[bc-gnso] FW: Article 29 WP To ICANN - EU Registrars Exempt From New RAA Data Retention Requirements

Phil Corwin psc at vlaw-dc.com
Fri Jul 5 22:44:38 UTC 2013


FYI-- full text of letter attached--while the letter was sent prior to the adoption of the final RAA, I am told that the relevant provisions are materially unchanged.

The letter states that "the proposed data retention requirement violates data protection law in Europe" and therefore "relevant registrars targeting individual domain name holders in Europe" would violate data privacy law in 27 EU nations if they complied with it.

The finding was based on two major factors:
-"The proposed new data retention requirement does not stem from any legal requirement in Europe... Taking into account the diversity of these registrars in terms of size and technical and organisational security measures, and the chance of data breaches causing adverse effects to individuals holding a domain name, the Working Party finds the benefits of this proposal disproportionate to the risk for individuals and their rights to the protection of their personal data."
-"the Working Party reiterates its strong objection to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement."

As the new RAA permits any registrar to seek an exemption from ICANN if provisions of the RAA conflict with local law, we can assume that all EU-based registrars will do so. While not an unintended loophole, this sure creates an unlevel playing field between EU-based registrars and those in other jurisdictions.



http://www.internetnews.me/2013/07/04/article-29-working-party-to-icann-eu-registrars-exempt-from-data-retention-requirements/?utm_source=buffer&utm_campaign=Buffer&utm_content=buffer39245&utm_medium=twitter




  

Article 29 Working Party To ICANN - EU Registrars Exempt From Data Retention Requirements

By Michele Neylon on July 4, 2013 in icann, policy, privacy, registrars 


The 2013 RAA was approved by ICANN's board of directors less than a week ago.

The new contract introduces a number of new obligations on ICANN accredited registrars, among them are several related to data validation, verification and retention.

The Article 29 Working Party, however, has written to ICANN and made it very clear that it views these requirements to be unlawful. While the letter dates from earlier this month the text of the contract was not changed drastically prior to its acceptance by ICANN's board.

The letter makes reference to the new exemption process that ICANN introduced with this version of the contract, which allows registrars to gain exemptions if contractual obligations conflict with local law. And what is sure to be welcomed by EU based registrars is the letter's aim - to avoid duplication of work by data protection authorities (and registrars):

In order to avoid unnecessary duplication of work by 27 national data protection authorities in Europe, with this letter, the Working Party wishes to provide a single statement for all relevant registrars targeting individual domain name holders in Europe


Here's the letter's full text:

Subject: Statement on the data protection impact of the revision of the ICANN RAA

Dear Mr Crocker and Mr Chehadé,

In the context of ICANN's revision of the Registrar Accreditation Agreement (RAA) and the final RAA Proposal[1], the Working Party on the Protection of Individuals with regard to the Processing of Personal Data (Article 29 WP)[2] wishes to provide a harmonised statement concerning compliance with European data protection law.

Following up on our letter of 27 September 2012[3] and previous contributions to the process of collecting and disclosing WHOIS data[4], this statement specifically addresses the legitimacy of the data retention obligation for registrars, contained in the new RAA.

The Working Party notes that ICANN has included a procedure for registrars to request a waiver from these requirements if necessary to avoid a violation of applicable data protection law. Such a waiver request can be based on written guidance from a governmental body of competent jurisdiction providing that compliance with the data retention requirements violates applicable law.

In order to avoid unnecessary duplication of work by 27 national data protection authorities in Europe, with this letter, the Working Party wishes to provide a single statement for all relevant registrars targeting individual domain name holders in Europe.

The final proposed Data Retention specification roughly distinguishes between name and contact details for the domain name holder (specified in 1.1.1 to 1.1.7) and all other types of data a registrar might collect (specified in 1.2.1 to 1.2.3), such as logfiles and billing records containing the 'means and source of payment', logfiles about the communication with the registrar including source IP address, telephone number, e-mail address, Skype handle or instant messaging identifier, as well as the date, time and time zones of communications.

Registrars are required to keep the first category of personal data for a period of two years after the contract for the domain has been ended. The second category of personal data must be retained for six months after the contract has ended.

The first category of data includes payment data, defined as: 'card on file', current period third party transaction number, or other recurring payment data.

The proposed new data retention requirement does not stem from any legal requirement in Europe.[5] It entails the extended processing of personal data such as credit card and communication data by a very large number of registrars. The fact that these data may be useful for law enforcement (including copyright enforcement by private parties) does not equal a necessity to retain these data after termination of the contract. Taking into account the diversity of these registrars in terms of size and technical and organisational security measures, and the chance of data breaches causing adverse effects to individuals holding a domain name, the Working Party finds the benefits of this proposal disproportionate to the risk for individuals and their rights to the protection of their personal data.

Secondly, the Working Party reiterates its strong objection to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement. If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation that meets the demands of article 8 of the European Convention on Human Rights and article 17 of the International Covenant on Civil and Political rights.

The fact that these personal data can be useful for law enforcement does not legitimise the retention of these personal data after termination of the contract. Because there is no legal ground for the data processing, the proposed data retention requirement violates data protection law in Europe.

In general, we repeat that the problem of inaccurate contact details in the WHOIS database cannot be solved without addressing the root of the problem: the unlimited public accessibility of private contact details in the WHOIS database. In that light, the Working Party welcomes the growing number of registries in Europe that are offering layered access to the WHOIS data.

Yours sincerely,
On behalf of the Article 29 Working Party

About Michele Neylon
Michele is founder and managing director of domain registrar and hosting company Blacknight. He also co-hosts the Technology.ie podcast. 
  


  
        




Philip S. Corwin, Founding Principal
Virtualaw LLC
1155 F Street, NW
Suite 1050
Washington, DC 20004
202-559-8597/Direct
202-559-8750/Fax
202-255-6172/Cell

Twitter: @VLawDC

"Luck is the residue of design" -- Branch Rickey

Sent from my iPad
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ICANN-RAA_data_retention-Article29WP_Letter_to_ICANN.pdf
Type: application/pdf
Size: 61987 bytes
Desc: ICANN-RAA_data_retention-Article29WP_Letter_to_ICANN.pdf
URL: <http://mm.icann.org/pipermail/bc-gnso/attachments/20130705/c09c5bb1/ICANN-RAA_data_retention-Article29WP_Letter_to_ICANN.pdf>

