[gnso-rds-pdp-wg] Article 29 WP on ICANN Procedure for Handling WHOIS Conflicts with Privacy Law (2007)
Vayra, Fabricio (Perkins Coie)
FVayra at perkinscoie.com
Mon Jun 6 18:05:30 UTC 2016
I reviewed the document at https://www.icann.org/en/correspondence/schaar-to-cerf-12mar07.pdf (and related correspondence with ICANN).
The document is meant to address ICANN's procedure for handling WHOIS Conflicts with Privacy, and although it touches on that issue (by making the declaratory statement that there's a conflict in fact), it's light on substance from which one could draw out possible requirements on the issue. However, the document does go into some detail about Purpose, Data Accuracy, Data Elements, and Privacy (see related quotes below under closest associated charter question for each).
In sum, from this document we could draw out the following possible requirements:
1. Need for a well-defined purpose for processing/use of data;
2. Domain name Point of Contact needs to be in a position to face the legal and technical responsibilities of domain operation;
3. Bulk access to WHOIS data for direct marketing should be limited;
4. WHOIS data should be accurate;
5. There should be a differentiation for data collection/use between legal and natural persons; and
6. When considering privacy (e.g., publication of data), there should be a consideration as to whether the registrant is a private domain holder that uses domains solely in a non-commercial context, and if so, the data should only be published with explicit, freely given consent.
Charter questions and relevant/associated quotes from https://www.icann.org/en/correspondence/schaar-to-cerf-12mar07.pdf:
*Users/Purposes: Who should have access to gTLD registration data and why?
1. Purpose definition is a central element in determining whether a specific processing or use of personal data is in accordance with EU data protection legislation.
2. Article 29 WP acknowledges the legitimacy of the purpose of the making available of some personal data through the WHOIS services ...[t]his publicity is necessary in order to put the person running a Website in a position to face the legal and technical responsibilities which are inherent to the running of such a site.
3. Support for earlier proposals concerning ... limitation of bulk access for direct marketing issues.
*Data Accuracy: What steps should be taken to improve data accuracy?
1. Support for earlier proposals concerning accuracy of the data (which is also one of the principles of the Data Protection Directive) published in WHOIS directories ...
*Data Elements: What data should be collected, stored, and disclosed?
1. Article 29 WP emphasizes once more the need to differentiate between legal and natural persons registering domain names.
*Privacy: What steps are needed to protect data and privacy?
1. The Article 29 WP's primary concern relates to private domain holders that use domains solely in a non-commercial context.
2. The Article 29 WP therefore recommends to modify the proposal in such a way that at least for private domain holders that use domains solely in a non-commercial context the name of the domain holder should only be published in the WHOIS service with the explicit, freely given consent of the data subject.
3. The Article 29 WP sees, in the current situation, actual conflicts between current WHOIS practice and EU data protection and privacy laws, not just potential conflicts as the title of the proposed procedure on ICANN's website states.
4. As a matter of fact, registrars operating in EU member states under the current ICANN registrar accreditation agreement face a generally present and unresolved conflict between EU data protection legislation and several international rules on the one hand, and current WHOIS practice on the other hand.
Please let me know if there are any questions.
700 Thirteenth Street, N.W. Suite 600
Washington, DC 20005-3960
E. FVayra at perkinscoie.com