Fantastic work Kathy! Surely we don’t want to introduce the
‘ICANN defense’ into the international legal vernacular
(‘Sorry your honour, ICANN made me do it!’).
1. The NCSG is much more than mere organizations; we’re
also the home of individual noncommercial users within the
GNSO. Perhaps we could reflect that in the introduction, such
as:

    The Noncommercial Stakeholders Group represents
    noncommercial organizations and individual noncommercial
    users in their work in the policy and proceedings of
    ICANN and the GNSO.

2. As the third “triggering event” you have, in part,
“Receipt of a written legal opinion from a nationally
recognized law firm in the applicable jurisdiction”.
Here in the United Kingdom some of the most prominent
solicitors practicing in both the cyber and privacy realms are
solo practitioners, often practicing in combination with a
part time lecturing career. Think of, for example, Jeremy
Phillips. I’d hate to give the big law firms any advantage
over the equally qualified solicitor or barrister who does not
belong to a firm. Consider, perhaps, amending the statement as
such:

    Receipt of a written legal opinion from a nationally
    recognized law firm or qualified legal practitioner
    in the applicable jurisdiction.
-----Original Message-----
From: Kathy Kleiman
Date: Tue, 29 Jul 2014 13:44:44 -0400
Subject: Draft Comments for Whois Proceeding
To Rafik, NCSG Executive Committee and NCSG Membership,
Stephanie put out a call for comments, and not seeing any, I
drafted these. It has been dismaying ever since ICANN adopted
its Consensus Procedure
for Handling WHOIS Conflicts with Privacy law -- because it
basically requires that Registrars and Registries have to be
sued or receive an official notice of violation before they
can ask ICANN for a waiver of the Whois requirements. That
always seemed very unfair -- that you have to be exposed to
allegation of illegal activity in order to protect yourself
or your Registrants under your national data protection and
privacy laws.
In the more recent Data
Retention Specification, of the 2013 RAA, ICANN Staff and
Lawyers saw this problem and corrected it -- now Registrars
can be much more pro-active in showing ICANN that a certain
clause in their contract (e.g., extended data retention) is
a clear violation of their national law (e.g., more limited
data retention).
So to this
important comment proceeding, I drafted these comments
for us to submit. As Reply Comments (during the Reply
Period), we are asked to respond to other commenters.
That's easy as the European Commission and Registrar
Blacknight submitted useful comments.
Rafik, can we
edit, finalize and submit by the deadline on Friday?
Comments below and attached. If you have edits, in the
interest of time, kindly suggest alternate language.
Tx!!
Best,
Kathy
--------------------------------------------------------------------------------------------------------
DRAFT NCSG Response to the Questions of the
Review of the ICANN Procedure for Handling WHOIS Conflicts with
Privacy Law
https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en
Introduction
The Noncommercial Stakeholders
Group represents noncommercial organizations in their
work in the policy and proceedings of ICANN and the
GNSO. We respectfully submit as an opening premise that
every legal business has the right and obligation to
operate within the bounds and limits of its national
laws and regulations. No legal business establishes
itself to violate the law; and to do so is an invitation
to civil and criminal penalties. ICANN Registries and
Registrars are no different – they want and need to
abide by their laws.
Thus, it is timely for ICANN to
raise the questions of this proceeding,
Review of the ICANN Procedure for Handling WHOIS
Conflicts with Privacy Law (albeit at a
busy time for the Community and at the height of summer;
we expect to see more interest in this time towards the
Fall). We submit these comments in response to the
issues raised and the questions asked.
Background
The ICANN Procedure for Handling Whois Conflicts with
Privacy Law was adopted in 2006 after years of debate on
Whois issues.
This Consensus Procedure was the first step of
recognition that data protection laws and privacy law DO
apply to the personal and sensitive data being collected
by Registries and Registrars for the Whois database.
But for those of us in the
Noncommercial Users Constituency (now part of the
Noncommercial Stakeholders Group/NCSG) who helped
debate, draft and adopt this Consensus Procedure in the
mid-2000s, we were always shocked that the ICANN
Community did not do more. At the time, multiple Whois
Task Forces were at work with multiple proposals which
include important and pro-active suggestions to allow
Registrars and Registries to come into compliance with
their national data protection and privacy laws.
At the time, we never expected
this Consensus Procedure to be an end itself – but the
first step of many steps. It was an “end” for too long,
so we are glad the discussion is reopened and once again
we seek to allow Registrars and Registries to be in full
compliance with their national data protection and
privacy laws – from the moment they enter into their
contracts with ICANN.
II. Data Protection and
Privacy Laws – A Quick Overview of the Principles that
Protect the Personal and Sensitive Data of Individuals
and Organizations/Small Businesses
[Stephanie,
Tamir or Others with Expertise in Canadian and
European Data Protection Laws may choose to add
something here].
III. Questions asked of
the Community in this Proceeding
The ICANN Review Paper raised a
number of excellent questions. In keeping with the
requirements of a Reply Period, these NCSG comments will
address both our comments and those comments we
particularly support in this proceeding.
- Is it impractical for ICANN to require that a contracted
  party already has litigation or a government proceeding
  initiated against it prior to being able to invoke the
  Whois Procedure?
1.1 Response: Yes, it is
completely impractical (and ill-advised) to force a
company to violate a national law as a condition of
complying with that national law. Every lawyer advises
businesses to comply with the laws and regulations of
their field. To do otherwise is to face fines,
penalties, loss of the business, even jail for officers
and directors. Legal business strives to be law-abiding;
no officer or director wants to go to jail for her
company's violations. It is the essence of an attorney's
advice to his/her clients to fully comply with the laws
and operate clearly within the clear boundaries and
limits of laws and regulations, both national, by
province or state and local.
In these Reply Comments, we
support and encourage ICANN to adopt policies consistent
with the initial comments submitted by the European
Commission:
We also agree with Blacknight:
- “It's completely illogical for ICANN to require that a
  contracting party already has litigation before they can
  use a process. We would have loved to use a procedure or
  process to get exemptions, but expecting us to already be
  litigating before we can do so is, for lack of a better
  word, nuts.” (Blacknight comments in this proceeding).
1.1a How can the triggering
event be meaningfully defined?
1.1a Response: This is an
important question. Rephrased, we might ask together –
what must a Registry or Registrar show ICANN in support
of its claim that certain provisions involving Whois
data violate provisions of national data protection and
privacy laws?
NCSG respectfully submits that
there are at least four “triggering events” that ICANN
should recognize:
- Evidence from a national Data Protection Commissioner or
  his/her office (or from an internationally recognized
  body of national Data Protection Commissioners in a
  certain region of the world, including the Article 29
  Working Party that analyzes the national data protection
  and privacy laws) that ICANN's contractual obligations
  for Registry and/or Registrar contracts violate the data
  protection laws of their country or their group of
  countries;
- Evidence of legal and/or jurisdictional conflict arising
  from analysis performed by ICANN's legal department or by
  national legal experts hired by ICANN to evaluate the
  Whois requirements of the ICANN contracts for compliance
  and conflicts with national data protection laws and
  cross-border transfer limits (similar to the process we
  understand was undertaken for the data retention issue);
- Receipt of a written legal opinion from a nationally
  recognized law firm in the applicable jurisdiction that
  states that the collection, retention and/or transfer of
  certain Whois data elements as required by Registrar or
  Registry Agreements is “reasonably likely to violate the
  applicable law” of the Registry or Registrar (per the
  process allowed in RAA Data Retention Specification); or
The above list draws from the
comments of the European Commission, Data Retention
Specification of the 2013 Registrar Accreditation
Agreement, and sound compliance and business practices
for the ICANN General Counsel's office.
We further agree with
Blacknight that the requirements for triggering any
review and consideration by ICANN be: simple and
straightforward, quick and easy to access.
1.3 Are
there any components of the triggering event/notification
portion of the RAA's Data Retention waiver process that
should be considered as optional for incorporation into a
modified Whois Procedure?
1.3 Response: Absolutely, the
full list in 1.1a above, together with other
constructive contributions in the Comments and Reply
Comments of this proceeding, should be strongly
considered for incorporation into a modified Whois
Procedure, or simply written into the contracts of the
Registries and Registrars contractual language, or a new
Annex or Specification.
We respectfully submit that the
obligation of Registries and Registrars to comply with
their national laws is not a matter of multistakeholder
decision making, but a matter of law and compliance. In
this case, we wholeheartedly embrace the concept of
building a process together that will allow exceptions
for data protection and privacy laws to be adopted
quickly and easily.
1.4 Should
parties be permitted to invoke the Whois Procedure before
contracting with ICANN as a registrar or registry?
1.4 Response: Of course,
Registries and Registrars should be allowed to invoke
the Whois Procedure, or other appropriate annexes and
specifications that may be added into Registry and
Registrar contracts with ICANN. As discussed above, the
right of a legal company to enter into a legal contract
is the most basic of expectations under law.
2.1 Are
there other relevant parties who should be included in
this step?
2.1 Response: We agree with the
EC that ICANN should be working as closely with National
Data Protection Authorities as they will allow. In light
of the overflow of work into these national commissions,
and the availability of national experts at law firms,
ICANN should also turn to the advice of private experts,
such as well-respected law firms who specialize in
national data protection laws. The law firm's opinions
on these matters would help to guide ICANN's knowledge
and evaluation of this important issue.
3.1 How is
an agreement reached and published?
3.1 Response. As discussed
above, compliance with national law may not be the best
matter for negotiation within a multistakeholder
process. It really should not be a choice for others to
make whether you comply with your national data
protection and privacy laws. That said, the process of
refining the Consensus Procedure, and adopting new
policies and procedures, or simply putting new contract
provisions, annexes or specifications into the Registry
and Registrar contracts SHOULD be subject to community
discussion, notification and review. But once the new
process is adopted, we think the new changes,
variations, modifications or exceptions of Individual
Registries and Registrars need go through a public
review and process. The results, however, should be
published for Community notification and review.
We note that in conducting the
discussion with the Community on the overall or general
procedure, policy or contractual changes, ICANN should
be assertive in its outreach to the Data Protection
Commissioners. Individually and through their
organizations, they have offered to help ICANN evaluate
this issue numerous times. The Whois Review Team noted
the inability of many external bodies to monitor ICANN
regularly, but the need for outreach to them by ICANN
staff nonetheless:
Recommendation 3: Outreach
ICANN should ensure that WHOIS policy issues are accompanied
by cross-community outreach, including outreach to the
communities outside of ICANN with a specific interest in the
issues, and an ongoing program for consumer awareness.
This is a critical policy item for such outreach and input.
3.2 If
there is an agreed outcome among the relevant parties,
should the Board be involved in this procedure?
3.2 Response: Clearly, the
changing of the procedure, or the adoption of a new
policy or new contractual language for Registries and
Registrars, Board oversight and review should be
involved. But once the new procedure, policy or
contractual language is in place, then subsequent
individual changes, variations, modifications or
exceptions should be handled through the process and
ICANN Staff – as the Data Retention Process is handled
today.
4.1 Would
it be fruitful to incorporate public comment in each of
the resolution scenarios?
4.1 Response: We think this
question means whether there should be public input on
each and every exception? We respectfully submit that
the answer is No. Once the new policy, procedure or
contractual language is adopted, then the process should
kick in and the Registrar/Registry should be allowed to
apply for the waiver, modification or revision
consistent with its data protection and privacy laws. Of
course, once the waiver or modification is granted, the
decision should be a matter of public record so that other
Registries and Registrars in the jurisdiction know and
so that the ICANN Community as a whole can monitor this
process' implementation and compliance.
Step Five: Public notice
5.2 Is
the exemption or modification termed to the length of the
agreement? Or is it indefinite as long as the contracted
party is located in the jurisdiction in question, or so
long as the applicable law is in force.
5.2 Response: We agree with the
European Commission in its response, “By logic the
exemption or modification shall be in place as long as
the party is subject to the jurisdiction in conflict
with ICANN rules. If the applicable law was to change,
or the contacted party moved to a different
jurisdiction, the conditions should be reviewed to
assess if the exemption is still justified.” But
provided it is the same parties, operating under the
same laws, the modification or change should continue
through the duration of the relationship between the
Registry/Registrar and ICANN.
5.3 Should
an exemption or modification based on the same laws and
facts then be granted to other affected contracted parties
in the same jurisdiction without invoking the
Whois Procedure
5.3 Response. The European
Commission in its comments wrote, and we strongly agree:
“the same exception should apply to others in the
same jurisdiction who can demonstrate that they are in
the same situation.” Further, Blacknight wrote
and we support: “if ANY registrar in Germany, for
example, is granted a waiver based on German law, than
ALL registrars based in Germany should receive the
same treatment.”
Once a national data protection or privacy law is
interpreted as requiring an exemption or
modification, it should be available to all
Registries/Registrars in that country.
Further, we recommend that
ICANN should be required to notify each gTLD Registry
and Registrar in the same jurisdiction as that of the
decision so they will have notice of the change.
We thank ICANN staff for
holding this comment period.
Respectfully submitted,
NCSG
DRAFT