[gnso-rds-pdp-wg] Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy Law

nathalie coupet nathaliecoupet at yahoo.com
Mon Jun 6 18:18:54 UTC 2016

Here is the Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy Law
Requirements from past accreditation agreements are unchanged:
Registrars must notify registrants:

[UP-D1-R01] 1) Of the purposes for the collection of any personal data

[UP-D1-R02] 2) The intended recipients of the data

[DE-D1-R01] 3) Which data are obligatory

[SM-D1-R01] 4) How to access and rectify any data

[OQ-D1-R01] 5) Data collection may only be conducted with the consent of the registrant.

These requirements are broadly consistent with data privacy and protection expectations and legal requirements in most jurisdictions, and they have underpinned the successful operation of the Internet’s shared registration system for at least the past 15 years.

During the negotiation of the 2013 RAA, some registrars expressed concerns that local or national data protection and other privacy laws might make it difficult for them to comply with the new requirements, while law enforcement and intellectual property owners advocated for retention of information in the Data Retention Specification. Accordingly, the 2013 RAA’s Data Retention Specification includes a provision concerning waivers to deal with cases where compliance with the data collection and/or retention requirements might be prohibited by applicable law. Indeed, ICANN contracted parties are obligated to abide by any applicable laws.

Comparison of available processes

| | Whois Procedure | RSEP | RAA Data Retention |
|---|---|---|---|
| How the procedure starts | Notify ICANN after receiving notice of investigation, litigation, regulatory proceeding or other civil action | Registry submits request to ICANN, which completes a preliminary determination | Based on a written opinion from a nationally recognized law firm, or ruling or written guidance from a government body, registrar may apply to ICANN for a waiver. Note: If ICANN has previously waived compliance with the requirements for a registrar located in the same jurisdiction and the applying registrar is subject to the same applicable law, the registrar may request the same waiver. |
| Consultation/negotiation process | Consult with ICANN and relevant national government | ICANN may approve the request, refer the matter to a Competition Authority, and/or refer the request to RSTEP for a security and stability review | ICANN will discuss the matter with registrar in good faith in an effort to reach a resolution. |
| Resolution | Board approves or rejects staff recommendation, seeks additional information, schedules public comment or refers to the GNSO for review and comment. | The request is approved or denied by ICANN; some requests have required Board review and approval. | Registrar works with ICANN to reach a solution and ICANN may issue a waiver or modify the requirements. |

*Data Retention Waiver:

1) Registrars must present ICANN with an opinion from a law firm or a ruling or guidance from a governmental body of competent jurisdiction that states that collecting or retaining one or more data elements in the manner required by the specification violates applicable law. A general assertion that the data collection and Data Retention Specification requirements are unlawful is not sufficient. Rather, the waiver request must specify the applicable law, the specific allegedly offending data collection and/or retention requirement(s), and the manner in which the collection and/or retention violates the law. This specificity helps ICANN to determine the appropriate limitations on the scope and duration of data collection and retention requirements when granting the waiver. This will also help ICANN balance the interests of the registrar, governments, and the broader Internet community when considering granting such waivers.

2) The 2013 RAA calls for ICANN and the registrar to discuss data retention waiver requests in good faith in an effort to reach a mutually acceptable resolution. The Data Retention Specification contemplates potential future modifications to the Whois Procedure in section 2: “Until such time as ICANN's Procedure for Handling Whois Conflicts with Privacy Law is modified to include conflicts relating to the requirements of this Specification and if ICANN agrees with Registrar’s determination, ICANN’s office of general counsel may temporarily or permanently suspend compliance and enforcement of the affected provisions of the Data Retention Specification and grant the waiver request. Prior to granting any exemption, ICANN will post its determination on its website for a period of thirty (30) calendar days.” ICANN contemplates that waivers should be tailored to limit the scope and/or duration of data collection and retention as necessary to comply with local law, but will not completely eliminate all requirements for data collection and retention.

Because each country may interpret its data privacy requirements differently, ICANN is working through each of the submitted requests to change Whois data retention requirements, country-by-country. The complexity and diversity of national privacy laws has resulted in considerable investments of time and resources by ICANN and registrars alike. In countries with data privacy laws applicable to registrars, ICANN has found that restrictions generally permit the retention of registration data, but only for legitimate purposes, and for a period no longer than is necessary for the purposes for which the data were collected or for which they are further processed. What constitutes a legitimate purpose and how long data can be retained are complicated questions, and the answers may vary from one country to the next, even within the EU. All EU member states are subject to the same data privacy directive, but individual member state’s legislation implementing the data privacy directive may differ in significant respects.7

In all, 15 requests to waive the Data Retention Specification in the 2013 RAA have been submitted by registrars, all from within the European Union.

For example, on 24 January 2014 ICANN posted the first “Notice of Preliminary Determination to Grant Registrar Data Retention Waiver Request” to Registrar OVH SAS in France. The waiver, which was approved 12 March 2014, permits OVH SAS to maintain certain information specified in part of the Data Retention Specification for the duration of its sponsorship of each registration and for a period of 1 additional year thereafter, rather than 2 years thereafter. The data that ICANN requires to be retained for 180 days would continue to be retained for that 180 day period. ICANN and its outside counsel have been engaged in talks with several other registrars about their waiver requests. On 21 March 2014, ICANN posted another “Notice of Preliminary Determination to Grant Registrar Data Retention Waiver Request” for NAMEWEB BVBA, based in Belgium. The waiver would grant NAMEWEB BVBA the same exemption as OVH SAS.

On 7 May 2014, a “Notice of Potential Grant of Registrar Data Retention Waiver Request,” was posted for registrar Blacknight Internet Solutions Ltd., which is based in Ireland. In this instance, the waiver would change the 2-year retention requirement to 1 year, and the 180 days to 90 days.

The EU’s Article 29 Working Party has also written to ICANN to express its concerns about the legality of the requirements of the 2013 RAA within the EU. ICANN has also received correspondence from the European Data Protection Supervisor urging ICANN to waive the retention period under the 2013 RAA Data Retention Specification to all registrars operating in EU member states.


 Nathalie Coupet 