[Gnso-impl-thickwhois-rt] Draft Thick Whois memo to the GNSO

theo geurts gtheo at xs4all.nl
Wed Aug 31 19:57:13 UTC 2016


You are welcome Steve,

I guess we will wait for further responses as my brain is fried at the 
moment, a 16-hour work day will do that to you. Though in my little world, 
it makes sense they are not certified for that aspect. I mean we only 
send them domain name and name servers, nothing else (in a nutshell).

Slightly off topic, but can you mention those registries not on the 
list? Or perhaps we should do this offlist? Not that I am asking you to 
do my leg work, but it sounds like you hit the same problem as me. A lot of 
Registries rely on a backend operator. That is where the actual data 
goes to.

So in some cases, you have to dig deeper, and in some cases, like very 
obvious registries, you find out they use a backend in Europe :)

Have a good one,

Theo


On 31-8-2016 21:05, Metalitz, Steven wrote:
> Thanks Theo. I did check the Safe Harbor list and found some major 
> registries not on it or not referencing Whois data in their 
> self-certification. Verisign was in the latter category. But awaiting 
> further responses.
>
> Steve
>
>
> -----Original Message-----
> *From: *theo geurts [gtheo at xs4all.nl]
> *Sent: *Wednesday, August 31, 2016 11:49 AM Pacific Standard Time
> *To: *Metalitz, Steven; 'Anderson, Marc'; 
> gnso-impl-thickwhois-rt at icann.org
> *Subject: *Re: [Gnso-impl-thickwhois-rt] Draft Thick Whois memo to the 
> GNSO
>
> Hi Steve,
>
> Good questions, I'll let Marc come up with his own answers.
>
> Just to point out on 1 though, USA back end Registries did rely on 
> Safe Harbor. You can still look them up here: 
> https://safeharbor.export.gov/list.aspx
>
> I already reached out to several of them, and they informed me they 
> are in the process of getting certified for Privacy Shield. I as an EU 
> based Registrar have a duty to make sure that when I send data to USA 
> based companies they are Privacy Shield certified. If they are not 
> certified then I am breaking the law.
>
> Keep in mind though that Privacy Shield itself is just a formality to 
> send data to the USA. Privacy Shield itself is not enough. So as an EU 
> Registrar I cannot put my feet on the table and relax that dealing 
> with a Privacy Shield certified company is enough.
>
> Privacy Shield is a framework, nothing more; a Privacy Shield 
> certified company can still be in violation of the EU directive. As 
> such an EU Registrar has to make sure that the USA based privacy 
> shield Registry back end provider is not in violation of the directive.
> This puts a huge burden on the Registry but also on the Registrar. 
> Within the thin WHOIS model, this burden does not apply.
>
> The Dutch Government introduced an additional requirement in 2014 that 
> certain IT companies actually have to audit the American companies 
> they do business with.
> Currently, this does not apply for Dutch Registrars. But these things, 
> as we know, can change (laws change all the time). Though I think I 
> wouldn't mind a few trips to the USA to audit some Registries :)
>
> Best regards,
>
> Theo
>
> On 31-8-2016 17:37, Metalitz, Steven wrote:
>>
>> Thanks for providing this draft, Marc.  A couple of questions about 
>> it on a quick read:
>>
>> (1) The first two developments to which you cite are the invalidation 
>> of the US-EU Safe Harbor Program and the adoption of the EU-US 
>> Privacy Shield framework to replace it.  My impression is that US 
>> registries generally did not rely upon the Safe Harbor in processing 
>> thick Whois data (e.g., receiving Whois data containing personally 
>> identifiable information from European registrars and making it 
>> available through registry Whois), and so would not have been 
>> directly impacted by its invalidation.   Is my impression wrong? If I 
>> am correct then what is the relevance of either the Safe Harbor or 
>> the Privacy Shield in this context?
>>
>> (2) The last paragraph refers to data localization laws apart from EU 
>> privacy/data protection laws.  Can you be more specific?  I note that 
>> the Russian law was referenced in footnotes 2 and 10 of the legal 
>> review provided to the IRT in June 2015, are there other issues not 
>> covered by that analysis?
>>
>> (3) If the IRT were to send this letter, the GNSO council might well 
>> ask what (if anything) we are asking them to do. How would you respond?
>>
>> Steve Metalitz
>>
>> *Steven J. Metalitz* | *Partner, through his professional corporation*
>>
>> T: 202.355.7902 | met at msk.com
>>
>> *Mitchell Silberberg & Knupp* *LLP* | *www.msk.com*
>>
>> 1818 N Street NW, 8th Floor, Washington, DC 20036
>>
>> *From:* gnso-impl-thickwhois-rt-bounces at icann.org *On Behalf Of* 
>> Anderson, Marc
>> *Sent:* Friday, August 26, 2016 3:21 PM
>> *To:* gnso-impl-thickwhois-rt at icann.org
>> *Subject:* [Gnso-impl-thickwhois-rt] Draft Thick Whois memo to the GNSO
>>
>> Dear Colleagues,
>>
>> During the IRT meetings held at ICANN 56 Helsinki, Joe Waldron raised 
>> concerns with the changing landscape of Privacy Laws, in particular 
>> with regard to the EU.  He pointed out that recommendation #3 of the 
>> Thick Whois policy directs the IRT to notify the GNSO should privacy 
>> issues emerge that were not anticipated by the working group.  The 
>> IRT agreed that we have an obligation to notify the GNSO and asked 
>> Verisign to draft a proposed memo from the IRT to the GNSO.
>>
>> Please find attached that draft memo outlining the obligation and the 
>> reasons why we think it is necessary to provide that notification at 
>> this time.
>>
>> Thank you,
>>
>> Marc
>>
>> Verisign
>>
>> *Marc Anderson*
>> mcanderson at verisign.com
>>
>> m: 571.521.9943 t: 703.948.3404
>> 12061 Bluemont Way, Reston, VA 20190
>>
>> VerisignInc.com
>>
>
