Hi - I've inserted my para in the
document again
maybe an online document would help next time :)
thanks everyone for the comments
I am happy to endorse this
Regards
Joy
On 1/08/2014 6:27 a.m., Stephanie Perrin wrote:
[log in to unmask]" type="cite">Ok
folks, I think we have a draft (5) which is now ready for final
approval. I have taken Kathy's last draft, done a final edit
(unfortunately I cannot restrain my editing, each time I go
through the draft, as I find things I forgot to note the last
time. So there are a few changes.) In deference to Avri's strong
objection to the mention of multistakeholderism as being
subservient to adherance to law, I did an edit of that sentence.
It is unfortunate that Michele used the example of German law (as
the lander each have their own laws and Commissioners, and I am
quite unsure whose jurisdiction this issue would fall under)
however I left it in. I also tried to clarify the paragraph
where we discuss consultation on decisions regarding exemption. I
hope it is now clear and reflects all members views on the matter.
Rafik, I would recommend that when you digitally sign the clean
copy you save it as NCSG comments on the WHOIS conflicts
consultation, as the current title is messy (assuming we can now
get concensus on moving forward and filing this tomorrow).
Kind regards,
Stephanie
On 2014-07-31, 11:09, Kathy Kleiman wrote:
Hi Stephanie,
Tx for adding Avri's comments. I've reviewed all of the changes,
and also added one more to this most recent version. _Newest
version (NCSGEdits3) attached. _
**Due tomorrow**
Best,
Kathy
:
I also agreed with Avri and inserted a
few of her changes, Kathy did not get those edits....we need
to make sure we have a final copy that Rafik can sign, which
reflects all the agreed changes. Do you want me to have
another edit one last time, to make sure that Joy's comments
(which were on an earlier draft) and Avri's are all in there?
cheers stephanie
On 2014-07-31, 9:22, Amr Elsadr wrote:
There are parts I am uncomfortable
with, some of which I deleted and
some of which I left and still am uncomfortable with.
I do not think we should ever dismiss the Multistakeholder
model. I do
not wish to find ourselves in the situation of being
quoted for having
suggested that there are times when the model should be
superseded. That
would be a gold mine for some. I deleted those
references.
Fully agree. Although I don’t feel that was the intent, it
could certainly be perceived that way. No need to bring it
up.
I am also uncomfortable with saying
there are things that don't need
public comment on. To just have to take the legal staff
view on things
is dangerous. What if they say the law does not require
something when
someone knows better. Better to have a null review. I
have not,
however, removed these as they were an entire section.
I would like
to see that section reworded or removed before approving
the documents.
IMHO, I don’t see the need for a public comment period on
every time this policy might be used. If a new set of
policies and processes are adopted for handling WHOIS
conflicts with privacy laws, then they should be clear
enough during implementation to not require public comment,
right? Isn’t this the case with all policies? For instance,
is there a public comment period every time a new registrar
signs a contract with ICANN? Or will there be a public
comment period when implementation of the “thick” WHOIS
policy kicks in?
Another thought is that a public comment period will also
lengthen the period during which a registrar will
potentially be at risk for non-compliance with local laws.
Unless there is an important reason why there should be a
public comment for each of the resolution scenarios, then I
suggest we support Kathy’s recommendation to not have any.
Thanks.
Amr
I also removed a bunch of weasel
words like 'respectfully'
avri
On 30-Jul-14 14:28, Avri Doria wrote:
Hi,
Started reviewing them, actually Stephanie's comments.
They are written
from an NCUC perspective and need to be approved by
them, not us.
avri
On 30-Jul-14 11:36, Rafik Dammak wrote:
Hi everyone,
Kathy sent a draft comment to the whois conflict with
local laws. we
have a tight schedule and we should act quickly.
we are responding during the reply period which means
the last chance
for us to do so.
@Maria can you please follow-up with this request?
Stephanie put out a call for comments, and not seeing
any, I drafted
these. It has been dismayeding ever since ICANN
adopted its Consensus
Procedure for Handling WHOIS Conflicts with Privacy
law -- because it
basically requires that Registrars and Registries have
to be sued or
receive an official notice of violation before they
can ask ICANN for a
waiver of the Whois requirements. That always seemed
very unfair- that
you have to be exposed to allegation of illegal
activity in order to
protect yourself or your Registrants under your
national data protection
and privacy laws.
In the more recent Data Retention Specification, of
the 2013 RAA, ICANN
Staff and Lawyers saw this problem and corrected it --
now Registrars
can be much more pro-active in showing ICANN that a
certain clause in
their contract (e.g., extended data retention) is a
clear violation of
their national law (e.g., more limited data
retention).
So to this important comment proceeding, I drafted
these comments for us
to submit. As Reply Comments (during the Reply
Period), we are asked to
respond to other commenters. That's easy as the
European Commission and
Registrar Blacknight submitted useful comments.
Rafik, can we edit, finalize and submit by the
deadline on Friday?
Comments below and attached. If you have edits, in the
interest of time,
kindly suggest alternate language. Tx!!
The Noncommercial Stakeholders Group represents
noncommercial
organizations in their work in the policy and
proceedings of ICANN and
the GNSO. We respectfully submit as an opening premise
that every legal
business has the right and obligation to operate
within the bounds and
limits of its national laws and regulations. No legal
business
establishes itself to violate the law; and to do so is
an invitation to
civil and criminal penalties. ICANN Registries and
Registrars are no
different – they want and need to abide by their laws.
Thus, it is timely for ICANN to raise the questions of
this proceeding,
/Review of the ICANN Procedure for Handling WHOIS
Conflicts with Privacy
Law/(albeit at a busy time for the Community and at
the height of
summer; we expect to see more interest in this time
towards the Fall).
We submit these comments in response to the issues
raises and the
questions asked.
*Background*
The /ICANN Procedure for Handling Whois Conflicts with
Privacy Law /was
adopted in 2006 after years of debate on Whois issues.
This Consensus
Procedure was the first step of recognition that data
protection laws
and privacy law DO apply to the personal and sensitive
data being
collected by Registries and Registrars for the Whois
database.
But for those of us in the Noncommercial Users
Constituency (now part of
the Noncommercial Stakeholders Group/NCSG) who helped
debate, draft and
adopt this Consensus Procedure in the mid-2000s, we
were always shocked
that the ICANN Community did not do more. At the time,
multiple Whois
Task Forces were at work with multiple proposals which
include important
and pro-active suggestions to allow Registrars and
Registries to come
into compliance with their national data protection
and privacy laws.
At the time, we never expected this Consensus
Procedure to be an end
itself – but the first step of many steps. It was an
“end” for too long,
so we are glad the discussion is reopened and once
again we seek to
allow Registrars and Registries to be in full
compliance with their
national data protection and privacy laws – from the
moment they enter
into their contracts with ICANN.
*II. Data Protection and Privacy Laws – A Quick
Overview of the
Principles that Protect the Personal and Sensitive
Data of Individuals
and Organizations/Small Businesses *
**
/*[Stephanie, Tamir or Others with Expertise in
Canadian and European
Data Protection Laws may choose to add something
here]. */
III/*. */Questions asked of the Community in this
Proceeding
The ICANN Review Paper raised a number of excellent
questions. In
keeping with the requirements of a Reply Period, these
NCSG comments
will address both our comments and those comments we
particularly
support in this proceeding.
1.
Is it impractical for ICANN to require that a
contracted party
already has litigation or a government
proceeding initiated
against it prior to being able to invoke the
Whois Procedure?
1.1 Response: Yes, it is completely impractical (and
ill-advised) to
force a company to violate a national law as a
condition of complying
with that national law. Every lawyer advises
businesses to comply with
the laws and regulations of their field. To do
otherwise is to face
fines, penalties, loss of the business, even jail for
officers and
directors. Legal business strives to be law-abiding;
no officer or
director wants to go to jail for her company's
violations. It is the
essence of an attorney's advice to his/her clients to
fully comply with
the laws and operate clearly within the clear
boundaries and limits of
laws and regulations, both national, by province or
state and local.
In these Reply Comments, we support and encourage
ICANN to adopt
policies consistent with the initial comments
submitted by the European
Commission:
o
that the Whois Procedure be changed from
requiring specific
prosecutorial action instead to allowing
“demonstrating evidence
of a potential conflict widely and e.g.
accepting information on
the legislation imposing requirements that the
contractual
requirements would breach as sufficient
evidence.” (European
Commission comments)
We also agree with Blacknight:
o
“It's completely illogical for ICANN to require
that a
contracting party already has litigation before
they can use a
process. We would have loved to use a procedure
or process to
get exemptions, but expecting us to already be
litigating before
we can do so is, for lack of a better word,
nuts.” (Blacknight
comments in this proceeding).
1.1a How can the triggering event be meaningfully
defined?
1.1 a Response: This is an important question.
Rephrased, we might ask
together – what must a Registry or Registrar show
ICANN in support of
its claim that certain provisions involving Whois data
violate
provisions of national data protection and privacy
laws?
NCSG respectfully submits that there are at least four
“triggering
events” that ICANN should recognize:
o
Evidence from a national Data Protection
Commissioner or his/her
office (or from a internationally recognized
body of national
Data Protection Commissioners in a certain
region of the world,
including the Article 29 Working Party that
analyzes the
national data protection and privacy laws) that
ICANN's
contractual obligations for Registry and/or
Registrar contracts
violate the data protection laws of their
country or their group
of countries;
o
Evidence of legal and/or jurisdictional
conflict arising from
analysis performed by ICANN's legal department
or by national
legal experts hired by ICANN to evaluate the
Whois requirements
of the ICANN contracts for compliance and
conflicts with
national data protection laws and cross-border
transfer limits)
(similar to the process we understand was
undertaken for the
data retention issue);
o
Receipt of a written legal opinion from a
nationally recognized
law firm in the applicable jurisdiction that
states that the
collection, retention and/or transfer of
certain Whois data
elements as required by Registrar or Registry
Agreements is
“reasonably likely to violate the applicable
law” of the
Registry or Registrar (per the process allowed
in RAA Data
Retention Specification); or
o
An official opinion of any other governmental
body of competent
jurisdiction providing that compliance with the
data protection
requirements of the Registry/Registrar
contracts violates
applicable national law (although such
pro-active opinions may
not be the practice of the Data Protection
Commissioner's office).
The above list draws from the comments of the European
Commission, Data
Retention Specification of the 2013 Registrar
Accreditation Agreement,
and sound compliance and business practices for the
ICANN General
Counsel's office.
We further agree with Blacknight that the requirements
for triggering
any review and consideration by ICANN be: simple and
straightforward,
quick and easy to access.
1.3 Are there any components of the triggering
event/notification
portion of the RAA's Data Retention waiver process
that should be
considered as optional for incorporation into a
modified Whois Procedure?
1.3 Response: Absolutely, the full list in 1.1a above,
together with
other constructive contributions in the Comments and
Reply Comments of
this proceeding, should be strongly considered for
incorporation into a
modified Whois Procedure, or simply written into the
contracts of the
Registries and Registrars contractual language, or a
new Annex or
Specification.
We respectfully submit that the obligation of
Registries and Registrars
to comply with their national laws is not a matter of
multistakeholder
decision making, but a matter of law and compliance.
In this case, we
wholeheartedly embrace the concept of building a
process together that
will allow exceptions for data protection and privacy
laws to be adopted
quickly and easily.
1.4 Should parties be permitted to invoke the Whois
Procedure before
contracting with ICANN as a registrar or registry?
1.4 Response: Of course, Registries and Registrars
should be allowed to
invoke the Whois Procedure, or other appropriate
annexes and
specifications that may be added into Registry and
Registrar contracts
with ICANN. As discussed above, the right of a legal
company to enter
into a legal contracts is the most basic of
expectations under law.
2.1 Are there other relevant parties who should be
included in this
step?
2.1 Response: We agree with the EC that ICANN should
be working as
closely with National Data Protection Authorities as
they will allow. In
light of the overflow of work into these national
commissions, and the
availability of national experts at law firms, ICANN
should also turn to
the advice of private experts, such as well-respected
law firms who
specialize in national data protection laws. The law
firm's opinions on
these matters would help to guide ICANN's knowledge
and evaluation of
this important issue.
3.1 How is an agreement reached and published?
3.1 Response. As discussed above, compliance with
national law may not
be the best matter for negotiation within a
multistakeholder process. It
really should not be a chose for others to make
whether you comply with
your national data protection and privacy laws. That
said, the process
of refining the Consensus Procedure, and adopting new
policies and
procedures, or simply putting new contract provisions,
annexes or
specifications into the Registry and Registrar
contracts SHOULD be
subject to community discussion, notification and
review. But once the
new process is adopted, we think the new changes,
variations,
modifications or exceptions of Individual Registries
and Registrars need
go through a public review and process. The results,
however, Should be
published for Community notification and review.
We note that in conducting the discussion with the
Community on the
overall or general procedure, policy or contractual
changes, ICANN
should be assertive in its outreach to the Data
Protection
Commissioners. Individual and through their
organizations, they have
offered to help ICANN evaluate this issue numerous
times. The Whois
Review Team noted the inability of many external
bodies to monitor ICANN
regularly, but the need for outreach to them by ICANN
staff nonetheless:
*Recommendation 3: Outreach*
*ICANN should ensure that WHOIS policy issues are
accompanied by
cross-community*
*outreach, including outreach to the communities
outside of ICANN with a
specific*
*interest in the issues, and an ongoing program for
consumer awareness.*
This is a critical policy item for such outreach and
input.
3.2 If there is an agreed outcome among the
relevant parties, should
the Board be involved in this procedure?
3.2 Response: Clearly, the changing of the procedure,
or the adoption of
a new policy or new contractual language for
Registries and Registrars,
Board oversight and review should be involved. But
once the new
procedure, policy or contractual language is in place,
then subsequent
individual changes, variations, modifications or
exceptions should be
handled through the process and ICANN Staff – as the
Data Retention
Process is handled today.
4.1 Would it be fruitful to incorporate public
comment in each of
the resolution scenarios?
4.1 Response: We think this question means whether
there should be
public input on each and every exception? We
respectfully submit that
the answer is No. Once the new policy, procedure or
contractual language
is adopted, then the process should kick in and the
Registrar/Registry
should be allowed to apply for the waiver,
modification or revision
consistent with its data protection and privacy laws.
Of course, once
the waiver or modification is granted, the decision
should be matter of
public record so that other Registries and Registrars
in the
jurisdiction know and so that the ICANN Community as a
whole can monitor
this process' implementation and compliance.
Step Five: Public notice
5.2 Is the exemption or modification termed to the
length of the
agreement? Or is it indefinite as long as the
contracted party is
located in the jurisdiction in question, or so long as
the applicable
law is in force.
5.2 Response: We agree with the European Commission in
its response,
“/By logic the exemption or modification shall be in
place as long as
the party is subject to the jurisdiction in conflict
with ICANN rules.
If the applicable law was to change, or the contacted
party moved to a
different jurisdiction, the conditions should be
reviewed to assess if
the exemption is still justified.” But provided it is
the same parties,
operating under the same laws, the modification or
change should
continue through the duration of the relationship
between the
Registry/Registrar and ICANN. /
5.3 Should an exemption or modification based on
the same laws and
facts then be granted to other affected contracted
parties in the same
jurisdiction without invoking the Whois
Procedure
5.3 Response. The European Commission in its comments
wrote, and we
strongly agree: /“the same exception should apply to
others in the same
jurisdiction who can demonstrate that they are in the
same situation.”
/Further, Blacknight wrote and we support: /“if ANY
registrar in
Germany, for example, is granted a waiver based on
German law, than ALL
registrars based in Germany should receive the same
treatment.” /Once a
national data protection or privacy law is interpreted
as requiring and
exemption or modification, it should be available to
all
Registries/Registrars in that country.
Further, we recommend that ICANN should be required to
notify each gTLD
Registry and Registrar in the same jurisdiction as
that of the decision
so they will have notice of the change.
We thank ICANN staff for holding this comment period.