Great suggestions, Ed, thank you! And thanks so much for your close review!
Kathy

> Fantastic work Kathy! Surely we don’t want to introduce the ‘ICANN
> defense’ into the international legal vernacular (‘Sorry your honour,
> ICANN made me do it!’).
>
> Two minor suggestions:
>
> 1. The NCSG is much more than mere organizations; we’re also the home
> of individual noncommercial users within the GNSO. Perhaps we could
> reflect that in the introduction, such as:
>
> The Noncommercial Stakeholders Group represents noncommercial
> organizations /and individual noncommercial users/ in their work in
> the policy and proceedings of ICANN and the GNSO.
>
> 2. As the third “triggering event” you have, in part, “Receipt of a
> written legal opinion from a nationally recognized law firm in the
> applicable jurisdiction”.
>
> Here in the United Kingdom some of the most prominent solicitors
> practicing in both the cyber and privacy realms are solo
> practitioners, often practicing in combination with a part time
> lecturing career. Think of, for example, Jeremy Phillips. I’d hate to
> give the big law firms any advantage over the equally qualified
> solicitor or barrister who does not belong to a firm. Consider,
> perhaps amending the statement, as such:
>
> Receipt of a written legal opinion from a nationally recognized law
> firm /or qualified legal practitioner/ in the applicable jurisdiction.
>
> Thanks for considering and thanks again, Kathy, for all of this. It’s
> really great work!
>
> -----Original Message-----
> From: Kathy Kleiman <[log in to unmask]>
> To: [log in to unmask]
> Date: Tue, 29 Jul 2014 13:44:44 -0400
> Subject: Draft Comments for Whois Proceeding
>
> To Rafik, NCSG Executive Committee and NCSG Membership,
>
> There is an important, but very quiet comment proceeding that has
> been taking place this summer.
> It is the /Review of the ICANN Procedure for Handling WHOIS Conflicts
> with Privacy Law/ at
> https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en
>
> Stephanie put out a call for comments, and not seeing any, I
> drafted these. It has been dismaying ever since ICANN adopted
> its Consensus Procedure for Handling WHOIS Conflicts with Privacy
> law -- because it basically requires that Registrars and
> Registries have to be sued or receive an official notice of
> violation before they can ask ICANN for a waiver of the Whois
> requirements. That always seemed very unfair - that you have to be
> exposed to allegation of illegal activity in order to protect
> yourself or your Registrants under your national data protection
> and privacy laws.
>
> In the more recent Data Retention Specification, of the 2013 RAA,
> ICANN Staff and Lawyers saw this problem and corrected it -- now
> Registrars can be much more pro-active in showing ICANN that a
> certain clause in their contract (e.g., extended data retention)
> is a clear violation of their national law (e.g., more limited
> data retention).
>
> So to this important comment proceeding, I drafted these comments
> for us to submit. As Reply Comments (during the Reply Period), we
> are asked to respond to other commenters. That's easy as the
> European Commission and Registrar Blacknight submitted useful
> comments.
>
> Rafik, can we edit, finalize and submit by the deadline on Friday?
> Comments below and attached. If you have edits, in the interest of
> time, kindly suggest alternate language. Tx!!
>
> Best,
> Kathy
>
> ------------------------------------------------------------------------
>
> DRAFT NCSG Response to the Questions of the
> /Review of the ICANN Procedure for Handling WHOIS Conflicts with
> Privacy Law/
> https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en
>
> *Introduction*
>
> The Noncommercial Stakeholders Group represents noncommercial
> organizations in their work in the policy and proceedings of ICANN
> and the GNSO. We respectfully submit as an opening premise that
> every legal business has the right and obligation to operate
> within the bounds and limits of its national laws and regulations.
> No legal business establishes itself to violate the law; and to do
> so is an invitation to civil and criminal penalties. ICANN
> Registries and Registrars are no different – they want and need to
> abide by their laws.
>
> Thus, it is timely for ICANN to raise the questions of this
> proceeding, /Review of the ICANN Procedure for Handling WHOIS
> Conflicts with Privacy Law/ (albeit at a busy time for the
> Community and at the height of summer; we expect to see more
> interest in this time towards the Fall). We submit these comments
> in response to the issues raised and the questions asked.
>
> *Background*
>
> The /ICANN Procedure for Handling Whois Conflicts with Privacy Law/
> was adopted in 2006 after years of debate on Whois issues. This
> Consensus Procedure was the first step of recognition that data
> protection laws and privacy law DO apply to the personal and
> sensitive data being collected by Registries and Registrars for
> the Whois database.
>
> But for those of us in the Noncommercial Users Constituency (now
> part of the Noncommercial Stakeholders Group/NCSG) who helped
> debate, draft and adopt this Consensus Procedure in the mid-2000s,
> we were always shocked that the ICANN Community did not do more.
> At the time, multiple Whois Task Forces were at work with multiple
> proposals which include important and pro-active suggestions to
> allow Registrars and Registries to come into compliance with their
> national data protection and privacy laws.
>
> At the time, we never expected this Consensus Procedure to be an
> end itself – but the first step of many steps. It was an “end” for
> too long, so we are glad the discussion is reopened and once again
> we seek to allow Registrars and Registries to be in full
> compliance with their national data protection and privacy laws –
> from the moment they enter into their contracts with ICANN.
>
> *II. Data Protection and Privacy Laws – A Quick Overview of the
> Principles that Protect the Personal and Sensitive Data of
> Individuals and Organizations/Small Businesses*
>
> /*[Stephanie, Tamir or Others with Expertise in Canadian and
> European Data Protection Laws may choose to add something here].*/
>
> III. Questions asked of the Community in this Proceeding
>
> The ICANN Review Paper raised a number of excellent questions. In
> keeping with the requirements of a Reply Period, these NCSG
> comments will address both our comments and those comments we
> particularly support in this proceeding.
>
> 1.1 Is it impractical for ICANN to require that a contracted
> party already has litigation or a government proceeding
> initiated against it prior to being able to invoke the
> Whois Procedure?
>
> 1.1 Response: Yes, it is completely impractical (and ill-advised)
> to force a company to violate a national law as a condition of
> complying with that national law. Every lawyer advises businesses
> to comply with the laws and regulations of their field. To do
> otherwise is to face fines, penalties, loss of the business, even
> jail for officers and directors. Legal business strives to be
> law-abiding; no officer or director wants to go to jail for her
> company's violations.
> It is the essence of an attorney's advice to
> his/her clients to fully comply with the laws and operate clearly
> within the clear boundaries and limits of laws and regulations,
> both national, by province or state and local.
>
> In these Reply Comments, we support and encourage ICANN to adopt
> policies consistent with the initial comments submitted by the
> European Commission:
>
>     o that the Whois Procedure be changed from requiring
>       specific prosecutorial action instead to allowing
>       “demonstrating evidence of a potential conflict widely and
>       e.g. accepting information on the legislation imposing
>       requirements that the contractual requirements would
>       breach as sufficient evidence.” (European Commission comments)
>
> We also agree with Blacknight:
>
>     o “It's completely illogical for ICANN to require that a
>       contracting party already has litigation before they can
>       use a process. We would have loved to use a procedure or
>       process to get exemptions, but expecting us to already be
>       litigating before we can do so is, for lack of a better
>       word, nuts.” (Blacknight comments in this proceeding).
>
> 1.1a How can the triggering event be meaningfully defined?
>
> 1.1a Response: This is an important question. Rephrased, we might
> ask together – what must a Registry or Registrar show ICANN in
> support of its claim that certain provisions involving Whois data
> violate provisions of national data protection and privacy laws?
> NCSG respectfully submits that there are at least four “triggering
> events” that ICANN should recognize:
>
>     o Evidence from a national Data Protection Commissioner or
>       his/her office (or from an internationally recognized body
>       of national Data Protection Commissioners in a certain
>       region of the world, including the Article 29 Working
>       Party that analyzes the national data protection and
>       privacy laws) that ICANN's contractual obligations for
>       Registry and/or Registrar contracts violate the data
>       protection laws of their country or their group of countries;
>
>     o Evidence of legal and/or jurisdictional conflict arising
>       from analysis performed by ICANN's legal department or by
>       national legal experts hired by ICANN to evaluate the
>       Whois requirements of the ICANN contracts for compliance
>       and conflicts with national data protection laws and
>       cross-border transfer limits (similar to the process we
>       understand was undertaken for the data retention issue);
>
>     o Receipt of a written legal opinion from a nationally
>       recognized law firm in the applicable jurisdiction that
>       states that the collection, retention and/or transfer of
>       certain Whois data elements as required by Registrar or
>       Registry Agreements is “reasonably likely to violate the
>       applicable law” of the Registry or Registrar (per the
>       process allowed in RAA Data Retention Specification); or
>
>     o An official opinion of any other governmental body of
>       competent jurisdiction providing that compliance with the
>       data protection requirements of the Registry/Registrar
>       contracts violates applicable national law (although such
>       pro-active opinions may not be the practice of the Data
>       Protection Commissioner's office).
>
> The above list draws from the comments of the European Commission,
> Data Retention Specification of the 2013 Registrar Accreditation
> Agreement, and sound compliance and business practices for the
> ICANN General Counsel's office.
>
> We further agree with Blacknight that the requirements for
> triggering any review and consideration by ICANN be: simple and
> straightforward, quick and easy to access.
>
> 1.3 Are there any components of the triggering event/notification
> portion of the RAA's Data Retention waiver process that should be
> considered as optional for incorporation into a modified Whois
> Procedure?
>
> 1.3 Response: Absolutely, the full list in 1.1a above, together
> with other constructive contributions in the Comments and Reply
> Comments of this proceeding, should be strongly considered for
> incorporation into a modified Whois Procedure, or simply written
> into the contracts of the Registries and Registrars contractual
> language, or a new Annex or Specification.
>
> We respectfully submit that the obligation of Registries and
> Registrars to comply with their national laws is not a matter of
> multistakeholder decision making, but a matter of law and
> compliance. In this case, we wholeheartedly embrace the concept of
> building a process together that will allow exceptions for data
> protection and privacy laws to be adopted quickly and easily.
>
> 1.4 Should parties be permitted to invoke the Whois Procedure
> before contracting with ICANN as a registrar or registry?
>
> 1.4 Response: Of course, Registries and Registrars should be
> allowed to invoke the Whois Procedure, or other appropriate
> annexes and specifications that may be added into Registry and
> Registrar contracts with ICANN. As discussed above, the right of a
> legal company to enter into legal contracts is the most basic of
> expectations under law.
>
> 2.1 Are there other relevant parties who should be included in
> this step?
>
> 2.1 Response: We agree with the EC that ICANN should be working as
> closely with National Data Protection Authorities as they will
> allow.
> In light of the overflow of work into these national
> commissions, and the availability of national experts at law
> firms, ICANN should also turn to the advice of private experts,
> such as well-respected law firms who specialize in national data
> protection laws. The law firm's opinions on these matters would
> help to guide ICANN's knowledge and evaluation of this important
> issue.
>
> 3.1 How is an agreement reached and published?
>
> 3.1 Response. As discussed above, compliance with national law may
> not be the best matter for negotiation within a multistakeholder
> process. It really should not be a choice for others to make
> whether you comply with your national data protection and privacy
> laws. That said, the process of refining the Consensus Procedure,
> and adopting new policies and procedures, or simply putting new
> contract provisions, annexes or specifications into the Registry
> and Registrar contracts SHOULD be subject to community discussion,
> notification and review. But once the new process is adopted, we
> think the new changes, variations, modifications or exceptions of
> Individual Registries and Registrars need go through a public
> review and process. The results, however, should be published for
> Community notification and review.
>
> We note that in conducting the discussion with the Community on
> the overall or general procedure, policy or contractual changes,
> ICANN should be assertive in its outreach to the Data Protection
> Commissioners. Individually and through their organizations, they
> have offered to help ICANN evaluate this issue numerous times.
> The Whois Review Team noted the inability of many external bodies to
> monitor ICANN regularly, but the need for outreach to them by
> ICANN staff nonetheless:
>
> *Recommendation 3: Outreach*
> *ICANN should ensure that WHOIS policy issues are accompanied by
> cross-community outreach, including outreach to the communities
> outside of ICANN with a specific interest in the issues, and an
> ongoing program for consumer awareness.*
>
> This is a critical policy item for such outreach and input.
>
> 3.2 If there is an agreed outcome among the relevant parties,
> should the Board be involved in this procedure?
>
> 3.2 Response: Clearly, the changing of the procedure, or the
> adoption of a new policy or new contractual language for
> Registries and Registrars, Board oversight and review should be
> involved. But once the new procedure, policy or contractual
> language is in place, then subsequent individual changes,
> variations, modifications or exceptions should be handled through
> the process and ICANN Staff – as the Data Retention Process is
> handled today.
>
> 4.1 Would it be fruitful to incorporate public comment in each of
> the resolution scenarios?
>
> 4.1 Response: We think this question means whether there should be
> public input on each and every exception? We respectfully submit
> that the answer is No. Once the new policy, procedure or
> contractual language is adopted, then the process should kick in
> and the Registrar/Registry should be allowed to apply for the
> waiver, modification or revision consistent with its data
> protection and privacy laws. Of course, once the waiver or
> modification is granted, the decision should be a matter of public
> record so that other Registries and Registrars in the jurisdiction
> know and so that the ICANN Community as a whole can monitor this
> process' implementation and compliance.
>
> Step Five: Public notice
>
> 5.2 Is the exemption or modification termed to the length of the
> agreement?
> Or is it indefinite as long as the contracted party is
> located in the jurisdiction in question, or so long as the
> applicable law is in force?
>
> 5.2 Response: We agree with the European Commission in its
> response, /“By logic the exemption or modification shall be in
> place as long as the party is subject to the jurisdiction in
> conflict with ICANN rules. If the applicable law was to change, or
> the contacted party moved to a different jurisdiction, the
> conditions should be reviewed to assess if the exemption is still
> justified.”/ But provided it is the same parties, operating under
> the same laws, the modification or change should continue through
> the duration of the relationship between the Registry/Registrar
> and ICANN.
>
> 5.3 Should an exemption or modification based on the same laws
> and facts then be granted to other affected contracted parties in
> the same jurisdiction without invoking the Whois Procedure?
>
> 5.3 Response. The European Commission in its comments wrote, and
> we strongly agree: /“the same exception should apply to others in
> the same jurisdiction who can demonstrate that they are in the
> same situation.”/ Further, Blacknight wrote and we support: /“if
> ANY registrar in Germany, for example, is granted a waiver based
> on German law, than ALL registrars based in Germany should receive
> the same treatment.”/ Once a national data protection or privacy
> law is interpreted as requiring an exemption or modification, it
> should be available to all Registries/Registrars in that country.
> Further, we recommend that ICANN should be required to notify each
> gTLD Registry and Registrar in the same jurisdiction as that of
> the decision so they will have notice of the change.
>
> We thank ICANN staff for holding this comment period.
>
> Respectfully submitted,
> NCSG
> DRAFT