[log in to unmask]" type="cite">
Hi Stephanie,
Tx for adding Avri's comments. I've reviewed all of the changes,
and also added one more to this most recent version. Newest
version (NCSGEdits3) attached.
**Due tomorrow**
Best,
Kathy
:
[log in to unmask]"
type="cite">I also agreed with Avri and inserted a few of her
changes, Kathy did not get those edits....we need to make sure
we have a final copy that Rafik can sign, which reflects all the
agreed changes. Do you want me to have another edit one last
time, to make sure that Joy's comments (which were on an earlier
draft) and Avri's are all in there?
cheers stephanie
On 2014-07-31, 9:22, Amr Elsadr wrote:
Hi all,
On Jul 30, 2014, at 2:57 PM, Avri Doria <[log in to unmask]> wrote:
hi,
Reviewed the document.
Made a change so it could be a NCSG document.
Thanks.
There are parts I am uncomfortable
with, some of which I deleted and
some of which I left and still am uncomfortable with.
I do not think we should ever dismiss the Multistakeholder
model. I do
not wish to find ourselves in the situation of being quoted
for having
suggested that there are times when the model should be
superseded. That
would be a gold mine for some. I deleted those references.
Fully agree. Although I don’t feel that was the intent, it
could certainly be perceived that way. No need to bring it up.
I am also uncomfortable with saying
there are things that don't need
public comment on. To just have to take the legal staff
view on things
is dangerous. What if they say the law does not require
something when
someone knows better. Better to have a null review. I have
not,
however, removed these as they were an entire section. I
would like
to see that section reworded or removed before approving the
documents.
IMHO, I don’t see the need for a public comment period on
every time this policy might be used. If a new set of policies
and processes are adopted for handling WHOIS conflicts with
privacy laws, then they should be clear enough during
implementation to not require public comment, right? Isn’t
this the case with all policies? For instance, is there a
public comment period every time a new registrar signs a
contract with ICANN? Or will there be a public comment period
when implementation of the “thick” WHOIS policy kicks in?
Another thought is that a public comment period will also
lengthen the period during which a registrar will potentially
be at risk for non-compliance with local laws. Unless there is
an important reason why there should be a public comment for
each of the resolution scenarios, then I suggest we support
Kathy’s recommendation to not have any.
Thanks.
Amr
I also removed a bunch of weasel words
like 'respectfully'
avri
On 30-Jul-14 14:28, Avri Doria wrote:
Hi,
Started reviewing them, actually Stephanie's comments.
They are written
from an NCUC perspective and need to be approved by them,
not us.
avri
On 30-Jul-14 11:36, Rafik Dammak wrote:
Hi everyone,
Kathy sent a draft comment to the whois conflict with
local laws. we
have a tight schedule and we should act quickly.
we are responding during the reply period which means
the last chance
for us to do so.
@Maria can you please follow-up with this request?
Best,
Rafik
---------- Forwarded message ----------
From: *Kathy Kleiman* <[log in to unmask]
<mailto:[log in to unmask]>>
Date: 2014-07-30 2:44 GMT+09:00
Subject: Draft Comments for Whois Proceeding
To: Rafik Dammak <[log in to unmask]
<mailto:[log in to unmask]>>,
[log in to unmask]
<mailto:[log in to unmask]>
To Rafik, NCSG Executive Committee and NCSG Membership,
There is an important, but very quiet comment proceeding
that has been
taking place this summer. It is the /Review of the ICANN
Procedure for
Handling WHOIS Conflicts with Privacy Law///at
/https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en/
Stephanie put out a call for comments, and not seeing
any, I drafted
these. It has been dismayeding ever since ICANN adopted
its Consensus
Procedure for Handling WHOIS Conflicts with Privacy law
-- because it
basically requires that Registrars and Registries have
to be sued or
receive an official notice of violation before they can
ask ICANN for a
waiver of the Whois requirements. That always seemed
very unfair- that
you have to be exposed to allegation of illegal activity
in order to
protect yourself or your Registrants under your national
data protection
and privacy laws.
In the more recent Data Retention Specification, of the
2013 RAA, ICANN
Staff and Lawyers saw this problem and corrected it --
now Registrars
can be much more pro-active in showing ICANN that a
certain clause in
their contract (e.g., extended data retention) is a
clear violation of
their national law (e.g., more limited data retention).
So to this important comment proceeding, I drafted these
comments for us
to submit. As Reply Comments (during the Reply Period),
we are asked to
respond to other commenters. That's easy as the European
Commission and
Registrar Blacknight submitted useful comments.
Rafik, can we edit, finalize and submit by the deadline
on Friday?
Comments below and attached. If you have edits, in the
interest of time,
kindly suggest alternate language. Tx!!
Best,
Kathy
--------------------------------------------------------------------------------------------------------
DRAFT NCSG Response to the Questions of the
/Review of the ICANN Procedure for Handling WHOIS
Conflicts with Privacy
Law//
https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en/
*Introduction*
The Noncommercial Stakeholders Group represents
noncommercial
organizations in their work in the policy and
proceedings of ICANN and
the GNSO. We respectfully submit as an opening premise
that every legal
business has the right and obligation to operate within
the bounds and
limits of its national laws and regulations. No legal
business
establishes itself to violate the law; and to do so is
an invitation to
civil and criminal penalties. ICANN Registries and
Registrars are no
different – they want and need to abide by their laws.
Thus, it is timely for ICANN to raise the questions of
this proceeding,
/Review of the ICANN Procedure for Handling WHOIS
Conflicts with Privacy
Law/(albeit at a busy time for the Community and at the
height of
summer; we expect to see more interest in this time
towards the Fall).
We submit these comments in response to the issues
raises and the
questions asked.
*Background*
The /ICANN Procedure for Handling Whois Conflicts with
Privacy Law /was
adopted in 2006 after years of debate on Whois issues.
This Consensus
Procedure was the first step of recognition that data
protection laws
and privacy law DO apply to the personal and sensitive
data being
collected by Registries and Registrars for the Whois
database.
But for those of us in the Noncommercial Users
Constituency (now part of
the Noncommercial Stakeholders Group/NCSG) who helped
debate, draft and
adopt this Consensus Procedure in the mid-2000s, we were
always shocked
that the ICANN Community did not do more. At the time,
multiple Whois
Task Forces were at work with multiple proposals which
include important
and pro-active suggestions to allow Registrars and
Registries to come
into compliance with their national data protection and
privacy laws.
At the time, we never expected this Consensus Procedure
to be an end
itself – but the first step of many steps. It was an
“end” for too long,
so we are glad the discussion is reopened and once again
we seek to
allow Registrars and Registries to be in full compliance
with their
national data protection and privacy laws – from the
moment they enter
into their contracts with ICANN.
*II. Data Protection and Privacy Laws – A Quick Overview
of the
Principles that Protect the Personal and Sensitive Data
of Individuals
and Organizations/Small Businesses *
**
/*[Stephanie, Tamir or Others with Expertise in Canadian
and European
Data Protection Laws may choose to add something here].
*/
III/*. */Questions asked of the Community in this
Proceeding
The ICANN Review Paper raised a number of excellent
questions. In
keeping with the requirements of a Reply Period, these
NCSG comments
will address both our comments and those comments we
particularly
support in this proceeding.
1.
Is it impractical for ICANN to require that a
contracted party
already has litigation or a government proceeding
initiated
against it prior to being able to invoke the
Whois Procedure?
1.1 Response: Yes, it is completely impractical (and
ill-advised) to
force a company to violate a national law as a condition
of complying
with that national law. Every lawyer advises businesses
to comply with
the laws and regulations of their field. To do otherwise
is to face
fines, penalties, loss of the business, even jail for
officers and
directors. Legal business strives to be law-abiding; no
officer or
director wants to go to jail for her company's
violations. It is the
essence of an attorney's advice to his/her clients to
fully comply with
the laws and operate clearly within the clear boundaries
and limits of
laws and regulations, both national, by province or
state and local.
In these Reply Comments, we support and encourage ICANN
to adopt
policies consistent with the initial comments submitted
by the European
Commission:
o
that the Whois Procedure be changed from
requiring specific
prosecutorial action instead to allowing
“demonstrating evidence
of a potential conflict widely and e.g. accepting
information on
the legislation imposing requirements that the
contractual
requirements would breach as sufficient
evidence.” (European
Commission comments)
We also agree with Blacknight:
o
“It's completely illogical for ICANN to require
that a
contracting party already has litigation before
they can use a
process. We would have loved to use a procedure
or process to
get exemptions, but expecting us to already be
litigating before
we can do so is, for lack of a better word,
nuts.” (Blacknight
comments in this proceeding).
1.1a How can the triggering event be meaningfully
defined?
1.1 a Response: This is an important question.
Rephrased, we might ask
together – what must a Registry or Registrar show ICANN
in support of
its claim that certain provisions involving Whois data
violate
provisions of national data protection and privacy laws?
NCSG respectfully submits that there are at least four
“triggering
events” that ICANN should recognize:
o
Evidence from a national Data Protection
Commissioner or his/her
office (or from a internationally recognized body
of national
Data Protection Commissioners in a certain region
of the world,
including the Article 29 Working Party that
analyzes the
national data protection and privacy laws) that
ICANN's
contractual obligations for Registry and/or
Registrar contracts
violate the data protection laws of their country
or their group
of countries;
o
Evidence of legal and/or jurisdictional conflict
arising from
analysis performed by ICANN's legal department or
by national
legal experts hired by ICANN to evaluate the
Whois requirements
of the ICANN contracts for compliance and
conflicts with
national data protection laws and cross-border
transfer limits)
(similar to the process we understand was
undertaken for the
data retention issue);
o
Receipt of a written legal opinion from a
nationally recognized
law firm in the applicable jurisdiction that
states that the
collection, retention and/or transfer of certain
Whois data
elements as required by Registrar or Registry
Agreements is
“reasonably likely to violate the applicable law”
of the
Registry or Registrar (per the process allowed in
RAA Data
Retention Specification); or
o
An official opinion of any other governmental
body of competent
jurisdiction providing that compliance with the
data protection
requirements of the Registry/Registrar contracts
violates
applicable national law (although such pro-active
opinions may
not be the practice of the Data Protection
Commissioner's office).
The above list draws from the comments of the European
Commission, Data
Retention Specification of the 2013 Registrar
Accreditation Agreement,
and sound compliance and business practices for the
ICANN General
Counsel's office.
We further agree with Blacknight that the requirements
for triggering
any review and consideration by ICANN be: simple and
straightforward,
quick and easy to access.
1.3 Are there any components of the triggering
event/notification
portion of the RAA's Data Retention waiver process that
should be
considered as optional for incorporation into a modified
Whois Procedure?
1.3 Response: Absolutely, the full list in 1.1a above,
together with
other constructive contributions in the Comments and
Reply Comments of
this proceeding, should be strongly considered for
incorporation into a
modified Whois Procedure, or simply written into the
contracts of the
Registries and Registrars contractual language, or a new
Annex or
Specification.
We respectfully submit that the obligation of Registries
and Registrars
to comply with their national laws is not a matter of
multistakeholder
decision making, but a matter of law and compliance. In
this case, we
wholeheartedly embrace the concept of building a process
together that
will allow exceptions for data protection and privacy
laws to be adopted
quickly and easily.
1.4 Should parties be permitted to invoke the Whois
Procedure before
contracting with ICANN as a registrar or registry?
1.4 Response: Of course, Registries and Registrars
should be allowed to
invoke the Whois Procedure, or other appropriate annexes
and
specifications that may be added into Registry and
Registrar contracts
with ICANN. As discussed above, the right of a legal
company to enter
into a legal contracts is the most basic of expectations
under law.
2.1 Are there other relevant parties who should be
included in this
step?
2.1 Response: We agree with the EC that ICANN should be
working as
closely with National Data Protection Authorities as
they will allow. In
light of the overflow of work into these national
commissions, and the
availability of national experts at law firms, ICANN
should also turn to
the advice of private experts, such as well-respected
law firms who
specialize in national data protection laws. The law
firm's opinions on
these matters would help to guide ICANN's knowledge and
evaluation of
this important issue.
3.1 How is an agreement reached and published?
3.1 Response. As discussed above, compliance with
national law may not
be the best matter for negotiation within a
multistakeholder process. It
really should not be a chose for others to make whether
you comply with
your national data protection and privacy laws. That
said, the process
of refining the Consensus Procedure, and adopting new
policies and
procedures, or simply putting new contract provisions,
annexes or
specifications into the Registry and Registrar contracts
SHOULD be
subject to community discussion, notification and
review. But once the
new process is adopted, we think the new changes,
variations,
modifications or exceptions of Individual Registries and
Registrars need
go through a public review and process. The results,
however, Should be
published for Community notification and review.
We note that in conducting the discussion with the
Community on the
overall or general procedure, policy or contractual
changes, ICANN
should be assertive in its outreach to the Data
Protection
Commissioners. Individual and through their
organizations, they have
offered to help ICANN evaluate this issue numerous
times. The Whois
Review Team noted the inability of many external bodies
to monitor ICANN
regularly, but the need for outreach to them by ICANN
staff nonetheless:
*Recommendation 3: Outreach*
*ICANN should ensure that WHOIS policy issues are
accompanied by
cross-community*
*outreach, including outreach to the communities outside
of ICANN with a
specific*
*interest in the issues, and an ongoing program for
consumer awareness.*
This is a critical policy item for such outreach and
input.
3.2 If there is an agreed outcome among the relevant
parties, should
the Board be involved in this procedure?
3.2 Response: Clearly, the changing of the procedure, or
the adoption of
a new policy or new contractual language for Registries
and Registrars,
Board oversight and review should be involved. But once
the new
procedure, policy or contractual language is in place,
then subsequent
individual changes, variations, modifications or
exceptions should be
handled through the process and ICANN Staff – as the
Data Retention
Process is handled today.
4.1 Would it be fruitful to incorporate public
comment in each of
the resolution scenarios?
4.1 Response: We think this question means whether there
should be
public input on each and every exception? We
respectfully submit that
the answer is No. Once the new policy, procedure or
contractual language
is adopted, then the process should kick in and the
Registrar/Registry
should be allowed to apply for the waiver, modification
or revision
consistent with its data protection and privacy laws. Of
course, once
the waiver or modification is granted, the decision
should be matter of
public record so that other Registries and Registrars in
the
jurisdiction know and so that the ICANN Community as a
whole can monitor
this process' implementation and compliance.
Step Five: Public notice
5.2 Is the exemption or modification termed to the
length of the
agreement? Or is it indefinite as long as the contracted
party is
located in the jurisdiction in question, or so long as
the applicable
law is in force.
5.2 Response: We agree with the European Commission in
its response,
“/By logic the exemption or modification shall be in
place as long as
the party is subject to the jurisdiction in conflict
with ICANN rules.
If the applicable law was to change, or the contacted
party moved to a
different jurisdiction, the conditions should be
reviewed to assess if
the exemption is still justified.” But provided it is
the same parties,
operating under the same laws, the modification or
change should
continue through the duration of the relationship
between the
Registry/Registrar and ICANN. /
5.3 Should an exemption or modification based on the
same laws and
facts then be granted to other affected contracted
parties in the same
jurisdiction without invoking the Whois Procedure
5.3 Response. The European Commission in its comments
wrote, and we
strongly agree: /“the same exception should apply to
others in the same
jurisdiction who can demonstrate that they are in the
same situation.”
/Further, Blacknight wrote and we support: /“if ANY
registrar in
Germany, for example, is granted a waiver based on
German law, than ALL
registrars based in Germany should receive the same
treatment.” /Once a
national data protection or privacy law is interpreted
as requiring and
exemption or modification, it should be available to all
Registries/Registrars in that country.
Further, we recommend that ICANN should be required to
notify each gTLD
Registry and Registrar in the same jurisdiction as that
of the decision
so they will have notice of the change.
We thank ICANN staff for holding this comment period.
Respectfully submitted,
NCSG
DRAFT
_______________________________________________
PC-NCSG mailing list
[log in to unmask]
http://mailman.ipjustice.org/listinfo/pc-ncsg
_______________________________________________
PC-NCSG mailing list
[log in to unmask]
http://mailman.ipjustice.org/listinfo/pc-ncsg
<NSCG DRAFT Comments for Review of WHOIS Consensus
Proceduresp+ad.doc>_______________________________________________
PC-NCSG mailing list
[log in to unmask]
http://mailman.ipjustice.org/listinfo/pc-ncsg
_______________________________________________
PC-NCSG mailing list
[log in to unmask]
http://mailman.ipjustice.org/listinfo/pc-ncsg