Fantastic work Kathy! Surely we don’t want to introduce the
‘ICANN defense’ into the international legal vernacular
(‘Sorry your honour, ICANN made me do it!’).
1. The NCSG is much more than mere organizations; we’re also the
home of individual noncommercial users within the GNSO. Perhaps we could
reflect that in the introduction, such as:
2. As the third “triggering event” you have, in part,
“Receipt of a written legal opinion from a nationally recognized law
firm in the applicable jurisdiction”.
Here in the United Kingdom some of the most prominent solicitors
practicing in both the cyber and privacy realms are solo practitioners,
often practicing in combination with a part time lecturing career. Think of,
for example, Jeremy Phillips. I’d hate to give the big law firms any
advantage over the equally qualified solicitor or barrister who does not
belong to a firm. Consider perhaps amending the statement as such:
-----Original Message-----
From: Kathy Kleiman <[log in to unmask]>
To: [log in to unmask]
Date: Tue, 29 Jul 2014 13:44:44 -0400
Subject: Draft Comments for Whois Proceeding
To Rafik, NCSG Executive Committee and NCSG
Membership,
Stephanie put out a call for comments, and
not seeing any, I drafted these. It has been dismaying ever since
ICANN adopted its Consensus Procedure for Handling WHOIS Conflicts with
Privacy law -- because it basically requires that Registrars and Registries
have to be sued or receive an official notice of violation before they can
ask ICANN for a waiver of the Whois requirements. That always seemed very
unfair - that you have to be exposed to allegation of illegal activity in
order to protect yourself or your Registrants under your national data
protection and privacy laws.
In the more recent Data Retention
Specification, of the 2013 RAA, ICANN Staff and Lawyers saw this problem and
corrected it -- now Registrars can be much more pro-active in showing ICANN
that a certain clause in their contract (e.g., extended data retention) is a
clear violation of their national law (e.g., more limited data
retention).
So to this important comment proceeding, I
drafted these comments for us to submit. As Reply Comments (during the Reply
Period), we are asked to respond to other commenters. That's easy as the
European Commission and Registrar Blacknight submitted useful comments.
Rafik, can we edit, finalize and submit by the
deadline on Friday? Comments below and attached. If you have edits, in
the interest of time, kindly suggest alternate language. Tx!!
Best,
Kathy
--------------------------------------------------------------------------------------------------------
DRAFT NCSG Response to the Questions of the
Review of the ICANN
Procedure for Handling WHOIS Conflicts with Privacy Law
https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en
Introduction
The Noncommercial Stakeholders Group represents noncommercial
organizations in their work in the policy and proceedings of ICANN and the
GNSO. We respectfully submit as an opening premise that every legal business
has the right and obligation to operate within the bounds and limits of its
national laws and regulations. No legal business establishes itself to
violate the law; and to do so is an invitation to civil and criminal
penalties. ICANN Registries and Registrars are no different – they
want and need to abide by their laws.
Thus, it is timely for ICANN to raise the questions of this
proceeding,
Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy
Law (albeit at a busy time for the
Community and at the height of summer; we expect to see more interest in
this time towards the Fall). We submit these comments in response to the
issues raised and the questions asked.
Background
The
ICANN Procedure for Handling Whois Conflicts with Privacy Law
was adopted in 2006
after years of debate on Whois issues. This Consensus Procedure was the
first step of recognition that data protection laws and privacy law DO apply
to the personal and sensitive data being collected by Registries and
Registrars for the Whois database.
But for those of us in the Noncommercial Users Constituency (now
part of the Noncommercial Stakeholders Group/NCSG) who helped debate, draft
and adopt this Consensus Procedure in the mid-2000s, we were always shocked
that the ICANN Community did not do more. At the time, multiple Whois Task
Forces were at work with multiple proposals which include important and
pro-active suggestions to allow Registrars and Registries to come into
compliance with their national data protection and privacy laws.
At the time, we never expected this Consensus Procedure to be an
end in itself – but the first step of many steps. It was an
“end” for too long, so we are glad the discussion is reopened
and once again we seek to allow Registrars and Registries to be in full
compliance with their national data protection and privacy laws – from
the moment they enter into their contracts with ICANN.
II. Data Protection and Privacy Laws – A Quick Overview of
the Principles that Protect the Personal and Sensitive Data of Individuals
and Organizations/Small Businesses
[Stephanie, Tamir or Others with Expertise
in Canadian and European Data Protection Laws may choose to add something
here].
III. Questions asked of the Community in this
Proceeding
The ICANN Review Paper raised a number of excellent questions. In
keeping with the requirements of a Reply Period, these NCSG comments will
address both our comments and those comments we particularly support in this
proceeding.
Is it impractical for ICANN to
require that a contracted party already has litigation or a government
proceeding initiated against it prior to being able to invoke the Whois
Procedure?
1.1 Response: Yes, it is completely impractical (and ill-advised)
to force a company to violate a national law as a condition of complying
with that national law. Every lawyer advises businesses to comply with the
laws and regulations of their field. To do otherwise is to face fines,
penalties, loss of the business, even jail for officers and directors. Legal
business strives to be law-abiding; no officer or director wants to go to
jail for her company's violations. It is the essence of an
attorney's advice to his/her clients to fully comply with the laws and
operate clearly within the clear boundaries and limits of laws and
regulations, both national, by province or state and local.
In these Reply Comments, we support and encourage ICANN to adopt
policies consistent with the initial comments submitted by the European
Commission:
We also agree with Blacknight:
“It's completely illogical for
ICANN to require that a contracting party already has litigation before they
can use a process. We would have loved to use a procedure or process to get
exemptions, but expecting us to already be litigating before we can do so
is, for lack of a better word, nuts.” (Blacknight comments in this
proceeding).
1.1a How can the triggering event be
meaningfully defined?
1.1 a Response: This is an important question. Rephrased, we might
ask together – what must a Registry or Registrar show ICANN in support
of its claim that certain provisions involving Whois data violate provisions
of national data protection and privacy laws?
NCSG respectfully submits that there are at least four
“triggering events” that ICANN should recognize:
- Evidence from a national Data
  Protection Commissioner or his/her office (or from an internationally
  recognized body of national Data Protection Commissioners in a certain
  region of the world, including the Article 29 Working Party that analyzes
  the national data protection and privacy laws) that ICANN's contractual
  obligations for Registry and/or Registrar contracts violate the data
  protection laws of their country or their group of countries;
- Evidence of legal and/or
  jurisdictional conflict arising from analysis performed by ICANN's legal
  department or by national legal experts hired by ICANN to evaluate the Whois
  requirements of the ICANN contracts for compliance and conflicts with
  national data protection laws and cross-border transfer limits) (similar to
  the process we understand was undertaken for the data retention issue);
- Receipt of a written legal
  opinion from a nationally recognized law firm in the applicable jurisdiction
  that states that the collection, retention and/or transfer of certain Whois
  data elements as required by Registrar or Registry Agreements is
  “reasonably likely to violate the applicable law” of the
  Registry or Registrar (per the process allowed in RAA Data Retention
  Specification); or
The above list draws from the comments of the European Commission,
Data Retention Specification of the 2013 Registrar Accreditation Agreement,
and sound compliance and business practices for the ICANN General
Counsel's office.
We further agree with Blacknight that the requirements for
triggering any review and consideration by ICANN be: simple and
straightforward, quick and easy to access.
1.3 Are
there any components of the triggering event/notification portion of the
RAA's Data Retention waiver process that should be considered as
optional for incorporation into a modified Whois Procedure?
1.3 Response: Absolutely, the full list in 1.1a above, together
with other constructive contributions in the Comments and Reply Comments of
this proceeding, should be strongly considered for incorporation into a
modified Whois Procedure, or simply written into the contracts of the
Registries and Registrars contractual language, or a new Annex or
Specification.
We respectfully submit that the obligation of Registries and
Registrars to comply with their national laws is not a matter of
multistakeholder decision making, but a matter of law and compliance. In
this case, we wholeheartedly embrace the concept of building a process
together that will allow exceptions for data protection and privacy laws to
be adopted quickly and easily.
1.4
Should parties be permitted to invoke the Whois Procedure before contracting
with ICANN as a registrar or registry?
1.4 Response: Of course, Registries and Registrars should be
allowed to invoke the Whois Procedure, or other appropriate annexes and
specifications that may be added into Registry and Registrar contracts with
ICANN. As discussed above, the right of a legal company to enter into a
legal contract is the most basic of expectations under law.
2.1 Are
there other relevant parties who should be included in this step?
2.1 Response: We agree with the EC that ICANN should be working as
closely with National Data Protection Authorities as they will allow. In
light of the overflow of work into these national commissions, and the
availability of national experts at law firms, ICANN should also turn to the
advice of private experts, such as well-respected law firms who specialize
in national data protection laws. The law firm's opinions on these
matters would help to guide ICANN's knowledge and evaluation of this
important issue.
3.1 How
is an agreement reached and published?
3.1 Response. As discussed above, compliance with national law may
not be the best matter for negotiation within a multistakeholder process. It
really should not be a choice for others to make whether you comply with your
national data protection and privacy laws. That said, the process of
refining the Consensus Procedure, and adopting new policies and procedures,
or simply putting new contract provisions, annexes or specifications into
the Registry and Registrar contracts SHOULD be subject to community
discussion, notification and review. But once the new process is adopted, we
think the new changes, variations, modifications or exceptions of Individual
Registries and Registrars need go through a public review and process. The
results, however, should be published for Community notification and review.
We note that in conducting the discussion with the Community on the
overall or general procedure, policy or contractual changes, ICANN should be
assertive in its outreach to the Data Protection Commissioners. Individually
and through their organizations, they have offered to help ICANN evaluate
this issue numerous times. The Whois Review Team noted the inability of many
external bodies to monitor ICANN regularly, but the need for outreach to
them by ICANN staff nonetheless:
Recommendation 3: Outreach
ICANN should ensure that WHOIS policy issues
are accompanied by cross-community
outreach, including outreach to the
communities outside of ICANN with a specific
interest in the issues, and an ongoing program
for consumer awareness.
This is a critical policy item for such outreach
and input.
3.2 If
there is an agreed outcome among the relevant parties, should the Board be
involved in this procedure?
3.2 Response: Clearly, the changing of the procedure, or the
adoption of a new policy or new contractual language for Registries and
Registrars, Board oversight and review should be involved. But once the new
procedure, policy or contractual language is in place, then subsequent
individual changes, variations, modifications or exceptions should be
handled through the process and ICANN Staff – as the Data Retention
Process is handled today.
4.1 Would
it be fruitful to incorporate public comment in each of the resolution
scenarios?
4.1 Response: We think this question means whether there should be
public input on each and every exception? We respectfully submit that the
answer is No. Once the new policy, procedure or contractual language is
adopted, then the process should kick in and the Registrar/Registry should
be allowed to apply for the waiver, modification or revision consistent with
its data protection and privacy laws. Of course, once the waiver or
modification is granted, the decision should be matter of public record so
that other Registries and Registrars in the jurisdiction know and so that
the ICANN Community as a whole can monitor this process' implementation
and compliance.
Step Five: Public notice
5.2 Is
the exemption or modification termed to the length of the agreement? Or is
it indefinite as long as the contracted party is located in the jurisdiction
in question, or so long as the applicable law is in force.
5.2 Response: We agree with the European Commission in its
response, “By logic the exemption or modification shall be in place
as long as the party is subject to the jurisdiction in conflict with ICANN
rules. If the applicable law was to change, or the contacted party moved to
a different jurisdiction, the conditions should be reviewed to assess if the
exemption is still justified.” But provided it is the same parties,
operating under the same laws, the modification or change should continue
through the duration of the relationship between the Registry/Registrar and
ICANN.
5.3
Should an exemption or modification based on the same laws and facts then be
granted to other affected contracted parties in the same
jurisdiction without invoking the Whois Procedure?
5.3 Response. The European Commission in its comments wrote, and we
strongly agree: “the same exception should apply to others in the
same jurisdiction who can demonstrate that they are in the same
situation.” Further, Blacknight wrote and we support: “if
ANY registrar in Germany, for example, is granted a waiver based on German
law, than ALL registrars based in Germany should receive the same
treatment.” Once a national data
protection or privacy law is interpreted as requiring an exemption or
modification, it should be available to all Registries/Registrars in that
country.
Further, we recommend that ICANN should be required to notify each
gTLD Registry and Registrar in the same jurisdiction as that of the decision
so they will have notice of the change.
We thank ICANN staff for holding this comment period.
Respectfully submitted,
NCSG
DRAFT