[IAG-WHOIS conflicts] Agenda and Draft Redline and Notes

Stephanie Perrin stephanie.perrin at mail.utoronto.ca
Thu Mar 5 17:22:46 UTC 2015 

Once again, my apologies for missing the meeting.  I have listened to 
the recording, and I can see I missed an interesting meeting.
I would like to offer my views on why the procedure and the remedies 
discussed are off the mark.  I am not a lawyer, but I did spend ten 
years in the Canadian government working on the privacy standard which 
we attempted to take to ISO, and the law which passed parliament and is 
in force today (PIPEDA).  During that period (the 1990s) I did 
considerable research on how to legislate privacy for the private 
sector, particularly in a federal jurisdiction, and had the opportunity 
to hold workshops with data protection authorities to discuss powers and 
what provisions work better than others, to consult with the European 
Commission, and converse with privacy scholars.  It is this experience 
that I hope might make my remarks useful to the discussion.  I also 
served two years as the Director of Policy and Research in our federal 
DPA's office, and spoke many years ago on WHOIS issues on behalf of the 
office at the Vancouver meeting.   Still, remember that my remarks are 
those of a non-lawyer and therefore an amateur.

1.  On the issue of whether a data protection authority is 
legitimate....that is an excellent question.  Unfortunately for those 
wishing to harmonize, different jurisdictions may have authority...in 
the Canadian context, it is hard to predict whether or not a provincial 
data commissioner might think they have jurisdiction.  Where there is 
none, the federal commissioner assuredly would.  I have written a 
textbook on our law, but I would not be brave enough to offer a view on 
that, and I believe it is likely the matter would have to be settled in 
Court.  With respect, I doubt you will get an authoritative answer from 
our GAC representative, so I don't think that is a fruitful avenue to 
explore as I am sure this will be true for many countries.  I really 
don't think ICANN should put users in the postion of having to take 
matters to Court to prove a point, and I believe this is where that 
question would have to be resolved.

2.  In some countries matters relating to the domain industry might be 
covered under other laws than data protection law, a point that was made 
yesterday.  Many of those laws could not necessarily be interpreted 
reliably until they go to Court, so I believe you are in the same 
situation there.  The fact is, ICANN matters with respect to privacy and 
constitutional rights (against search and seizure) have essentially not 
been litigated.  Are you embarking on a policy route that will ensure 
the matters do get litigated?

3.  On the issue of enforcement powers....if I understand the argument 
here, some parties believe that if a DPA simply writes a letter 
indicating that in their opinion the requirements imposed by ICANN 
violate the DP law, this is not sufficient unless the official writing 
the letter has the power to enforce that opinion. Unfortunately, not all 
data protection commissioners have binding powers.  Many new laws are 
"light touch", where states have decided to see whether organizations 
will fall in line with the new laws in this relatively young area of 
law, before loading on criminal sanctions and powers to stop commercial 
activity.   Some DPAs are more like Ombudsmen than judges.  Some DPAs 
have the power to take a matter to the Court to request enforcement: 
this is the case in Canada with the national law.  You are therefore 
pushing end users who are aggrieved to take registrars to Court.  Volker 
Greimann made the point yesterday that if ICANN is going to put 
registrars in legal jeopardy in this way, they should cover the 
liability.  In my view, he is missing a whole area of financial risk 
that goes far beyond the Court costs.  IF end users crowd source class 
action or cases for higher courts to settle this matter and stop what 
they might regard (rightly or wrongly, it does not matter) as 
surveillance, it will certainly be the registrars who pay...not just in 
legal costs and potential damages, but in loss of customer trust and 
damage to their brands.  If I were a registrar, I would find this 
totally and utterly unacceptable.

4.  Just to be clear, on the matter of whether a letter from a DPA 
without enforcement powers is enough.....an end user/registrant who 
received such an opinion would be well armed to take a civil action 
against the registrar in question, at least in my jurisdiction. Tort law 
increasingly is being used in privacy invasion cases. This would 
probably be cheaper and easier than fighting it through the higher 
courts. Damages are often higher too.

5.  I don't actually understand, given what I know about how data 
protection law works, how this procedure could have been accepted in the 
first place.  I would suggest that before ICANN attempts to fix the 
procedure, they need to consult broadly with data protection 
authorities.  The Article 29 group sent a letter giving an authoritative 
opinion for Europe.  Many of the DPAs who form that group are legally 
constrained from offering such an opinion precisely because they have 
binding powers.....so you have put registrars in a catch-22.  ICANN will 
not accept a letter from a group that is mandated by the Directive that 
sets the standard for data protection law in Europe, because they are 
not actually the body that enforces law, and demands instead that 
authorities who have enforcement powers send them a letter.   DPAs with 
enforcement powers are likely to be constrained from offering an 
opinion, precisely because they have binding powers and the status of a 
judge.  These are matters well understood in the data protection 
authority community, why don't you talk to them?  A cynic might be 
forgiven for suspecting that this Catch 22 was engineered precisely to 
prevent registrars from abiding by data protection/constitutional 
requirements, precisely because those who are familiar with DP law 
easily can spot that Catch 22.   I fear that the letter the registrars 
are going to get is a summons to Court...but as I said before, I am not 
a lawyer and I do not pretend to understand European law.

I doubt that this is helpful, but I did want to get it on the record.  
IF you do ask for public comments on this procedure, you may get more 
informed opinion.  iF you don't, please don't assume that the matter 
ends there.   Privacy advocates do not have this matter on their radar 
at the moment, but post-Snowden irritation with business cooperating 
under the table with law enforcement is at a very high level.  I would 
suggest that you do not want 500 comments from irate global experts; it 
may put registrars in more jeopardy.

I will turn my attention now to providing comments on the draft text.  
Once again, my apologies for missing this important discussion.
Kind regards,
Stephanie Perrin
NCSG
On 2015-03-03 14:44, Maria Otanes wrote:
> Hello all,
>
> Attached, please find the Agenda for tomorrow's call and Draft Redline 
> and Notes based on the last meeting.
>
> I'm updating the calendar invite with the Adobe Connect link for the 
> call, but you may also find the information at the bottom of this 
> email. The call is scheduled for tomorrow, March 4th, at 13:00-14:30 UTC.
>
> If you have any questions, please let me know.
>
> Kind regards,
> Ria
>
> Link to Adobe Connect: https://icann.adobeconnect.com/iag-whois/
>
> ***Upon logging into Adobe Connect, a pop up window will provide you 
> the option to dial out to your phone. Enter your phone number, + 
> country, phone number***
>
> If you are unable to log into Adobe Connect and can only join via 
> phone or Skype: [Select *6 to mute and unmute on the call]
>
> International Dial In Numbers: 
> https://www.myrcplus.com/cnums.asp?bwebid=8369444&ppc=3515982074&num=1-719-867-1571
>
> Participant Passcode: 351 598 2074
>
> US Mobile Phone Direct Link: tel://1-719-867-1571,*,,3515982074#
>
>
>
> _______________________________________________
> Whois-iag-volunteers mailing list
> Whois-iag-volunteers at icann.org
> https://mm.icann.org/mailman/listinfo/whois-iag-volunteers

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mm.icann.org/pipermail/whois-iag-volunteers/attachments/20150305/a572d18d/attachment.html>

More information about the Whois-iag-volunteers mailing list