[IAG-WHOIS conflicts] Agenda and Draft Redline and Notes
Stephanie Perrin
stephanie.perrin at mail.utoronto.ca
Thu Mar 5 17:22:46 UTC 2015
Once again, my apologies for missing the meeting. I have listened to
the recording, and I can see I missed an interesting meeting.
I would like to offer my views on why the procedure and the remedies
discussed are off the mark. I am not a lawyer, but I did spend ten
years in the Canadian government working on the privacy standard which
we attempted to take to ISO, and the law which passed parliament and is
in force today (PIPEDA). During that period (the 1990s) I did
considerable research on how to legislate privacy for the private
sector, particularly in a federal jurisdiction, and had the opportunity
to hold workshops with data protection authorities to discuss powers and
what provisions work better than others, to consult with the European
Commission, and converse with privacy scholars. It is this experience
that I hope might make my remarks useful to the discussion. I also
served two years as the Director of Policy and Research in our federal
DPA's office, and spoke many years ago on WHOIS issues on behalf of the
office at the Vancouver meeting. Still, remember that my remarks are
those of a non-lawyer and therefore an amateur.
1. On the issue of whether a data protection authority is
legitimate....that is an excellent question. Unfortunately for those
wishing to harmonize, different jurisdictions may have authority...in
the Canadian context, it is hard to predict whether or not a provincial
data commissioner might think they have jurisdiction. Where there is
none, the federal commissioner assuredly would. I have written a
textbook on our law, but I would not be brave enough to offer a view on
that, and I believe it is likely the matter would have to be settled in
Court. With respect, I doubt you will get an authoritative answer from
our GAC representative, so I don't think that is a fruitful avenue to
explore as I am sure this will be true for many countries. I really
don't think ICANN should put users in the position of having to take
matters to Court to prove a point, and I believe this is where that
question would have to be resolved.
2. In some countries matters relating to the domain industry might be
covered under other laws than data protection law, a point that was made
yesterday. Many of those laws could not necessarily be interpreted
reliably until they go to Court, so I believe you are in the same
situation there. The fact is, ICANN matters with respect to privacy and
constitutional rights (against search and seizure) have essentially not
been litigated. Are you embarking on a policy route that will ensure
the matters do get litigated?
3. On the issue of enforcement powers....if I understand the argument
here, some parties believe that if a DPA simply writes a letter
indicating that in their opinion the requirements imposed by ICANN
violate the DP law, this is not sufficient unless the official writing
the letter has the power to enforce that opinion. Unfortunately, not all
data protection commissioners have binding powers. Many new laws are
"light touch", where states have decided to see whether organizations
will fall in line with the new laws in this relatively young area of
law, before loading on criminal sanctions and powers to stop commercial
activity. Some DPAs are more like Ombudsmen than judges. Some DPAs
have the power to take a matter to the Court to request enforcement:
this is the case in Canada with the national law. You are therefore
pushing end users who are aggrieved to take registrars to Court. Volker
Greimann made the point yesterday that if ICANN is going to put
registrars in legal jeopardy in this way, they should cover the
liability. In my view, he is missing a whole area of financial risk
that goes far beyond the Court costs. If end users crowd source class
action or cases for higher courts to settle this matter and stop what
they might regard (rightly or wrongly, it does not matter) as
surveillance, it will certainly be the registrars who pay...not just in
legal costs and potential damages, but in loss of customer trust and
damage to their brands. If I were a registrar, I would find this
totally and utterly unacceptable.
4. Just to be clear, on the matter of whether a letter from a DPA
without enforcement powers is enough.....an end user/registrant who
received such an opinion would be well armed to take a civil action
against the registrar in question, at least in my jurisdiction. Tort law
increasingly is being used in privacy invasion cases. This would
probably be cheaper and easier than fighting it through the higher
courts. Damages are often higher too.
5. I don't actually understand, given what I know about how data
protection law works, how this procedure could have been accepted in the
first place. I would suggest that before ICANN attempts to fix the
procedure, they need to consult broadly with data protection
authorities. The Article 29 group sent a letter giving an authoritative
opinion for Europe. Many of the DPAs who form that group are legally
constrained from offering such an opinion precisely because they have
binding powers.....so you have put registrars in a catch-22. ICANN will
not accept a letter from a group that is mandated by the Directive that
sets the standard for data protection law in Europe, because they are
not actually the body that enforces law, and demands instead that
authorities who have enforcement powers send them a letter. DPAs with
enforcement powers are likely to be constrained from offering an
opinion, precisely because they have binding powers and the status of a
judge. These are matters well understood in the data protection
authority community, why don't you talk to them? A cynic might be
forgiven for suspecting that this Catch 22 was engineered precisely to
prevent registrars from abiding by data protection/constitutional
requirements, precisely because those who are familiar with DP law
easily can spot that Catch 22. I fear that the letter the registrars
are going to get is a summons to Court...but as I said before, I am not
a lawyer and I do not pretend to understand European law.
I doubt that this is helpful, but I did want to get it on the record.
If you do ask for public comments on this procedure, you may get more
informed opinion. If you don't, please don't assume that the matter
ends there. Privacy advocates do not have this matter on their radar
at the moment, but post-Snowden irritation with business cooperating
under the table with law enforcement is at a very high level. I would
suggest that you do not want 500 comments from irate global experts; it
may put registrars in more jeopardy.
I will turn my attention now to providing comments on the draft text.
Once again, my apologies for missing this important discussion.
Kind regards,
Stephanie Perrin
NCSG
On 2015-03-03 14:44, Maria Otanes wrote:
> Hello all,
>
> Attached, please find the Agenda for tomorrow's call and Draft Redline
> and Notes based on the last meeting.
>
> I'm updating the calendar invite with the Adobe Connect link for the
> call, but you may also find the information at the bottom of this
> email. The call is scheduled for tomorrow, March 4th, at 13:00-14:30 UTC.
>
> If you have any questions, please let me know.
>
> Kind regards,
> Ria
>
> Link to Adobe Connect: https://icann.adobeconnect.com/iag-whois/
>
> ***Upon logging into Adobe Connect, a pop up window will provide you
> the option to dial out to your phone. Enter your phone number, +
> country, phone number***
>
> If you are unable to log into Adobe Connect and can only join via
> phone or Skype: [Select *6 to mute and unmute on the call]
>
> International Dial In Numbers:
> https://www.myrcplus.com/cnums.asp?bwebid=8369444&ppc=3515982074&num=1-719-867-1571
>
> Participant Passcode: 351 598 2074
>
> US Mobile Phone Direct Link: tel://1-719-867-1571,*,,3515982074#
>
>
>
> _______________________________________________
> Whois-iag-volunteers mailing list
> Whois-iag-volunteers at icann.org
> https://mm.icann.org/mailman/listinfo/whois-iag-volunteers