[IAG-WHOIS conflicts] Follow up from IAG call
Raymond HO
arbitrator at raymondho.com
Thu Apr 30 00:39:44 UTC 2015
Once again thanks a lot, Christopher, for sharing with us your view.
By publication of the ICANN WHOIS data (the registrant’s name, email and fax contacts) in the public domain and the prevention of any unauthorised use by 3rd party, you might wish to consider
Article 17 of the EU Directive:
“Security of processing
1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.
3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
- the processor shall act only on instructions from the controller,
- the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.
4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.”
It follows that the condition of “proportionality” might come into play.
Kind regards,
Raymond
From: Christopher Wilkinson
Sent: Wednesday, April 29, 2015 11:13 PM
To: RaymondHO
Cc: James Gannon ; whois-iag-volunteers at icann.org
Subject: Re: [IAG-WHOIS conflicts] Follow up from IAG call
Dear Raymond:
My understanding is that the 'processing of the data for the performance of the contract" etc. is not the issue.
The issue is the publication of the data (and its unauthorised re-use by third parities.)
Regards
CW
PS: I have said at the outset of this exercise that the appropriate forum is between ICANN and the EU data protection and privacy authorities.
Although I was persuaded to join this group, I am still not sure that it is a competent forum to interpret national privacy laws as they apply to ICANN Whois.
On 29 Apr 2015, at 08:42, RaymondHO <arbitrator at raymondho.com> wrote:
Thanks, Christopher.
I note from your email below that you have quoted the example of the EU privacy law.
It seems to me that the IAG discussions so far have assumed a strict prohibition on the collection and use of personal data under certain local law and the oft-quoted example is the “EU Privacy Law”. However, with respect, a quick wiki search on “EU Privacy Law” will reveal that this is not the situation http://en.wikipedia.org/wiki/Data_Protection_Directive Under the Data Protection Directive in the EU, “Personal data should not be processed at all, except when certain conditions are met. These conditions fall into three categories: transparency, legitimate purpose, and proportionality.” It does not appear to be a complete prohibition on the collection and use of personal data in the EU. In particular, article 7 of the EU Directive provides
“Article 7
Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; or
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
(d) processing is necessary in order to protect the vital interests of the data subject; or
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1 (1).”
http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML
Perhaps, the ICANN Secretariat could provide to members of IAG a briefing on the EU Privacy law as an example.
My apologies that I shall not be able to attend the upcoming conference call but would request the example of the EU Privacy law be revisited.
Regards,
Raymond
_________________________________________________
RAYMOND HO FCIArb, LLM(Lond), MSocSc(HK), LLB(Hons)(HK)
Independent Arbitrator
Suite 21, Level 4, 401-3, Cyberport 1, 100 Cyberport Road, Hong Kong.
E: arbitrator at raymondho.com
From: Christopher Wilkinson
Sent: Sunday, April 19, 2015 1:18 AM
To: James Gannon
Cc: whois-iag-volunteers at icann.org
Subject: Re: [IAG-WHOIS conflicts] Follow up from IAG call
Good afternoon. Thankyou, James for your useful comments.
More generally, I am not very much taken with the idea that we should be editing the existing document, that is in principle unsustainable.
It is inappropriate to envisage a procedure whereby each and every Registrar in each and every EU Member State has to address this matter with ICANN, severally. No.
Allow me to refer, yet again, to the Articles of Incorporation of ICANN. Article 4:
4. The Corporation shall operate for the benefit of the Internet community as a whole, carrying out its activities in conformity with relevant principles of international law and applicable international conventions and local law …
The purpose of that text is to ensure that ICANN will respect, proactively, local law of which a current example is EU privacy law.
I hope that this is helpful
CW
PS: In the Wiki, what is the purpose of the "Resolve" button on the comments? First time I touched it, James' comment disappeared, which I am sure is not the intention!
On 18 Apr 2015, at 18:14, James Gannon <james at cyberinvasion.net> wrote:
Hi Maria,
Thanks for this, I was hoping that I would get to this sooner as I was the requestor I think! T
I have made a number of comments and would encourage other members of the IAG to have a look at them prior to our next call. I would love to get some feedback on my initial comments and some of the members with more legal experience than I might be able to flesh out some of my less informed comments.
James Gannon
From: Maria Otanes <maria.otanes at icann.org>
Date: Thursday 2 April 2015 15:42
To: "whois-iag-volunteers at icann.org" <whois-iag-volunteers at icann.org>
Subject: Re: [IAG-WHOIS conflicts] Follow up from IAG call
Hello all,
Following up on a request from yesterday’s call and Mary’s email below, we have created a Google docs workspace for the ICANN Procedure for Handling WHOIS Conflicts with Privacy Law. Everyone on this email distribution has access to the document and has the ability to suggest edits or provide comments. If you have any questions or run into any problems with the Google doc, please let us know. Thanks.
https://docs.google.com/document/d/18WWFEu2ud7Prd4g2LI2UM0a9zT-Q8v9lHtbLJ8rchvU/edit
Kind regards,
Maria
From: Mary Wong <mary.wong at icann.org>
Date: Wednesday, April 1, 2015 8:04 PM
To: "whois-iag-volunteers at icann.org" <whois-iag-volunteers at icann.org>
Subject: [IAG-WHOIS conflicts] Follow up from IAG call
Dear IAG members,
Thank you for a productive meeting earlier today. To follow up, these points that emerged from the discussion may be useful “action items” for the group to consider prior to the next call:
(1) On what would be adequate and practicable to satisfy the policy that a registry or registrar “credibly demonstrate” that it is legally prevented from complying with its contractual obligations regarding its collection, display or distribution of Whois data – in other words, what the appropriate “triggers” for invoking the procedure should be:
The IAG may find the report of public comments received to the proposal to review the procedure, as well as the actual public comments themselves, helpful in continuing its discussions on this issue. These documents can be found on the IAG wiki space as well as here: https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en. Your further deliberations will be critical to taking forward some of the suggestions outlined in the discussion paper that Jamie had circulated, to ensure that future discussions center on suggestions made by the community (as reflected in the public comments received) and the IAG.
(2) On whether, in addition to the procedure, the underlying policy itself needs to be reviewed (noting that the IAG’s mandate is limited to recommending such a review, if any, to the GNSO, as the IAG is not chartered as a policy making body):
The IAG may find it helpful to list and document those elements and/or steps in the current procedure that need to be changed, and do the same for the underlying policy. This exercise should be of assistance in both framing further discussions of the IAG beyond the triggers and on the various other aspects of the procedure, as well as identifying the specific rationale for, and elements that require reviewing, in the policy, if any. The procedure can be found here: https://www.icann.org/resources/pages/whois-privacy-conflicts-procedure-2008-01-17-en and the policy, as approved by the GNSO Council and subsequently by the ICANN Board, is contained in the GNSO Council’s resolution here: http://gnso.icann.org/en/council/resolutions#200511.
ICANN staff will look into creating a Google Docs workspace, as requested on the call, in the hopes of furthering the IAG’s deliberations on these and the other topics outlined in the mission and scope for the group.
Thanks and cheers
Mary
Mary Wong
Senior Policy Director
Internet Corporation for Assigned Names & Numbers (ICANN)
Telephone: +1 603 574 4892
Email: mary.wong at icann.org
_______________________________________________
Whois-iag-volunteers mailing list
Whois-iag-volunteers at icann.org
https://mm.icann.org/mailman/listinfo/whois-iag-volunteers
------------------------------------------------------------------------------
_______________________________________________
Whois-iag-volunteers mailing list
Whois-iag-volunteers at icann.org
https://mm.icann.org/mailman/listinfo/whois-iag-volunteers
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/whois-iag-volunteers/attachments/20150430/bc83a741/attachment-0001.html>
More information about the Whois-iag-volunteers
mailing list