[Gnso-impl-thickwhois-rt] Draft Thick Whois memo to the GNSO

Metalitz, Steven met at msk.com
Wed Aug 31 19:05:44 UTC 2016


Thanks Theo. I did check the Safe Harbor list and found some major registries not on it or not referencing Whois data in their self-certification. Verisign was in the latter category. But awaiting further responses.

Steve





-----Original Message-----
From: theo geurts [gtheo at xs4all.nl]
Sent: Wednesday, August 31, 2016 11:49 AM Pacific Standard Time
To: Metalitz, Steven; 'Anderson, Marc'; gnso-impl-thickwhois-rt at icann.org
Subject: Re: [Gnso-impl-thickwhois-rt] Draft Thick Whois memo to the GNSO

Hi Steve,

Good questions, I'll let Marc come up with his own answers.

Just to point out on 1 though, USA back end Registries did rely on Safe Harbor. You can still look them up here: https://safeharbor.export.gov/list.aspx

I already reached out to several of them, and they informed me they are in the process of getting certified for Privacy Shield. I as an EU based Registrar have a duty to make sure that when I send data to USA based companies they are Privacy Shield certified. If they are not certified then I am breaking the law.

Keep in mind though that Privacy Shield itself is just a formality to send data to the USA. Privacy Shield itself is not enough. So as an EU Registrar I cannot put my feet on the table and relax that dealing with a Privacy Shield certified company is enough.

Privacy Shield is a framework, nothing more; a Privacy Shield certified company can still be in violation of the EU directive. As such, an EU Registrar has to make sure that the USA based Privacy Shield Registry back end provider is not in violation of the directive.
This puts a huge burden on the Registry but also on the Registrar. Within the thin WHOIS model, this burden does not apply.

The Dutch Government introduced an additional requirement in 2014 that certain IT companies actually have to audit the American companies they do business with.
Currently, this does not apply for Dutch Registrars. But these things, as we know, can change (laws change all the time). Though I think I wouldn't mind a few trips to the USA to audit some Registries :)

Best regards,

Theo

On 31-8-2016 17:37, Metalitz, Steven wrote:
Thanks for providing this draft, Marc.  A couple of questions about it on a quick read:


(1) The first two developments to which you cite are the invalidation of the US-EU Safe Harbor Program and the adoption of the EU-US Privacy Shield framework to replace it. My impression is that US registries generally did not rely upon the Safe Harbor in processing thick Whois data (e.g., receiving Whois data containing personally identifiable information from European registrars and making it available through registry Whois), and so would not have been directly impacted by its invalidation. Is my impression wrong? If I am correct then what is the relevance of either the Safe Harbor or the Privacy Shield in this context?

(2) The last paragraph refers to data localization laws apart from EU privacy/data protection laws. Can you be more specific? I note that the Russian law was referenced in footnotes 2 and 10 of the legal review provided to the IRT in June 2015, are there other issues not covered by that analysis?

(3) If the IRT were to send this letter, the GNSO council might well ask what (if anything) we are asking them to do. How would you respond?



Steve Metalitz


Steven J. Metalitz | Partner, through his professional corporation
T: 202.355.7902 | met at msk.com
Mitchell Silberberg & Knupp LLP | www.msk.com
1818 N Street NW, 8th Floor, Washington, DC 20036


From: gnso-impl-thickwhois-rt-bounces at icann.org On Behalf Of Anderson, Marc
Sent: Friday, August 26, 2016 3:21 PM
To: gnso-impl-thickwhois-rt at icann.org
Subject: [Gnso-impl-thickwhois-rt] Draft Thick Whois memo to the GNSO

Dear Colleagues,

During the IRT meetings held at ICANN 56 Helsinki, Joe Waldron raised concerns with the changing landscape of Privacy Laws, in particular with regard to the EU.  He pointed out that recommendation #3 of the Thick Whois policy directs the IRT to notify the GNSO should privacy issues emerge that were not anticipated by the working group.  The IRT agreed that we have an obligation to notify the GNSO and asked Verisign to draft a proposed memo from the IRT to the GNSO.

Please find attached that draft memo outlining the obligation and the reasons why we think it is necessary to provide that notification at this time.

Thank you,
Marc




Marc Anderson
mcanderson at verisign.com

m: 571.521.9943 t: 703.948.3404
12061 Bluemont Way, Reston, VA 20190

VerisignInc.com







