally recognized body of national
>>>>> Data Protection Commissioners in a certain region of the
>>>>> world,
>>>>> including the Article 29 Working Party that analyzes the
>>>>> national data protection and privacy laws) that ICANN's
>>>>> contractual obligations for Registry and/or Registrar
>>>>> contracts
>>>>> violate the data protection laws of their country or their
>>>>> group
>>>>> of countries;
>>>>>
>>>>> o
>>>>>
>>>>> Evidence of legal and/or jurisdictional conflict arising from
>>>>> analysis performed by ICANN's legal department or by national
>>>>> legal experts hired by ICANN to evaluate the Whois
>>>>> requirements
>>>>> of the ICANN contracts for compliance and conflicts with
>>>>> national data protection laws and cross-border transfer
>>>>> limits)
>>>>> (similar to the process we understand was undertaken for the
>>>>> data retention issue);
>>>>>
>>>>>
>>>>> o
>>>>>
>>>>> Receipt of a written legal opinion from a nationally
>>>>> recognized
>>>>> law firm in the applicable jurisdiction that states that the
>>>>> collection, retention and/or transfer of certain Whois data
>>>>> elements as required by Registrar or Registry Agreements is
>>>>> “reasonably likely to violate the applicable law” of the
>>>>> Registry or Registrar (per the process allowed in RAA Data
>>>>> Retention Specification); or
>>>>>
>>>>>
>>>>> o
>>>>>
>>>>> An official opinion of any other governmental body of
>>>>> competent
>>>>> jurisdiction providing that compliance with the data
>>>>> protection
>>>>> requirements of the Registry/Registrar contracts violates
>>>>> applicable national law (although such pro-active opinions may
>>>>> not be the practice of the Data Protection Commissioner's
>>>>> office).
>>>>>
>>>>> The above list draws from the comments of the European Commission,
>>>>> Data
>>>>> Retention Specification of the 2013 Registrar Accreditation
>>>>> Agreement,
>>>>> and sound compliance and business practices for the ICANN General
>>>>> Counsel's office.
>>>>>
>>>>> We further agree with Blacknight that the requirements for triggering
>>>>> any review and consideration by ICANN be: simple and straightforward,
>>>>> quick and easy to access.
>>>>>
>>>>>
>>>>> 1.3 Are there any components of the triggering event/notification
>>>>> portion of the RAA's Data Retention waiver process that should be
>>>>> considered as optional for incorporation into a modified Whois
>>>>> Procedure?
>>>>>
>>>>>
>>>>> 1.3 Response: Absolutely, the full list in 1.1a above, together with
>>>>> other constructive contributions in the Comments and Reply
>>>>> Comments of
>>>>> this proceeding, should be strongly considered for incorporation
>>>>> into a
>>>>> modified Whois Procedure, or simply written into the contracts of the
>>>>> Registries and Registrars contractual language, or a new Annex or
>>>>> Specification.
>>>>>
>>>>> We respectfully submit that the obligation of Registries and
>>>>> Registrars
>>>>> to comply with their national laws is not a matter of
>>>>> multistakeholder
>>>>> decision making, but a matter of law and compliance. In this case, we
>>>>> wholeheartedly embrace the concept of building a process together
>>>>> that
>>>>> will allow exceptions for data protection and privacy laws to be
>>>>> adopted
>>>>> quickly and easily.
>>>>>
>>>>>
>>>>> 1.4 Should parties be permitted to invoke the Whois Procedure
>>>>> before
>>>>> contracting with ICANN as a registrar or registry?
>>>>>
>>>>>
>>>>> 1.4 Response: Of course, Registries and Registrars should be
>>>>> allowed to
>>>>> invoke the Whois Procedure, or other appropriate annexes and
>>>>> specifications that may be added into Registry and Registrar
>>>>> contracts
>>>>> with ICANN. As discussed above, the right of a legal company to enter
>>>>> into legal contracts is the most basic of expectations under law.
>>>>>
>>>>>
>>>>> 2.1 Are there other relevant parties who should be included in
>>>>> this
>>>>> step?
>>>>>
>>>>>
>>>>> 2.1 Response: We agree with the EC that ICANN should be working as
>>>>> closely with National Data Protection Authorities as they will
>>>>> allow. In
>>>>> light of the overflow of work into these national commissions, and
>>>>> the
>>>>> availability of national experts at law firms, ICANN should also
>>>>> turn to
>>>>> the advice of private experts, such as well-respected law firms who
>>>>> specialize in national data protection laws. The law firm's
>>>>> opinions on
>>>>> these matters would help to guide ICANN's knowledge and evaluation of
>>>>> this important issue.
>>>>>
>>>>>
>>>>> 3.1 How is an agreement reached and published?
>>>>>
>>>>> 3.1 Response. As discussed above, compliance with national law may
>>>>> not
>>>>> be the best matter for negotiation within a multistakeholder
>>>>> process. It
>>>>> really should not be a choice for others to make whether you comply
>>>>> with
>>>>> your national data protection and privacy laws. That said, the
>>>>> process
>>>>> of refining the Consensus Procedure, and adopting new policies and
>>>>> procedures, or simply putting new contract provisions, annexes or
>>>>> specifications into the Registry and Registrar contracts SHOULD be
>>>>> subject to community discussion, notification and review. But once
>>>>> the
>>>>> new process is adopted, we think the new changes, variations,
>>>>> modifications or exceptions of Individual Registries and
>>>>> Registrars need
>>>>> go through a public review and process. The results, however,
>>>>> should be
>>>>> published for Community notification and review.
>>>>>
>>>>>
>>>>> We note that in conducting the discussion with the Community on the
>>>>> overall or general procedure, policy or contractual changes, ICANN
>>>>> should be assertive in its outreach to the Data Protection
>>>>> Commissioners. Individually and through their organizations, they have
>>>>> offered to help ICANN evaluate this issue numerous times. The Whois
>>>>> Review Team noted the inability of many external bodies to monitor
>>>>> ICANN
>>>>> regularly, but the need for outreach to them by ICANN staff
>>>>> nonetheless:
>>>>>
>>>>>
>>>>> *Recommendation 3: Outreach*
>>>>>
>>>>> *ICANN should ensure that WHOIS policy issues are accompanied by
>>>>> cross-community*
>>>>>
>>>>> *outreach, including outreach to the communities outside of ICANN
>>>>> with a
>>>>> specific*
>>>>>
>>>>> *interest in the issues, and an ongoing program for consumer
>>>>> awareness.*
>>>>>
>>>>> This is a critical policy item for such outreach and input.
>>>>>
>>>>>
>>>>> 3.2 If there is an agreed outcome among the relevant parties,
>>>>> should
>>>>> the Board be involved in this procedure?
>>>>>
>>>>>
>>>>> 3.2 Response: Clearly, the changing of the procedure, or the
>>>>> adoption of
>>>>> a new policy or new contractual language for Registries and
>>>>> Registrars,
>>>>> Board oversight and review should be involved. But once the new
>>>>> procedure, policy or contractual language is in place, then
>>>>> subsequent
>>>>> individual changes, variations, modifications or exceptions should be
>>>>> handled through the process and ICANN Staff – as the Data Retention
>>>>> Process is handled today.
>>>>>
>>>>>
>>>>> 4.1 Would it be fruitful to incorporate public comment in each of
>>>>> the resolution scenarios?
>>>>>
>>>>> 4.1 Response: We think this question means whether there should be
>>>>> public input on each and every exception? We respectfully submit that
>>>>> the answer is No. Once the new policy, procedure or contractual
>>>>> language
>>>>> is adopted, then the process should kick in and the
>>>>> Registrar/Registry
>>>>> should be allowed to apply for the waiver, modification or revision
>>>>> consistent with its data protection and privacy laws. Of course, once
>>>>> the waiver or modification is granted, the decision should be a
>>>>> matter of
>>>>> public record so that other Registries and Registrars in the
>>>>> jurisdiction know and so that the ICANN Community as a whole can
>>>>> monitor
>>>>> this process' implementation and compliance.
>>>>>
>>>>> Step Five: Public notice
>>>>>
>>>>>
>>>>> 5.2 Is the exemption or modification termed to the length of the
>>>>> agreement? Or is it indefinite as long as the contracted party is
>>>>> located in the jurisdiction in question, or so long as the applicable
>>>>> law is in force.
>>>>>
>>>>> 5.2 Response: We agree with the European Commission in its response,
>>>>> “/By logic the exemption or modification shall be in place as long as
>>>>> the party is subject to the jurisdiction in conflict with ICANN
>>>>> rules.
>>>>> If the applicable law was to change, or the contacted party moved
>>>>> to a
>>>>> different jurisdiction, the conditions should be reviewed to
>>>>> assess if
>>>>> the exemption is still justified.” But provided it is the same
>>>>> parties,
>>>>> operating under the same laws, the modification or change should
>>>>> continue through the duration of the relationship between the
>>>>> Registry/Registrar and ICANN. /
>>>>>
>>>>>
>>>>> 5.3 Should an exemption or modification based on the same laws and
>>>>> facts then be granted to other affected contracted parties in the
>>>>> same
>>>>> jurisdiction without invoking the Whois Procedure
>>>>>
>>>>> 5.3 Response. The European Commission in its comments wrote, and we
>>>>> strongly agree: /“the same exception should apply to others in the
>>>>> same
>>>>> jurisdiction who can demonstrate that they are in the same
>>>>> situation.”
>>>>> /Further, Blacknight wrote and we support: /“if ANY registrar in
>>>>> Germany, for example, is granted a waiver based on German law,
>>>>> than ALL
>>>>> registrars based in Germany should receive the same treatment.”
>>>>> /Once a
>>>>> national data protection or privacy law is interpreted as
>>>>> requiring an
>>>>> exemption or modification, it should be available to all
>>>>> Registries/Registrars in that country.
>>>>>
>>>>> Further, we recommend that ICANN should be required to notify each
>>>>> gTLD
>>>>> Registry and Registrar in the same jurisdiction as that of the
>>>>> decision
>>>>> so they will have notice of the change.
>>>>>
>>>>> We thank ICANN staff for holding this comment period.
>>>>>
>>>>> Respectfully submitted,
>>>>>
>>>>> NCSG
>>>>>
>>>>>
>>>>> DRAFT
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> PC-NCSG mailing list
>>>>> [log in to unmask]
>>>>> http://mailman.ipjustice.org/listinfo/pc-ncsg
>>>>>
>>>>
>>>>
>>> <NSCG DRAFT Comments for Review of WHOIS Consensus
>>> Proceduresp+ad.doc>
>>