Thanks for sending, I am having trouble with attachments but I got it. I think I have made all the corrections now, here is the amended version 6, I believe you can post it.
cheers
Stephanie

On 2014-08-01, 6:11, Rafik Dammak wrote:
> Hi Stephanie,
>
> I think joy included her language in the attached document, can you please merge that with the latest draft you circulated?
> Lesson learned: use a shared online document and avoid the word document versioning nightmare.
>
> Best,
>
> Rafik
>
> ---------- Forwarded message ----------
> From: "joy" <[log in to unmask]>
> Date: Jul 31, 2014 3:05 AM
> Subject: Re: [NCSG-Discuss] Draft Comments for Whois Proceeding
> To: <[log in to unmask]>
> Cc:
>
> Hi - thanks everyone for the effort on this
> I have also added some information on the recent report of the UN High Commissioner for Human Rights on the right to privacy in the digital age - which includes aspects relevant for companies - plus one or two other minor comments
> Hope you get these in time!
> Joy
>
> On 31/07/2014 4:17 a.m., Kathy Kleiman wrote:
> > Hi All,
> > Attached is the revised version of the comments. It has the changes of Stephanie and Ed incorporated (tx you!) I have drafted it for Rafik's signature and submission on behalf of the NCSG (feel free to add an electronic signature, Rafik!). (Track changes version showing edits attached)
> >
> > If you could please use _this version_ of the revised comments for review and submission, that would be great.
> >
> > Best,
> > Kathy
> >
> > ------------------------------------------------------------------------
> >
> > NCSG Response to the Questions of the
> > /Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy Law/
> >
> > https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en//
> >
> > The Noncommercial Stakeholders Group represents noncommercial organizations and individual noncommercial users in their work in the policy and proceedings of ICANN and the GNSO. We respectfully submit as an opening premise that every legal business has the right and obligation to operate within the bounds and limits of its national laws and regulations. No legal business establishes itself to violate the law; and to do so is an invitation to civil and criminal penalties, in addition to reputational damage and a loss of the trust of their customers and business partners. ICANN Registries and Registrars are no different – they want and need to abide by their laws.
> >
> > To that end, Registries and Registrars strive to comply with their national and local laws. They strive affirmatively and proactively to follow the laws and regulations under which they operate as legal entities. To do otherwise is to violate the purpose of a legal regime, to threaten the well being of the company, and to expose Directors, Officers and Employees to fines, jail, or civil litigation. In the matter of protection of personal and confidential information, which is a very newsworthy issue in the 21st century, privacy practices are a matter of consumer trust, and therefore high risk for those operating an Internet business. Even if customers have obediently complied with demands for excessive collection and disclosure of personal information up to this point, in the current news furor over Snowden and the cooperation of business with national governments engaged in surveillance, this could change with the next news story. The Internet facilitates successful privacy campaigns.
> >
> > Thus, it is wise and timely for ICANN to raise the questions of this proceeding, /Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy Law/ (albeit at a busy time for the Community and at the height of summer; we expect to see more interest in this time towards the Fall and recommend that ICANN not construe the small number of comments received to date as a reflection of lack of interest). We submit these comments in response to the issues raised and the questions asked.
> >
> > *Background*
> >
> > The /ICANN Procedure for Handling Whois Conflicts with Privacy Law/ was adopted in 2006 after years of debate on Whois issues. This Consensus Procedure was the first step of recognition that data protection laws and privacy law DO apply to the personal and sensitive data being collected by Registries and Registrars for the Whois database.
> >
> > But for those of us in the Noncommercial Users Constituency (now part of the Noncommercial Stakeholders Group/NCSG) who helped debate, draft and adopt this Consensus Procedure in the mid-2000s, we were always shocked that the ICANN Community did not do more. At the time, several Whois Task Forces were at work with multiple proposals which include important and pro-active suggestions to allow Registrars and Registries to come into compliance with their national and local data protection and privacy laws.
> >
> > At the time, we never expected this Consensus Procedure to be an end in itself – but the first of many steps. We are glad the discussion is now reopened and we support empowering Registrars and Registries to be in full compliance with their national and local data protection, consumer protection and privacy laws – from the moment they enter into their contracts with ICANN.
> >
> > We note there have been a number of recent decisions in higher courts in various jurisdictions which impact the constitutional rights of citizens to be free from warrantless disclosure and retention of their personal information for law enforcement purposes. This reflects the time it takes for data protection issues to wend their way to the high courts for a ruling. We would urge ICANN, who otherwise sit on the cutting edge of Internet technical issues, to reflect on their role as a key global player in Internet governance. Do we lead or do we wait until we are dragged into Court, to realize our responsibilities to protect the fundamental rights of the citizens who depend on the Internet to participate in modern society?
> >
> > II. Data Protection and Privacy Laws – A Quick Overview of the Principles that Protect the Personal and Sensitive Data of Individuals and Organizations/Small Businesses
> >
> > It is important to stress that while the discourse about data protection requirements at ICANN has tended to focus on the European Union and its Data Commissioners, as represented in the Article 29 Working Party on Data Protection, there are a great many countries which have data protection law in place, including Canada, Mexico, much of South America, Korea, Japan, Australia, New Zealand, Singapore, South Africa, and many others. It is therefore quite puzzling that ICANN does not assemble a working group to study the matter and develop a harmonized approach to the issue, rather than take this rather odd approach of forcing registrars and registries to break national and local law.
> >
> > It is also important to note that there are many levels of data protection law, from local municipal law to state and national law. There is also sectoral law which applies to certain sectors. It would be a reasonable approach to develop a policy that reflects harmonized best practice, and abide by the policy rather than engage in this adversarial approach to local law. Data protection law is overwhelmingly complaints based, so it is inherently difficult for registrars and registries to get a ruling from data protection commissioners absent a complaint and a set of facts.
> >
> > In this regard, we also find it puzzling that despite the fact that the Article 29 Working Party wrote to ICANN senior management to indicate that they have reviewed the matter and reached an opinion that the practices involving WHOIS do indeed violate EU law, ICANN has not taken that message and developed a policy that guides their data protection practices, starting with a clear statement of limited purpose for the collection, use, and disclosure of personal information.
> >
> > The NCSG held a privacy meeting at the London ICANN 50 meeting, which was quite well attended. While we did not specifically address or attempt to brainstorm this particular problem, we feel it is safe to summarize the following points:
> >
> > · There is considerable interest, in civil society, in the protection of personal information at ICANN.
> >
> > · Policies and procedures such as were developed for the 2013 RAA are very puzzling to those who are engaged in government and business in the privacy field. This is not 1995, when the EU Directive on data protection was passed and was still controversial. ICANN needs to catch up with global business practice, preferably by developing binding corporate rules which would take a harmonized approach to the differing local laws. It is not appropriate for all data protection to fall away in jurisdictions where there is not yet a data protection law that applies to the provision of internet services, including domain name registration.
> >
> > · NCSG is ramping up a team of volunteers to provide more detailed expertise and input on a number of privacy and free speech issues. While civil society is inherently stretched and short of resources, this is an issue that they care deeply about, and our outreach has begun to bear fruit in engaging others who are outside the immediate sphere of ICANN membership. This is important as they are part of the constituency we seek to represent.
> >
> > ICANN spends considerable time on technical parameters, data accuracy, and retention. More time needs to be spent on data protection policy. In this respect, more expertise would be required as there is very little evidence of privacy expertise in the ICANN community.
> >
> > III. Questions asked of the Community in this Proceeding
> >
> > The ICANN Review Paper raised a number of excellent questions. In keeping with the requirements of a Reply Period, these NCSG comments will address both our comments and those comments we particularly support in this proceeding.
> >
> > However we would first like to note that the paper appears to start from the position that the procedures involved in this waiver process simply need to be tweaked. Operating under the first principle that all business must comply with local law, there is a need for ICANN to embrace data protection law as a well recognized branch of law which codifies well recognized business best practices with respect to the confidentiality of customer data. We respectfully submit that, if ICANN had a professional privacy officer, it is highly unlikely that he/she would recommend to senior management that the current approach be entertained in 2014.
> >
> > 1.1 Is it impractical for ICANN to require that a contracted party already has litigation or a government proceeding initiated against it prior to being able to invoke the Whois Procedure?
> >
> > 1.1 Response: Yes, it is completely impractical (and ill-advised) to force a company to violate a national law as a condition of complying with their contract. Every lawyer advises businesses to comply with the laws and regulations of their field. To do otherwise is to face fines, penalties, loss of the business, even jail for officers and directors. Legal business strives to be law-abiding; no officer or director wants to go to jail for her company's violations. It is the essence of an attorney's advice to his/her clients to fully comply with the laws and operate clearly within the clear boundaries and limits of laws and regulations, both national, by province or state and local.
> >
> > In these Reply Comments, we support and encourage ICANN to adopt policies consistent with the initial comments submitted by the European Commission:
> >
> > - that the Whois Procedure be changed from requiring specific prosecutorial action instead to allowing “demonstrating evidence of a potential conflict widely and e.g. accepting information on the legislation imposing requirements that the contractual requirements would breach as sufficient evidence.” (European Commission comments)
> >
> > We also agree with Blacknight:
> >
> > - “It's completely illogical for ICANN to require that a contracting party already has litigation before they can use a process. We would have loved to use a procedure or process to get exemptions, but expecting us to already be litigating before we can do so is, for lack of a better word, nuts.” (Blacknight comments in this proceeding).
> >
> > 1.1a How can the triggering event be meaningfully defined?
> >
> > This is an important question. Rephrased, we might ask together – what must a Registry or Registrar show ICANN in support of its claim that certain provisions involving Whois data violate provisions of national data protection and privacy laws?
> >
> > NCSG respectfully submits that there are at least four “triggering events” that ICANN should recognize:
> >
> > - Evidence from a national Data Protection Commissioner or his/her office (or from an internationally recognized body of national Data Protection Commissioners in a certain region of the world, including the Article 29 Working Party that analyzes the national data protection and privacy laws) that ICANN's contractual obligations for Registry and/or Registrar contracts violate the data protection laws of their country or their group of countries;
> >
> > - Evidence of legal and/or jurisdictional conflict arising from analysis performed by ICANN's legal department or by national legal experts hired by ICANN to evaluate the Whois requirements of the ICANN contracts for compliance and conflicts with national data protection laws and cross-border transfer limits) (similar to the process we understand was undertaken for the data retention issue);
> >
> > - Receipt of a written legal opinion from a nationally recognized law firm or qualified legal practitioner in the applicable jurisdiction that states that the collection, retention and/or transfer of certain Whois data elements as required by Registrar or Registry Agreements is “reasonably likely to violate the applicable law” of the Registry or Registrar (per the process allowed in RAA Data Retention Specification); or
> >
> > - An official opinion of any other governmental body of competent jurisdiction providing that compliance with the data protection requirements of the Registry/Registrar contracts violates applicable national law (although such pro-active opinions may not be the practice of the Data Protection Commissioner's office).
> >
> > The above list draws from the comments of the European Commission, Data Retention Specification of the 2013 Registrar Accreditation Agreement, and sound compliance and business practices for the ICANN General Counsel's office.
> >
> > We further agree with Blacknight that the requirements for triggering any review and consideration by ICANN be: simple and straightforward, quick and easy to access.
> >
> > 1.3 Are there any components of the triggering event/notification portion of the RAA's Data Retention waiver process that should be considered as optional for incorporation into a modified Whois Procedure?
> >
> > 1.3 Response: Absolutely, the full list in 1.1a above, together with other constructive contributions in the Comments and Reply Comments of this proceeding, should be strongly considered for incorporation into a modified Whois Procedure, or simply written into the contracts of the Registries and Registrars contractual language, or a new Annex or Specification.
> >
> > We respectfully submit that the obligation of Registries and Registrars to comply with their national laws is not a matter of multistakeholder decision making, but a matter of law and compliance. In this case, we wholeheartedly embrace the concept of building a process together that will allow exceptions for data protection and privacy laws to be adopted quickly and easily.
> >
> > 1.4 Should parties be permitted to invoke the Whois Procedure before contracting with ICANN as a registrar or registry?
> >
> > 1.4 Response: Of course, Registries and Registrars should be allowed to invoke the Whois Procedure, or other appropriate annexes and specifications that may be added into Registry and Registrar contracts with ICANN. As discussed above, the right of a legal company to enter into legal contracts is the most basic of expectations under law.
> >
> > 2.1 Are there other relevant parties who should be included in this step?
> >
> > 2.1 Response: We agree with the EC that ICANN should be working as closely with National Data Protection Authorities as they will allow. In light of the overflow of work into these national commissions, and the availability of national experts at law firms, ICANN should also turn to the advice of private experts, such as well-respected law firms who specialize in national data protection laws. The law firm's opinions on these matters would help to guide ICANN's knowledge and evaluation of this important issue.
> >
> > 3.1 How is an agreement reached and published?
> >
> > 3.1 Response. As discussed above, compliance with national law may not be the best matter for negotiation within a multistakeholder process. It really should not be a choice for others to make whether you comply with your national data protection and privacy laws. That said, the process of refining the Consensus Procedure, and adopting new policies and procedures, or simply putting new contract provisions, annexes or specifications into the Registry and Registrar contracts SHOULD be subject to community discussion, notification and review. But once the new process is adopted, we think the new changes, variations, modifications or exceptions of Individual Registries and Registrars need go through a public review and process. The results, however, should be published for Community notification and review.
> >
> > We note that in conducting the discussion with the Community on the overall or general procedure, policy or contractual changes, ICANN should be assertive in its outreach to the Data Protection Commissioners. Individually and through their organizations, they have offered to help ICANN evaluate this issue numerous times. The Whois Review Team noted the inability of many external bodies to monitor ICANN regularly, but the need for outreach to them by ICANN staff nonetheless:
> >
> > *Recommendation 3: Outreach*
> >
> > *ICANN should ensure that WHOIS policy issues are accompanied by cross-community outreach, including outreach to the communities outside of ICANN with a specific interest in the issues, and an ongoing program for consumer awareness. (Whois Review Team Final Report)*
> >
> > This is a critical policy item for such outreach and input.
> >
> > 3.2 If there is an agreed outcome among the relevant parties, should the Board be involved in this procedure?
> >
> > 3.2 Response: Clearly, the changing of the procedure, or the adoption of a new policy or new contractual language for Registries and Registrars, Board oversight and review should be involved. But once the new procedure, policy or contractual language is in place, then subsequent individual changes, variations, modifications or exceptions should be handled through the process and ICANN Staff – as the Data Retention Process is handled today.
> >
> > 4.1 Would it be fruitful to incorporate public comment in each of the resolution scenarios.
> >
> > 4.1 Response: We think this question means whether there should be public input on each and every exception? We respectfully submit that the answer is No. Once the new policy, procedure or contractual language is adopted, then the process should kick in and the Registrar/Registry should be allowed to apply for the waiver, modification or revision consistent with its data protection and privacy laws. Of course, once the waiver or modification is granted, the decision should be a matter of public record so that other Registries and Registrars in the jurisdiction know and so that the ICANN Community as a whole can monitor this process' implementation and compliance.
> >
> > Step Five: Public notice
> >
> > 5.2 Is the exemption or modification termed to the length of the agreement? Or is it indefinite as long as the contracted party is located in the jurisdiction in question, or so long as the applicable law is in force.
> >
> > 5.2 Response: We agree with the European Commission in its response,
> >
> > /“By logic the exemption or modification shall be in place as long as the party is subject to the jurisdiction in conflict with ICANN rules. If the applicable law was to change, or the contacted party moved to a different jurisdiction, the conditions should be reviewed to assess if the exemption is still justified.”/
> >
> > But provided it is the same parties, operating under the same laws, the modification or change should continue through the duration of the relationship between the Registry/Registrar and ICANN.
> >
> > 5.3 Should an exemption or modification based on the same laws and facts then be granted to other affected contracted parties in the same jurisdiction without invoking the Whois Procedure.
> >
> > 5.3 Response. The European Commission in its comments wrote, and we strongly agree: /“the same exception should apply to others in the same jurisdiction who can demonstrate that they are in the same situation.”/ Further, Blacknight wrote and we support: /“if ANY registrar in Germany, for example, is granted a waiver based on German law, than ALL registrars based in Germany should receive the same treatment.”/ Once a national data protection or privacy law is interpreted as requiring an exemption or modification, it should be available to all Registries/Registrars in that country.
> >
> > Further, we recommend that ICANN should be required to notify each gTLD Registry and Registrar in the same jurisdiction as that of the decision so they will have notice of the change.
> >
> > We thank ICANN staff for holding this comment period.
> >
> > Respectfully submitted,
> >
> > Rafik Dammak
> >
> > Chairman, NCSG
> >
> > On behalf of the Noncommercial Stakeholders Group