<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
But Peter, <br>
Isn't the question of laws the very essence of what the GAC should
be advising ICANN on? The Affirmation of Commitments sets out a
very clear guideline: and requires our (WRT) evaluation "subject to
Applicable Laws." It is a key important definitional question; it is
a key important legal one. We have addressed the first, but not the
second in detail.<br>
<br>
It is key that the ICANN community grow to understand the key laws
that fit under Applicable Law. It's not just a "we've been contacted
by law enforcement and need to change our Whois policy" (the
"after-the-fact" discussion which is what the narrow current
procedure requires) -- but a proactive, upfront approach that allows
registrars and registries to operate within the bounds of their laws
from the start and seems entirely consistent with the wording of the
Affirmation of Commitments. <br>
<br>
If GAC can't provide guidance on these key legal issues, who can? <br>
<br>
Best,<br>
Kathy<br>
<span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><br>
<br>
Peter wrote:<br>
&lt;&lt;However, I don’t see a compelling case for us to catalogue
all potential applicable privacy or data protection laws as a way
to take this forward. In practice, I think this would
be very difficult, and arguably of limited use. Even if every GAC
member provided details of every potentially applicable law, this
would not cover every country, and would only cover contributing
countries at a set point in time. Further, what would we do with
this data? How would we reconcile the inevitable differences?<o:p></o:p></span>
<blockquote
cite="mid:636771A7F4383E408C57A0240B5F8D4A305FC62512@EMB01.dept.gov.au"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Arguably,
any conflict with national law (whether it relates to
‘sensitive’ information, or other personal information) is
intended to be addressed by ICANN’s consensus procedure. The
consensus procedure was developed by the ICANN community to deal
with specific conflicts with national law. Whether and how it has been
used may therefore provide us some guidance about any actual
conflicts and how they’ve been handled. I see that Denise
has undertaken to get back to us shortly with an answer to
this - thanks Denise! The answer to this may
provide useful insights into whether that particular
procedure is effective or needs modification
to deal with specific legal situations, and it could also
clarify the potential extent of existing legal conflicts. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">For
the procedure to be effective, there is no need to catalogue
applicable laws in advance. Personally, I can’t see any way to
replace this (or a similar) case-by-case procedure with a more
prescriptive universal mechanism based on a survey of applicable
laws, nor any way to anticipate all potential legal conflicts
in advance. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">There
is then the additional question of whether
we’re only interested in situations where there is a
conflict with a national law? If so, then we
need to consider whether there need to be any additional
protections beyond the existing procedure. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">On
balance, my position is that we should consider
some way to acknowledge the privacy concerns
of individuals, including
those that may not be addressed by ICANN’s existing
consensus procedures and policies. The problem is how to do
this without facilitating the unregulated and widely abused
privacy/proxy situation that we now have. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">This
is what I tried to address in the draft gaps chapter. The
proposed recommendations at the end of that chapter are
intended to provide a framework for a balanced, open and
accountable privacy regime, while acknowledging that much of
the detail (such as what data could be ‘protected’ or
‘limited’, and standardised processes for release of that
data when needed) would rightly be developed through
existing ICANN community (and cross community) processes.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">I
look forward to further discussion on this as we move
forward.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Cheers,<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Peter<o:p></o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US"> <a class="moz-txt-link-abbreviated" href="mailto:rt4-whois-bounces@icann.org">rt4-whois-bounces@icann.org</a>
[<a class="moz-txt-link-freetext" href="mailto:rt4-whois-bounces@icann.org">mailto:rt4-whois-bounces@icann.org</a>] <b>On Behalf Of </b>Kathy
Kleiman<br>
<b>Sent:</b> Wednesday, 17 August 2011 2:30 PM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:rt4-whois@icann.org">rt4-whois@icann.org</a>;
<a class="moz-txt-link-abbreviated" href="mailto:lynn@goodsecurityconsulting.com">lynn@goodsecurityconsulting.com</a><br>
<b>Subject:</b> Re: [Rt4-whois] Applicable laws<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal">Dear Lynn and All,<br>
I wanted to say how much I appreciate Lynn posting the key
regional data protection frameworks to the group. I think they
are very important, and she and I have discussed the need for
us to look at them more closely in relation to the Whois data.
I hope we can do this soon! <br>
<br>
Regarding sensitive vs private data, I wanted to add my views
as an attorney who specializes in the area of data protection
and privacy since starting my telecommunications practice in
1993. While sensitive data may focus on the areas of
financial, birth, religion, health, and let's add political
affiliation and sexual orientation, that's not where the story
ends.<br>
<br>
Data protection and privacy laws certainly consider home
address, home phone number, and now cell phone data as
"private" or "personal data." Certainly telecommunications
laws in the US, as one example, regularly protect the right of
a person to "opt-out" of sharing their home address or home
phone number in a public directory as a matter of personal
privacy. In fact, opt-out in directories was chosen by a
majority of Californians when last I researched it (and the
state protects privacy as part of its state constitution)
because home addresses and home phone numbers are considered
very personal information, and worthy of protection. <br>
<br>
These are the very elements that have been such an issue of
controversy within the ICANN arena. Over the last decade, as
part of the history of Whois within ICANN, at least four Data
Protection Commissioners and their senior staffs have warned
ICANN about the problems of this data, and its data protection
implications. They are very concerned with the elements now
collected and published in the Whois. I will gather their
letters to ICANN and share them, as well as notes of the
speeches they have given. I would like to request that we ask
ICANN Staff to work with us on this important matter as well.
<br>
<br>
Ultimately, I do not think this is a matter for us to decide
on (which may relieve everyone greatly). As many of you know,
I have been thinking about this issue a great deal. I will be
submitting a recommendation to our Team asking that GAC
provide ICANN with clear information about relevant applicable
laws, including data protection laws, and their guidance,
based on these laws, as to the elements of the Whois now
published. I'll distribute this before our meeting tomorrow.<br>
<br>
All the best,<br>
Kathy<br>
<br>
<o:p></o:p></p>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Verdana","sans-serif"">Since
data privacy is an area of specialization for me, I would like to
offer a couple of comments on the dialogue about privacy laws.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Verdana","sans-serif"">Although
WHOIS data contains personal data, it does not have any
data elements that are considered to be "sensitive" in nature.
The focus and priority of data protection authorities throughout
the world is on protection of sensitive data such as financial
account details, date of birth, religious affiliations, medical
conditions, etc.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Verdana","sans-serif"">For
global, multi-national organizations who need to develop
and maintain policies regarding the collection and use of
personal data, there are multi-lateral privacy frameworks
and principles that have been accepted and are well
established including:<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Verdana","sans-serif"">1)
OECD Guidelines on the Protection of Privacy and
Transborder Flows<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Verdana","sans-serif"">2)
UN Guidelines Concerning Computerized Personal Data Files<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Verdana","sans-serif"">3)
EU Directive 95/46/EC on the Protection of Individuals
with Regard to the Processing of Personal Data and on the
Free Movement of Such Data<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Verdana","sans-serif"">4)
APEC Privacy Framework<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Verdana","sans-serif"">Since
ICANN is headquartered in the State of California and the
United States, I would note that California has an Office
of Privacy Protection. At the national level, the U.S.
Federal Trade Commission has been accepted as the
equivalent of a Data Protection Authority.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Verdana","sans-serif"">Hope
these brief comments are helpful.<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span
style="font-size:10.0pt;font-family:"Verdana","sans-serif"">Lynn<o:p></o:p></span></p>
</div>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Rt4-whois mailing list<o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="mailto:Rt4-whois@icann.org">Rt4-whois@icann.org</a><o:p></o:p></pre>
<pre><a moz-do-not-send="true" href="https://mm.icann.org/mailman/listinfo/rt4-whois">https://mm.icann.org/mailman/listinfo/rt4-whois</a><o:p></o:p></pre>
</div>
</blockquote>
</body>
</html>