Fantastic work Kathy! Surely we don’t want to introduce the ‘ICANN
defense’ into the international legal vernacular (‘Sorry your honour,
ICANN made me do it!’).
Two minor suggestions:
1. The NCSG is much more than mere organizations; we’re also the home of
individual noncommercial users within the GNSO. Perhaps we could reflect
that in the introduction, such as:
The Noncommercial Stakeholders Group represents noncommercial organizations
and individual noncommercial users in their work in the policy and
proceedings of ICANN and the GNSO.
2. As the third “triggering event” you have, in part, “Receipt of a
written legal opinion from a nationally recognized law firm in the
applicable jurisdiction”.
Here in the United Kingdom some of the most prominent solicitors practicing
in both the cyber and privacy realms are solo practitioners, often
practicing in combination with a part time lecturing career. Think of, for
example, Jeremy Phillips. I’d hate to give the big law firms any advantage
over the equally qualified solicitor or barrister who does not belong to a
firm. Consider, perhaps amending the statement, as such:
Receipt of a written legal opinion from a nationally recognized law firm or
qualified legal practitioner in the applicable jurisdiction.
Thanks for considering and thanks again, Kathy, for all of this. It’s
really great work!
-----Original Message-----
From: Kathy Kleiman <[log in to unmask]>
To: [log in to unmask]
Date: Tue, 29 Jul 2014 13:44:44 -0400
Subject: Draft Comments for Whois Proceeding
To Rafik, NCSG Executive Committee and NCSG Membership,
There is an important, but very quiet comment proceeding that has been
taking place this summer. It is the Review of the ICANN Procedure for
Handling WHOIS Conflicts with Privacy Law at
https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en
Stephanie put out a call for comments, and not seeing any, I drafted these.
It has been dismayeding ever since ICANN adopted its Consensus Procedure for
Handling WHOIS Conflicts with Privacy law -- because it basically requires
that Registrars and Registries have to be sued or receive an official notice
of violation before they can ask ICANN for a waiver of the Whois
requirements. That always seemed very unfair- that you have to be exposed to
allegation of illegal activity in order to protect yourself or your
Registrants under your national data protection and privacy laws.
In the more recent Data Retention Specification, of the 2013 RAA, ICANN
Staff and Lawyers saw this problem and corrected it -- now Registrars can be
much more pro-active in showing ICANN that a certain clause in their
contract (e.g., extended data retention) is a clear violation of their
national law (e.g., more limited data retention).
So to this important comment proceeding, I drafted these comments for us to
submit. As Reply Comments (during the Reply Period), we are asked to respond
to other commenters. That's easy as the European Commission and Registrar
Blacknight submitted useful comments.
Rafik, can we edit, finalize and submit by the deadline on Friday? Comments
below and attached. If you have edits, in the interest of time, kindly
suggest alternate language. Tx!!
Best,
Kathy
--------------------------------------------------------------------------------------------------------
DRAFT NCSG Response to the Questions of the
Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy Law
https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en
Introduction
The Noncommercial Stakeholders Group represents noncommercial organizations
in their work in the policy and proceedings of ICANN and the GNSO. We
respectfully submit as an opening premise that every legal business has the
right and obligation to operate within the bounds and limits of its national
laws and regulations. No legal business establishes itself to violate the
law; and to do so is an invitation to civil and criminal penalties. ICANN
Registries and Registrars are no different – they want and need to abide
by their laws.
Thus, it is timely for ICANN to raise the questions of this proceeding,
Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy Law
(albeit at a busy time for the Community and at the height of summer; we
expect to see more interest in this time towards the Fall). We submit these
comments in response to the issues raises and the questions asked.
Background
The ICANN Procedure for Handling Whois Conflicts with Privacy Law was
adopted in 2006 after years of debate on Whois issues. This Consensus
Procedure was the first step of recognition that data protection laws and
privacy law DO apply to the personal and sensitive data being collected by
Registries and Registrars for the Whois database.
But for those of us in the Noncommercial Users Constituency (now part of the
Noncommercial Stakeholders Group/NCSG) who helped debate, draft and adopt
this Consensus Procedure in the mid-2000s, we were always shocked that the
ICANN Community did not do more. At the time, multiple Whois Task Forces
were at work with multiple proposals which include important and pro-active
suggestions to allow Registrars and Registries to come into compliance with
their national data protection and privacy laws.
At the time, we never expected this Consensus Procedure to be an end itself
– but the first step of many steps. It was an “end” for too long, so
we are glad the discussion is reopened and once again we seek to allow
Registrars and Registries to be in full compliance with their national data
protection and privacy laws – from the moment they enter into their
contracts with ICANN.
II. Data Protection and Privacy Laws – A Quick Overview of the Principles
that Protect the Personal and Sensitive Data of Individuals and
Organizations/Small Businesses
[Stephanie, Tamir or Others with Expertise in Canadian and European Data
Protection Laws may choose to add something here].
III. Questions asked of the Community in this Proceeding
The ICANN Review Paper raised a number of excellent questions. In keeping
with the requirements of a Reply Period, these NCSG comments will address
both our comments and those comments we particularly support in this
proceeding.
Is it impractical for ICANN to require that a contracted party already has
litigation or a government proceeding initiated against it prior to being
able to invoke the Whois Procedure?
1.1 Response: Yes, it is completely impractical (and ill-advised) to force a
company to violate a national law as a condition of complying with that
national law. Every lawyer advises businesses to comply with the laws and
regulations of their field. To do otherwise is to face fines, penalties,
loss of the business, even jail for officers and directors. Legal business
strives to be law-abiding; no officer or director wants to go to jail for
her company's violations. It is the essence of an attorney's advice to
his/her clients to fully comply with the laws and operate clearly within the
clear boundaries and limits of laws and regulations, both national, by
province or state and local.
In these Reply Comments, we support and encourage ICANN to adopt policies
consistent with the initial comments submitted by the European Commission:
that the Whois Procedure be changed from requiring specific prosecutorial
action instead to allowing “demonstrating evidence of a potential conflict
widely and e.g. accepting information on the legislation imposing
requirements that the contractual requirements would breach as sufficient
evidence.” (European Commission comments)
We also agree with Blacknight:
“It's completely illogical for ICANN to require that a contracting party
already has litigation before they can use a process. We would have loved to
use a procedure or process to get exemptions, but expecting us to already be
litigating before we can do so is, for lack of a better word, nuts.”
(Blacknight comments in this proceeding).
1.1a How can the triggering event be meaningfully defined?
1.1 a Response: This is an important question. Rephrased, we might ask
together – what must a Registry or Registrar show ICANN in support of its
claim that certain provisions involving Whois data violate provisions of
national data protection and privacy laws?
NCSG respectfully submits that there are at least four “triggering
events” that ICANN should recognize:
Evidence from a national Data Protection Commissioner or his/her office (or
from a internationally recognized body of national Data Protection
Commissioners in a certain region of the world, including the Article 29
Working Party that analyzes the national data protection and privacy laws)
that ICANN's contractual obligations for Registry and/or Registrar contracts
violate the data protection laws of their country or their group of
countries;
Evidence of legal and/or jurisdictional conflict arising from analysis
performed by ICANN's legal department or by national legal experts hired by
ICANN to evaluate the Whois requirements of the ICANN contracts for
compliance and conflicts with national data protection laws and cross-border
transfer limits) (similar to the process we understand was undertaken for
the data retention issue);
Receipt of a written legal opinion from a nationally recognized law firm in
the applicable jurisdiction that states that the collection, retention
and/or transfer of certain Whois data elements as required by Registrar or
Registry Agreements is “reasonably likely to violate the applicable law”
of the Registry or Registrar (per the process allowed in RAA Data Retention
Specification); or
An official opinion of any other governmental body of competent jurisdiction
providing that compliance with the data protection requirements of the
Registry/Registrar contracts violates applicable national law (although such
pro-active opinions may not be the practice of the Data Protection
Commissioner's office).
The above list draws from the comments of the European Commission, Data
Retention Specification of the 2013 Registrar Accreditation Agreement, and
sound compliance and business practices for the ICANN General Counsel's
office.
We further agree with Blacknight that the requirements for triggering any
review and consideration by ICANN be: simple and straightforward, quick and
easy to access.
1.3 Are there any components of the triggering event/notification
portion of the RAA's Data Retention waiver process that should be considered
as optional for incorporation into a modified Whois Procedure?
1.3 Response: Absolutely, the full list in 1.1a above, together with other
constructive contributions in the Comments and Reply Comments of this
proceeding, should be strongly considered for incorporation into a modified
Whois Procedure, or simply written into the contracts of the Registries and
Registrars contractual language, or a new Annex or Specification.
We respectfully submit that the obligation of Registries and Registrars to
comply with their national laws is not a matter of multistakeholder decision
making, but a matter of law and compliance. In this case, we wholeheartedly
embrace the concept of building a process together that will allow
exceptions for data protection and privacy laws to be adopted quickly and
easily.
1.4 Should parties be permitted to invoke the Whois Procedure before
contracting with ICANN as a registrar or registry?
1.4 Response: Of course, Registries and Registrars should be allowed to
invoke the Whois Procedure, or other appropriate annexes and specifications
that may be added into Registry and Registrar contracts with ICANN. As
discussed above, the right of a legal company to enter into a legal
contracts is the most basic of expectations under law.
2.1 Are there other relevant parties who should be included in this
step?
2.1 Response: We agree with the EC that ICANN should be working as closely
with National Data Protection Authorities as they will allow. In light of
the overflow of work into these national commissions, and the availability
of national experts at law firms, ICANN should also turn to the advice of
private experts, such as well-respected law firms who specialize in national
data protection laws. The law firm's opinions on these matters would help to
guide ICANN's knowledge and evaluation of this important issue.
3.1 How is an agreement reached and published?
3.1 Response. As discussed above, compliance with national law may not be
the best matter for negotiation within a multistakeholder process. It really
should not be a chose for others to make whether you comply with your
national data protection and privacy laws. That said, the process of
refining the Consensus Procedure, and adopting new policies and procedures,
or simply putting new contract provisions, annexes or specifications into
the Registry and Registrar contracts SHOULD be subject to community
discussion, notification and review. But once the new process is adopted, we
think the new changes, variations, modifications or exceptions of Individual
Registries and Registrars need go through a public review and process. The
results, however, Should be published for Community notification and review.
We note that in conducting the discussion with the Community on the overall
or general procedure, policy or contractual changes, ICANN should be
assertive in its outreach to the Data Protection Commissioners. Individual
and through their organizations, they have offered to help ICANN evaluate
this issue numerous times. The Whois Review Team noted the inability of many
external bodies to monitor ICANN regularly, but the need for outreach to
them by ICANN staff nonetheless:
Recommendation 3: Outreach
ICANN should ensure that WHOIS policy issues are accompanied by
cross-community
outreach, including outreach to the communities outside of ICANN with a
specific
interest in the issues, and an ongoing program for consumer awareness.
This is a critical policy item for such outreach and input.
3.2 If there is an agreed outcome among the relevant parties, should the
Board be involved in this procedure?
3.2 Response: Clearly, the changing of the procedure, or the adoption of a
new policy or new contractual language for Registries and Registrars, Board
oversight and review should be involved. But once the new procedure, policy
or contractual language is in place, then subsequent individual changes,
variations, modifications or exceptions should be handled through the
process and ICANN Staff – as the Data Retention Process is handled today.
4.1 Would it be fruitful to incorporate public comment in each of the
resolution scenarios?
4.1 Response: We think this question means whether there should be public
input on each and every exception? We respectfully submit that the answer is
No. Once the new policy, procedure or contractual language is adopted, then
the process should kick in and the Registrar/Registry should be allowed to
apply for the waiver, modification or revision consistent with its data
protection and privacy laws. Of course, once the waiver or modification is
granted, the decision should be matter of public record so that other
Registries and Registrars in the jurisdiction know and so that the ICANN
Community as a whole can monitor this process' implementation and
compliance.
Step Five: Public notice
5.2 Is the exemption or modification termed to the length of the
agreement? Or is it indefinite as long as the contracted party is located in
the jurisdiction in question, or so long as the applicable law is in force.
5.2 Response: We agree with the European Commission in its response, “By
logic the exemption or modification shall be in place as long as the party
is subject to the jurisdiction in conflict with ICANN rules. If the
applicable law was to change, or the contacted party moved to a different
jurisdiction, the conditions should be reviewed to assess if the exemption
is still justified.” But provided it is the same parties, operating under
the same laws, the modification or change should continue through the
duration of the relationship between the Registry/Registrar and ICANN.
5.3 Should an exemption or modification based on the same laws and facts
then be granted to other affected contracted parties in the same
jurisdiction without invoking the Whois Procedure
5.3 Response. The European Commission in its comments wrote, and we strongly
agree: “the same exception should apply to others in the same jurisdiction
who can demonstrate that they are in the same situation.” Further,
Blacknight wrote and we support: “if ANY registrar in Germany, for
example, is granted a waiver based on German law, than ALL registrars based
in Germany should receive the same treatment.” Once a national data
protection or privacy law is interpreted as requiring and exemption or
modification, it should be available to all Registries/Registrars in that
country.
Further, we recommend that ICANN should be required to notify each gTLD
Registry and Registrar in the same jurisdiction as that of the decision so
they will have notice of the change.
We thank ICANN staff for holding this comment period.
Respectfully submitted,
NCSG
DRAFT