Many thanks to Thomas for the notes. Adam <http://log.does-not-exist.org/archives/2004/03/02/1405_registrars_and_ncuc_discussing_whois_and_privacy_laws.html#more>

No Such Weblog
Thomas Roessler's notes on ICANN, the GNSO, the ALAC, and less virtual topics.

March 02, 2004

Registrars and NCUC discussing WHOIS and privacy laws.

The non-commercial constituency is visiting the registrars; the meeting is joined by George Papapavlou from the European Commission. Papapavlou tries to explain the main legal concepts that determine the European approach to WHOIS. One of the task forces of the GNSO has asked the GAC some questions. Papapavlou will try to give replies in this meeting.

Main starting point for European thinking on WHOIS: "What is the purpose of WHOIS?" Answer this question, then you can answer the second question: "What data are we talking about?" In the European legal framework, processing of personal data is possible for a specific purpose. Once the purpose has been defined, you know what data is relevant. Purpose of WHOIS is not really clear. Initial idea: Need contact data on specific domain names in case something goes wrong -- reach technical contact point. If this is the purpose of WHOIS, that's a good starting point.

After intro remark, can answer the TF2 questions.

First question: Consent? Consent is not the only condition. Sufficient condition, but other possibilities: Processing due to contract. Processing necessary for complying with a legal obligation of the data controller, that's possible. Processing in vital interest of data subject -- think of unconscious victim of car accident. Processing in public interest. Legitimate interest of data controller or third party, except when overridden by data subject. If data subject objects: data protection authority, possibility to go to court. But specific conditions about processing: Fairly and lawfully. Collect for specific purposes. Don't process for purposes that are incompatible with the original purpose.

Must data subject consent to disclosure? Not a necessary condition, if disclosure was part of the processing purpose of which the data subject has been informed. Data subject must be informed about recipients or categories of recipients at time of collection.

Can data subject withdraw consent? In principle he can, but not an absolute right. Room for judging legitimate interests. If it can be shown -- to appropriate authority, or to court -- that data is necessary for a legitimate purpose that overrides data subject interests, data can be processed against consent. No complaints to authorities known. Marketing does not override!

Right to anonymity? There is a right not to be included in directories. Arguably, WHOIS is a directory. Again, have to weigh legitimate interests. Judgment to what extent data subjects can ask to remain anonymous in WHOIS has not been made. In principle, right to anonymity. When there are various options to achieve a purpose, priority must be given to the least privacy-intrusive option. If legitimate interest wants information about somebody, don't obtain entire database, but go to relevant entity and ask for information. Rather than having access to the entire database, give access to specific data provided they explain what they need access for. Access is a form of processing. Access needs a justifiable reason.

Regulation on transmittal to other countries that is applicable in connection with domain name registration? No specific regulation speaking about domain name registration. But there is a directive which covers domain name registration, 95/46/EC. Has articles dealing with transfers. Adequate data protection level in recipient country. Member states have national law. But supervisory authorities have been establishing opinions on data protection levels in countries. General principle: Adequate data protection. But, exceptions. If there is consent, transfer is possible. But has to be informed consent. Data subject must know what happens. If there is a contract involved, processing necessary to fulfill the contract, processing allowed. Public interest involved? Public information registers -- may be relevant! -- can be transferred.

Final question: Does applicability of law depend on location etc.? In Europe, law of data controller's country applies. Registrar in European member state, registry in European member state -- applicable. Registrar or registry outside the Union, processing happens inside the Union, law of that member state applies.

Concluding remarks:

Accuracy. Should data be more accurate? Yes. Framework includes accuracy principle. Not going into details.

Bulk access? No. Disproportionate and privacy-infringing step unless there is a convincing specific case for bulk access -- and then there needs to be due process. If there is good evidence that a certain TLD is used by several criminals, law enforcement could get a court warrant and receive bulk data that way. Bulk access excessive not just for marketing, but also for other purposes.

Searching possibilities according to certain criteria? Not just details about one domain, but find out how many domain names an individual owns, etc.? No. Privacy-infringing, disproportionate, general presumption of guilt, excessive. Exception: Appropriate permission by due process.

Point made by data-protection authorities: WHOIS is not a tool for self-policing.

Questions?

Ross Rader, on accuracy: 1. Not clear whether or not there is a presumption of verification? Pass on what data subject provides? 2. Canada has own policy. Differences and contrasts?

George, second question first: When last dealt with this, no dramatic differences. But several years ago. Canada has adequate protection level. First question: when the law speaks of accuracy, it means that the data subject has the right to correct their data. Not automatically an obligation on the data controller to take a proactive role in verifying data. Data subject has right of access to data, correction of inaccurate data.

...

Papapavlou in reply to Broitman: Evaluation of implementation of directive; some member states late. Evaluation process should lead to decision on amendments. Not aware of any amendments being on the table. Criticism of some points, but haven't seen proposals for amending. Specific directive on telecommunications includes right not to be included in directory.

...

Discussion of directories and telecommunications privacy directive: Right not to be included in directory flows from general principles, is just spelled out in telecommunications directive.

Accuracy: Purpose has to be clear.

Elana: Balance may be blocking access to public, making information available on right kind of request? Yes.

...

NCUC's take on WHOIS purpose? Milton: Technical coordination; put due process guarantees in place. Too much stuff in there.