Hi Stephanie,

Tx for adding Avri's comments. I've reviewed all of the changes, and also added one more to this most recent version. _Newest version (NCSGEdits3) attached._ **Due tomorrow**

Best,
Kathy

> I also agreed with Avri and inserted a few of her changes, Kathy did not get those edits... we need to make sure we have a final copy that Rafik can sign, which reflects all the agreed changes. Do you want me to have another edit one last time, to make sure that Joy's comments (which were on an earlier draft) and Avri's are all in there?
> cheers stephanie
> On 2014-07-31, 9:22, Amr Elsadr wrote:
>> Hi all,
>>
>> On Jul 30, 2014, at 2:57 PM, Avri Doria <[log in to unmask]> wrote:
>>
>>> hi,
>>>
>>> Reviewed the document.
>>>
>>> Made a change so it could be an NCSG document.
>> Thanks.
>>
>>> There are parts I am uncomfortable with, some of which I deleted and some of which I left and still am uncomfortable with.
>>>
>>> I do not think we should ever dismiss the Multistakeholder model. I do not wish to find ourselves in the situation of being quoted for having suggested that there are times when the model should be superseded. That would be a gold mine for some. I deleted those references.
>> Fully agree. Although I don’t feel that was the intent, it could certainly be perceived that way. No need to bring it up.
>>
>>> I am also uncomfortable with saying there are things that don't need public comment on. To just have to take the legal staff view on things is dangerous. What if they say the law does not require something when someone knows better. Better to have a null review. I have not, however, removed these as they were an entire section. I would like to see that section reworded or removed before approving the documents.
>> IMHO, I don’t see the need for a public comment period on every time this policy might be used.
>> If a new set of policies and processes are adopted for handling WHOIS conflicts with privacy laws, then they should be clear enough during implementation to not require public comment, right? Isn’t this the case with all policies? For instance, is there a public comment period every time a new registrar signs a contract with ICANN? Or will there be a public comment period when implementation of the “thick” WHOIS policy kicks in?
>>
>> Another thought is that a public comment period will also lengthen the period during which a registrar will potentially be at risk for non-compliance with local laws. Unless there is an important reason why there should be a public comment for each of the resolution scenarios, then I suggest we support Kathy’s recommendation to not have any.
>>
>> Thanks.
>>
>> Amr
>>
>>> I also removed a bunch of weasel words like 'respectfully'
>>>
>>> avri
>>>
>>> On 30-Jul-14 14:28, Avri Doria wrote:
>>>> Hi,
>>>>
>>>> Started reviewing them, actually Stephanie's comments. They are written from an NCUC perspective and need to be approved by them, not us.
>>>>
>>>> avri
>>>>
>>>> On 30-Jul-14 11:36, Rafik Dammak wrote:
>>>>> Hi everyone,
>>>>>
>>>>> Kathy sent a draft comment to the whois conflict with local laws. We have a tight schedule and we should act quickly. We are responding during the reply period which means the last chance for us to do so.
>>>>> @Maria can you please follow-up with this request?
>>>>>
>>>>> Best,
>>>>>
>>>>> Rafik
>>>>>
>>>>> ---------- Forwarded message ----------
>>>>> From: *Kathy Kleiman* <[log in to unmask]>
>>>>> Date: 2014-07-30 2:44 GMT+09:00
>>>>> Subject: Draft Comments for Whois Proceeding
>>>>> To: Rafik Dammak <[log in to unmask]>, [log in to unmask]
>>>>>
>>>>> To Rafik, NCSG Executive Committee and NCSG Membership,
>>>>>
>>>>> There is an important, but very quiet comment proceeding that has been taking place this summer. It is the /Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy Law/ at https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en/
>>>>>
>>>>> Stephanie put out a call for comments, and not seeing any, I drafted these. It has been dismaying ever since ICANN adopted its Consensus Procedure for Handling WHOIS Conflicts with Privacy law -- because it basically requires that Registrars and Registries have to be sued or receive an official notice of violation before they can ask ICANN for a waiver of the Whois requirements. That always seemed very unfair - that you have to be exposed to allegation of illegal activity in order to protect yourself or your Registrants under your national data protection and privacy laws.
>>>>>
>>>>> In the more recent Data Retention Specification, of the 2013 RAA, ICANN Staff and Lawyers saw this problem and corrected it -- now Registrars can be much more pro-active in showing ICANN that a certain clause in their contract (e.g., extended data retention) is a clear violation of their national law (e.g., more limited data retention).
>>>>>
>>>>> So to this important comment proceeding, I drafted these comments for us to submit.
>>>>> As Reply Comments (during the Reply Period), we are asked to respond to other commenters. That's easy as the European Commission and Registrar Blacknight submitted useful comments.
>>>>>
>>>>> Rafik, can we edit, finalize and submit by the deadline on Friday? Comments below and attached. If you have edits, in the interest of time, kindly suggest alternate language. Tx!!
>>>>>
>>>>> Best,
>>>>> Kathy
>>>>> --------------------------------------------------------------------------------------------------------
>>>>>
>>>>> DRAFT NCSG Response to the Questions of the
>>>>> /Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy Law/
>>>>> https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en/
>>>>>
>>>>> *Introduction*
>>>>>
>>>>> The Noncommercial Stakeholders Group represents noncommercial organizations in their work in the policy and proceedings of ICANN and the GNSO. We respectfully submit as an opening premise that every legal business has the right and obligation to operate within the bounds and limits of its national laws and regulations. No legal business establishes itself to violate the law; and to do so is an invitation to civil and criminal penalties. ICANN Registries and Registrars are no different – they want and need to abide by their laws.
>>>>>
>>>>> Thus, it is timely for ICANN to raise the questions of this proceeding, /Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy Law/ (albeit at a busy time for the Community and at the height of summer; we expect to see more interest in this time towards the Fall). We submit these comments in response to the issues raised and the questions asked.
>>>>>
>>>>> *Background*
>>>>>
>>>>> The /ICANN Procedure for Handling Whois Conflicts with Privacy Law/ was adopted in 2006 after years of debate on Whois issues. This Consensus Procedure was the first step of recognition that data protection laws and privacy law DO apply to the personal and sensitive data being collected by Registries and Registrars for the Whois database.
>>>>>
>>>>> But for those of us in the Noncommercial Users Constituency (now part of the Noncommercial Stakeholders Group/NCSG) who helped debate, draft and adopt this Consensus Procedure in the mid-2000s, we were always shocked that the ICANN Community did not do more. At the time, multiple Whois Task Forces were at work with multiple proposals which include important and pro-active suggestions to allow Registrars and Registries to come into compliance with their national data protection and privacy laws.
>>>>>
>>>>> At the time, we never expected this Consensus Procedure to be an end in itself – but the first step of many steps. It was an “end” for too long, so we are glad the discussion is reopened and once again we seek to allow Registrars and Registries to be in full compliance with their national data protection and privacy laws – from the moment they enter into their contracts with ICANN.
>>>>>
>>>>> *II. Data Protection and Privacy Laws – A Quick Overview of the Principles that Protect the Personal and Sensitive Data of Individuals and Organizations/Small Businesses*
>>>>>
>>>>> /*[Stephanie, Tamir or Others with Expertise in Canadian and European Data Protection Laws may choose to add something here].*/
>>>>>
>>>>> *III. Questions asked of the Community in this Proceeding*
>>>>>
>>>>> The ICANN Review Paper raised a number of excellent questions.
>>>>> In keeping with the requirements of a Reply Period, these NCSG comments will address both our comments and those comments we particularly support in this proceeding.
>>>>>
>>>>> 1. Is it impractical for ICANN to require that a contracted party already has litigation or a government proceeding initiated against it prior to being able to invoke the Whois Procedure?
>>>>>
>>>>> 1.1 Response: Yes, it is completely impractical (and ill-advised) to force a company to violate a national law as a condition of complying with that national law. Every lawyer advises businesses to comply with the laws and regulations of their field. To do otherwise is to face fines, penalties, loss of the business, even jail for officers and directors. Legal business strives to be law-abiding; no officer or director wants to go to jail for her company's violations. It is the essence of an attorney's advice to his/her clients to fully comply with the laws and operate clearly within the clear boundaries and limits of laws and regulations, both national, by province or state and local.
>>>>>
>>>>> In these Reply Comments, we support and encourage ICANN to adopt policies consistent with the initial comments submitted by the European Commission:
>>>>>
>>>>>   o that the Whois Procedure be changed from requiring specific prosecutorial action instead to allowing “demonstrating evidence of a potential conflict widely and e.g. accepting information on the legislation imposing requirements that the contractual requirements would breach as sufficient evidence.” (European Commission comments)
>>>>>
>>>>> We also agree with Blacknight:
>>>>>
>>>>>   o “It's completely illogical for ICANN to require that a contracting party already has litigation before they can use a process.
>>>>>     We would have loved to use a procedure or process to get exemptions, but expecting us to already be litigating before we can do so is, for lack of a better word, nuts.” (Blacknight comments in this proceeding).
>>>>>
>>>>> 1.1a How can the triggering event be meaningfully defined?
>>>>>
>>>>> 1.1a Response: This is an important question. Rephrased, we might ask together – what must a Registry or Registrar show ICANN in support of its claim that certain provisions involving Whois data violate provisions of national data protection and privacy laws?
>>>>>
>>>>> NCSG respectfully submits that there are at least four “triggering events” that ICANN should recognize:
>>>>>
>>>>>   o Evidence from a national Data Protection Commissioner or his/her office (or from an internationally recognized body of national Data Protection Commissioners in a certain region of the world, including the Article 29 Working Party that analyzes the national data protection and privacy laws) that ICANN's contractual obligations for Registry and/or Registrar contracts violate the data protection laws of their country or their group of countries;
>>>>>
>>>>>   o Evidence of legal and/or jurisdictional conflict arising from analysis performed by ICANN's legal department or by national legal experts hired by ICANN to evaluate the Whois requirements of the ICANN contracts for compliance and conflicts with national data protection laws and cross-border transfer limits (similar to the process we understand was undertaken for the data retention issue);
>>>>>
>>>>>   o Receipt of a written legal opinion from a nationally recognized law firm in the applicable jurisdiction that states that the collection, retention and/or transfer of certain Whois data elements as required
>>>>>     by Registrar or Registry Agreements is “reasonably likely to violate the applicable law” of the Registry or Registrar (per the process allowed in RAA Data Retention Specification); or
>>>>>
>>>>>   o An official opinion of any other governmental body of competent jurisdiction providing that compliance with the data protection requirements of the Registry/Registrar contracts violates applicable national law (although such pro-active opinions may not be the practice of the Data Protection Commissioner's office).
>>>>>
>>>>> The above list draws from the comments of the European Commission, Data Retention Specification of the 2013 Registrar Accreditation Agreement, and sound compliance and business practices for the ICANN General Counsel's office.
>>>>>
>>>>> We further agree with Blacknight that the requirements for triggering any review and consideration by ICANN be: simple and straightforward, quick and easy to access.
>>>>>
>>>>> 1.3 Are there any components of the triggering event/notification portion of the RAA's Data Retention waiver process that should be considered as optional for incorporation into a modified Whois Procedure?
>>>>>
>>>>> 1.3 Response: Absolutely, the full list in 1.1a above, together with other constructive contributions in the Comments and Reply Comments of this proceeding, should be strongly considered for incorporation into a modified Whois Procedure, or simply written into the contracts of the Registries and Registrars contractual language, or a new Annex or Specification.
>>>>>
>>>>> We respectfully submit that the obligation of Registries and Registrars to comply with their national laws is not a matter of multistakeholder decision making, but a matter of law and compliance.
>>>>> In this case, we wholeheartedly embrace the concept of building a process together that will allow exceptions for data protection and privacy laws to be adopted quickly and easily.
>>>>>
>>>>> 1.4 Should parties be permitted to invoke the Whois Procedure before contracting with ICANN as a registrar or registry?
>>>>>
>>>>> 1.4 Response: Of course, Registries and Registrars should be allowed to invoke the Whois Procedure, or other appropriate annexes and specifications that may be added into Registry and Registrar contracts with ICANN. As discussed above, the right of a legal company to enter into a legal contract is the most basic of expectations under law.
>>>>>
>>>>> 2.1 Are there other relevant parties who should be included in this step?
>>>>>
>>>>> 2.1 Response: We agree with the EC that ICANN should be working as closely with National Data Protection Authorities as they will allow. In light of the overflow of work into these national commissions, and the availability of national experts at law firms, ICANN should also turn to the advice of private experts, such as well-respected law firms who specialize in national data protection laws. The law firm's opinions on these matters would help to guide ICANN's knowledge and evaluation of this important issue.
>>>>>
>>>>> 3.1 How is an agreement reached and published?
>>>>>
>>>>> 3.1 Response. As discussed above, compliance with national law may not be the best matter for negotiation within a multistakeholder process. It really should not be a choice for others to make whether you comply with your national data protection and privacy laws.
>>>>> That said, the process of refining the Consensus Procedure, and adopting new policies and procedures, or simply putting new contract provisions, annexes or specifications into the Registry and Registrar contracts SHOULD be subject to community discussion, notification and review. But once the new process is adopted, we think the new changes, variations, modifications or exceptions of Individual Registries and Registrars need go through a public review and process. The results, however, should be published for Community notification and review.
>>>>>
>>>>> We note that in conducting the discussion with the Community on the overall or general procedure, policy or contractual changes, ICANN should be assertive in its outreach to the Data Protection Commissioners. Individually and through their organizations, they have offered to help ICANN evaluate this issue numerous times. The Whois Review Team noted the inability of many external bodies to monitor ICANN regularly, but the need for outreach to them by ICANN staff nonetheless:
>>>>>
>>>>> *Recommendation 3: Outreach*
>>>>>
>>>>> *ICANN should ensure that WHOIS policy issues are accompanied by cross-community outreach, including outreach to the communities outside of ICANN with a specific interest in the issues, and an ongoing program for consumer awareness.*
>>>>>
>>>>> This is a critical policy item for such outreach and input.
>>>>>
>>>>> 3.2 If there is an agreed outcome among the relevant parties, should the Board be involved in this procedure?
>>>>>
>>>>> 3.2 Response: Clearly, the changing of the procedure, or the adoption of a new policy or new contractual language for Registries and Registrars, Board oversight and review should be involved.
>>>>> But once the new procedure, policy or contractual language is in place, then subsequent individual changes, variations, modifications or exceptions should be handled through the process and ICANN Staff – as the Data Retention Process is handled today.
>>>>>
>>>>> 4.1 Would it be fruitful to incorporate public comment in each of the resolution scenarios?
>>>>>
>>>>> 4.1 Response: We think this question means whether there should be public input on each and every exception? We respectfully submit that the answer is No. Once the new policy, procedure or contractual language is adopted, then the process should kick in and the Registrar/Registry should be allowed to apply for the waiver, modification or revision consistent with its data protection and privacy laws. Of course, once the waiver or modification is granted, the decision should be a matter of public record so that other Registries and Registrars in the jurisdiction know and so that the ICANN Community as a whole can monitor this process' implementation and compliance.
>>>>>
>>>>> Step Five: Public notice
>>>>>
>>>>> 5.2 Is the exemption or modification termed to the length of the agreement? Or is it indefinite as long as the contracted party is located in the jurisdiction in question, or so long as the applicable law is in force.
>>>>>
>>>>> 5.2 Response: We agree with the European Commission in its response, “/By logic the exemption or modification shall be in place as long as the party is subject to the jurisdiction in conflict with ICANN rules.
>>>>> If the applicable law was to change, or the contracted party moved to a different jurisdiction, the conditions should be reviewed to assess if the exemption is still justified.” But provided it is the same parties, operating under the same laws, the modification or change should continue through the duration of the relationship between the Registry/Registrar and ICANN./
>>>>>
>>>>> 5.3 Should an exemption or modification based on the same laws and facts then be granted to other affected contracted parties in the same jurisdiction without invoking the Whois Procedure?
>>>>>
>>>>> 5.3 Response. The European Commission in its comments wrote, and we strongly agree: /“the same exception should apply to others in the same jurisdiction who can demonstrate that they are in the same situation.”/ Further, Blacknight wrote and we support: /“if ANY registrar in Germany, for example, is granted a waiver based on German law, then ALL registrars based in Germany should receive the same treatment.”/ Once a national data protection or privacy law is interpreted as requiring an exemption or modification, it should be available to all Registries/Registrars in that country.
>>>>>
>>>>> Further, we recommend that ICANN should be required to notify each gTLD Registry and Registrar in the same jurisdiction as that of the decision so they will have notice of the change.
>>>>>
>>>>> We thank ICANN staff for holding this comment period.
>>>>>
>>>>> Respectfully submitted,
>>>>>
>>>>> NCSG
>>>>>
>>>>> DRAFT
>>>>>
>>>>> _______________________________________________
>>>>> PC-NCSG mailing list
>>>>> [log in to unmask]
>>>>> http://mailman.ipjustice.org/listinfo/pc-ncsg
>>>
>>> <NSCG DRAFT Comments for Review of WHOIS Consensus Proceduresp+ad.doc>