[council] Fwd: Thick WHOIS Legal Review Memorandum

Drazek, Keith kdrazek at verisign.com
Mon Feb 6 14:46:28 UTC 2017

Thanks to Erika for taking the lead on this. I think it looks very good.

The updated review will help us determine if further policy work is needed and also help to inform the RDS PDP WG.



From: council-bounces at gnso.icann.org [mailto:council-bounces at gnso.icann.org] On Behalf Of Erika Mann
Sent: Thursday, February 02, 2017 10:45 PM
To: jbladel at godaddy.com
Cc: GNSO Council List (council at gnso.icann.org)
Subject: [EXTERNAL] [council] Fwd: Thick WHOIS Legal Review Memorandum

Dear James, dear GNSO colleagues -

Below is a draft approach to request a legal update from ICANN concerning the existing legal review memorandum which was submitted to the Thick WHOIS IRT on 8 June 2015. We discussed this at our last call. I hope you may find the draft request below helpful.

The first part (1) covers the reasoning, and the second part (2) highlights the relevant parts for this debate from the original 2015 legal memo.


1) Draft text for request

The GNSO requests from ICANN Legal an updated review of the existing legal review memorandum which was submitted to the Thick WHOIS IRT on 8 June 2015.

We recommend coordinating with appropriate subject matter experts and outside counsel to ensure the GNSO Council receives updated, fact-based and independent advice, as was done with the existing legal review memorandum from 2015.

We would like to see a full review of applicable law(s) and a list of recommendations as to what extent the GNSO should consider changing existing policies.

FOR EXAMPLE: Since June 2015 the legal data privacy/protection/retention landscape has changed drastically in many countries, in particular in the European Union. It is therefore key to understand how these changes might impact ICANN registries, registrars, users and contractual arrangements in general.

Certain national laws have additional extraterritorial implications. These impacts were not captured in the 2015 legal review memorandum.

Why is such a review needed? Good examples are the changes that were introduced in the European Union and between the EU and the US since June 2015.

The 'General Data Protection Regulation' in the European Union came into force in May 2016 and will apply across Europe in May 2018. The core element of the data protection reform is a general data protection regulation that will replace and equalise existing data protection laws across the European Union countries. This new regulation updates and modernises the principles of the 1995 Data Protection Directive that the existing ICANN legal review memorandum from 2015 covers. It sets out the rights of the individual and establishes the obligations of those processing and those responsible for the processing of the data. It also establishes the methods for ensuring compliance as well as the scope of sanctions for those in breach of the rules. In addition, certain aspects of this law will be interpreted by the European Data Protection Board (EDPB) in the near future. Law enforcement related aspects of this law are regulated in a separate legal framework.

The GDPR is unique insofar as it is a law with far-reaching extraterritorial implications; this aspect is not captured in ICANN's 2015 legal memo either.

Since 2015 the requirements for the transfer of personal data from the EU to the US have changed as well. In 2015 the Safe Harbor Agreement (SHA) was in place; in 2016 a new Privacy Shield Agreement came into force, replacing the SHA and implementing new adequacy requirements for the transfer of data between the EU and the US. ICANN's legal memo from 2015 does not cover these developments.

In addition, we may see new legal challenges arising that might question the SHA because of President Donald Trump’s Executive Order on domestic safety, released on January 26th, 2017. "Agencies shall, to the extent consistent with applicable law, ensure that their privacy policies exclude persons who are not United States citizens or lawful permanent residents from the protections of the Privacy Act regarding personally identifiable information."

2) Key excerpts from the existing legal review memorandum which was submitted to the Thick WHOIS IRT on 8 June 2015

To the extent that a contracted party finds that it is unable to
comply with the Thick Whois policy requirements due to a conflict with
its obligations under local privacy laws, such conflicts may be dealt
with by exception through use of the Whois Conflicts Procedure, or
requests to ICANN for an amendment to or waiver of certain provisions
in the Registry Agreement or Registrar Accreditation Agreement. (page

As further detailed below, to address the concerns previously
highlighted in the EWG Memo, this memorandum provides practical
recommendations about the move to Thick Whois and also notes that
ICANN’s Procedure for Handling WHOIS Conflicts with Privacy Law is
available to contracted parties to address specific cases where Thick
Whois requirements may be inconsistent with the parties’ obligations
under local privacy laws. (page 2)

Additionally, contracted parties may consider requesting amendments
to or waivers from specific Thick Whois requirements in agreements
with ICANN that may be inconsistent with contracted parties'
obligations under local privacy laws. (page 2)

The present analysis is neither a detailed nor complete analysis of
data protection laws within any particular jurisdiction. Instead,
ICANN performed a general survey of EU data protection laws as the
Data Protection Directive 95/46/EC embodies international principles
which serve as a basis for many data protection laws around the world.
(page 3)

As an example of the latter, see Russia’s Federal Law 242-FZ
(“Localization Law”) which requires compliance by 1 September 2015,
but is still the subject of significant uncertainty as to its scope,
applicability and requirements. (page 4)

It is true that in some countries there are some important and
legitimate questions relating to data protection obligations under
local law that must be addressed as implementation of Thick Whois
across all gTLDs is considered. (page 5)

ICANN recognizes that two of those principles trigger particular
attention in relation to the transition to Thick Whois: the need for
registrars in some countries to establish a 'lawful basis' (i) for the
disclosure of registrants' personal data to the relevant registry and
(ii) for the transfer of such data to another country (in this case,
the U.S., where all three relevant registries are located). “Transfer”
generally covers any sharing, transmission or disclosure of, providing
access to, or otherwise making available, personal information to
third parties. The EU Data Protection Directive (95/46/EC) (“EU
Directive”), for example, requires that personal information may only
be transferred to third countries outside the European Economic Area
(EEA) if the receiving countries provide an “adequate” level of
protection, as determined by the European Commission or the transfer
satisfies one of the exceptions permitted by the EU Directive. One of
the two most viable “exceptions” to permit lawful transfer is the
consent of the data subjects. However, utilizing this “exception” does
entail some challenge that the registrar and registry must ensure are
addressed. (page 6/7)

Consent in some form and degree is of significant importance across
most jurisdictions as it relates to implementation of thick Whois. For
example, consent is one way in which organisations can meet one of the
‘conditions’ for processing of personal data throughout the EEA. It
also serves to justify transfers outside the EEA - the EU Directive
clearly specifies consent as a lawful ground for these purposes. In
Russia, transfer is permitted provided that (1) consent of the data
subject is properly obtained and (2) the transfer is as legally
prescribed. If proper consent is obtained, such data may be
collected, stored, published and/or transferred in the manner
consistent with the specific consent provided. Other data protection
requirements will still need to be met– for example, proportionality,
data quality and security considerations still apply even where
consent has been obtained. (page 7)

However, in certain jurisdictions there exists the right to revoke
consent. In such instance, the registry or registrar must determine
the effect on the registration and the corresponding registration
data. The EU Directive does not contain any procedural guidance around
withdrawal of consent (e.g. time periods for acting on this). The
Article 29 Working Party requires that consent should be possible to
be withdrawn at any time with effect for the future. It regards
consent to be deficient if no effective withdrawal is provided. The
Article 29 Working Party itself has made clear that withdrawal of
consent is not retroactive. Accordingly, if a registrant withdrew
consent, this would not affect the lawfulness of data which had
already been transferred from an EU registrar to a relevant registry.
(page 8)

Apart from the possibility to revoke consent, there may also be doubts
as to whether the consent of registrants granted as a condition for
the transfer of the registrant data to the registry under the thick
Whois should be regarded as “freely given,” in particular if all
registrars "require" registrants to grant consent in a similar form.
However, ICANN notes that this concern can actually be addressed via
the provision of privacy/proxy services by the relevant registrars, as
these do provide effective choice to the registrant. (page 8)

In any case and especially for the application of the thick Whois in
the EU, ICANN considers it is important that the data processing under
thick Whois and the transition thereto can also be based upon the
legitimate interests of a party (including ICANN, registries, and
registrants). Legitimate interests can be an alternative basis for EU
registrars to justify processing of personal data, as long as the
processing is not unwarranted because of the (privacy) interests of
the individuals whose data is processed. Acknowledged legitimate
interests include increased security, stability and resiliency in the
Internet. However, from an EU perspective, if the data processing
under thick Whois is based upon legitimate interests, instruments to
provide for an adequate level of data protection on part of the data
recipient located outside of the EEA will also become relevant (e.g.,
Standard Contract Clauses, Safe Harbor, approval from the relevant
data protection authorities, etc.). This is because while sharing of
data within the EEA may be justified on this basis, there are
additional restrictions on transfers of data outside the EEA. Those
instruments contain restrictions on onward transfers (to be imposed on
third parties wishing to look up EU Whois data) and contracted parties
will need to assess whether and in which form it is practically
feasible to implement those restrictions; these restrictions are
likely to mean that consent is the most suitable approach,
notwithstanding the difficulties outlined above. Furthermore, in
addition to consent, (i) privacy/proxy services, and perhaps (ii)
thick Whois services where the data stays in the region subject to
restrictions to avoid data transfer limitations remain as options
available to address transfer of the data. (page 9)

The Whois Conflicts Procedure is the implementation of GNSO consensus
policy adopted “in order to facilitate reconciliation of any conflicts
between local/national mandatory privacy laws or regulations and
applicable provisions of the ICANN contract regarding the collection,
display and distribution of personal data via the gTLD Whois service.”
The Whois Conflicts Procedure is designed to ensure regulatory
obstacles on the collection, processing, transfer and display of gTLD
registration data can be dealt with by exception in instances where a
registry or registrar can demonstrate that it is legally prevented by
local/national data protection laws or regulations from fully
complying with applicable provisions of its contract. ICANN has
commenced a review of the Whois Conflicts Procedure to determine
whether modifications to that procedure might be considered. (page 10)

The most common complaint of ICANN contracted parties is that the
Whois Conflicts Procedure requires “notification of an investigation,
litigation, regulatory proceeding or other government or civil action
. . .” as its trigger.
To the extent any proposed changes to implementation of the Whois
Conflicts Procedure are recommended, they would be presented to the
GNSO Council, which would determine next steps. (page 10/11)

In other cases, ICANN has granted limited waivers from compliance with
specific terms and conditions in the 2013 Registrar Accreditation
Agreement regarding data retention requirements in cases where
registrars request such change because they believe the requirements
violate their countries’ data retention laws. (page 12)

Additionally, contracted parties may wish to consider requesting
amendments to or waivers from specific contractual requirements in
connection with the transition from a thin to a thick Whois model to
the extent the contracted parties’ obligations conflict with its local
laws. Historically, ICANN has granted amendments to specific Whois
provisions in the Registry Agreement when requested by registry
operators with support of relevant Data Protection Authorities to
comply with local privacy laws. (page 11)

Where a conflict is proven to exist by a registrar or registry by way
of the Whois Conflicts Procedure, or an amendment or waiver from
certain Whois requirements is granted by ICANN, the Registration Data
Access Protocol, or RDAP, could be a means to mitigating such conflict
without eliminating entirely the benefits of thick WHOIS (e.g. an
end-user looking up Whois data would see “thick” data, even though the
underlying data is not stored with the registry). Because RDAP
would only permit registry-level access to thick Whois output by
redirect to the registrar’s own portal, meaning such data would not be
“thick” in the sense of existing also at the registry level, there are
questions as to whether its implementation would be consistent with
policy recommendation #1 and the identified benefits of the thick
Whois model outlined in the Thick Whois Final Report. (page 12)

To assist with the legal analysis reflected in this Section, ICANN
engaged Bird & Bird, a leading international law firm with over 1100
lawyers in 27 offices across Europe, the Middle East and Asia with a
highly regarded International Privacy & Data Protection Group that
advises clients throughout the world. (page 6)

On Fri, Jan 20, 2017 at 12:22 AM, Marika Konings
<marika.konings at icann.org<mailto:marika.konings at icann.org>> wrote:
> Dear All,
> As requested during the call today, please find attached the legal review memorandum which was submitted to the Thick WHOIS IRT on 8 June 2015.
> Best regards,
> Marika
> Marika Konings
> Senior Policy Director & Team Leader for the GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
> Email: marika.konings at icann.org<mailto:marika.konings at icann.org>
> Follow the GNSO via Twitter @ICANN_GNSO
> Find out more about the GNSO by taking our interactive courses and visiting the GNSO Newcomer pages.

> _______________________________________________
> council mailing list
> council at gnso.icann.org<mailto:council at gnso.icann.org>
> https://mm.icann.org/mailman/listinfo/council
