[Gnso-epdp-team] ICANN Procedure for Handling WHOIS Conflicts with Privacy Law

Mark Svancarek (CELA) marksv at microsoft.com
Tue Aug 21 21:15:36 UTC 2018

I think that’s a misreading, sorry.  It seems that 35 waivers have been granted in 5 years.

Here’s a clarification from Steve (posting on his behalf since he’s an alternate):

If we read a little further into that May-2017 staff report <https://www.icann.org/en/system/files/files/whois-privacy-conflicts-procedure-03may17-en.pdf>, you’ll see that 35 registrars used a process similar to the Whois Conflicts policy to obtain waivers to contract requirements about retaining registrant data – based on applicable privacy laws (see excerpt from staff report below).
It’s unfortunate we diverted today’s discussion to the Whois Conflicts Policy, since the wide use of ICANN’s Data Retention Waiver Process is sufficient to explain the point we made about TempSpec Appendix C “Data Processing Requirements”.

That is, we should rely on ICANN policy and processes to grant a waiver if/when applicable law conflicts with registrant data requirements in Registry and registrar agreements.  But look at the first line of TempSpec App C.1 “Principles for Processing”:
“Each Controller will observe the following principles to govern its Processing of Personal Data contained in Registration Data, except as required by applicable laws or regulations”. (italics added)

That TempSpec text could imply that each registrar and registry can decide on its own to ignore any principles for processing – without first obtaining a waiver of the contractual requirement from ICANN.

Here’s that excerpt from that May-2017 staff report <https://www.icann.org/en/system/files/files/whois-privacy-conflicts-procedure-03may17-en.pdf>, showing that 35 registrars have obtained waivers to contract requirements about retaining registrant data – based on applicable privacy laws:

The 2013 Registrar Accreditation Agreement (“RAA”) Data Retention Waiver Process

Under this Requests process, a registrar may request a compliance waiver of the data retention requirements, by presenting ICANN with a written opinion from a nationally recognized law firm, or ruling or written guidance from a government body that states that collecting or retaining one or more data elements in the manner required by the specification violates applicable law. A general assertion that the data collection and Data Retention Specification requirements are unlawful is not sufficient. Rather, the waiver request must specify the applicable law, the specific allegedly offending data collection and/or retention requirement(s), and the manner in which the collection and/or retention violates the law.

This specificity helps ICANN to determine the appropriate limitations on the scope and duration of data collection and retention requirements when granting the waiver. This also helps ICANN balance the interests of the registrar, governments, and the broader Internet community when considering granting such waivers. In addition, if ICANN has previously waived compliance with the requirements for a registrar located in the same jurisdiction and the applying registrar is subject to the same applicable law, the registrar may request the same waiver.

The 2013 RAA calls for ICANN and the registrar to discuss data retention waiver requests in good faith in an effort to reach a mutually acceptable resolution. The Data Retention Specification contemplates potential future modifications to the Whois Procedure in section 2 of the RAA.4 Because each country may interpret its data privacy requirements differently, ICANN is working through each of the submitted requests country-by-country.

The complexity and diversity of national privacy laws has resulted in considerable investments of time and resources by ICANN and registrars alike. In countries with data privacy laws applicable to registrars, ICANN has found that restrictions generally permit the retention of registration data, but only for legitimate purposes, and for a period no longer than is necessary for the purposes for which the data were collected or for which they are further processed. What constitutes a legitimate purpose and how long data can be retained are complicated questions, and the answers may vary from one country to the next, even within the EU.

As of April 2017, a total of 35 Data Retention Waivers were granted to registrars.

From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Ayden Férdeline
Sent: Tuesday, August 21, 2018 12:56
To: gnso-epdp-team at icann.org
Subject: Re: [Gnso-epdp-team] ICANN Procedure for Handling WHOIS Conflicts with Privacy Law

This statement seems to support Milton’s claim on today’s call that the WHOIS Conflicts with Privacy Law procedure has never been invoked:

On 21 Aug 2018, at 20:55, Marika Konings <marika.konings at icann.org> wrote:

Given that to date no registrar or registry operator has formally invoked the Whois Procedure

Kind regards,

Ayden Férdeline

On 21 Aug 2018, at 20:55, Marika Konings <marika.konings at icann.org> wrote:

Dear All,

Per the action item from today’s meeting, please find attached the staff assessment and next steps report on the Revised ICANN Procedure for Handling WHOIS Conflicts with Privacy Law which was published in May 2017. As there were specific questions in relation to the origin of the procedure, I’ve excerpted the background section from this document below. As noted, the GNSO Council has already agreed to form an Implementation Advisory Group to review the procedure and adopted a charter for this effort in February of this year (see https://gnso.icann.org/en/council/resolutions#201802). However, due to workload issues and the pending EPDP, the Council delayed the call for volunteers and agreed during its most recent meeting to decide when the call for volunteers should be launched following the publication of the Initial Report on the Temporary Specification by the EPDP Team.

Best regards,

Caitlin, Berry and Marika


Background (from https://www.icann.org/en/system/files/files/whois-privacy-conflicts-procedure-03may17-en.pdf).

In November 2005, the GNSO concluded a policy development process <https://gnso.icann.org/en/issues/whois-privacy/council-rpt-18jan06.htm> (PDP) on Whois conflicts with privacy law which recommended that “In order to facilitate reconciliation of any conflicts between local/national mandatory privacy laws or regulations and applicable provisions of the ICANN contract regarding the collection, display and distribution of personal data via the gTLD Whois service, ICANN should:

  1.  Develop and publicly document a Procedure for dealing with the situation in which a registrar or registry can credibly demonstrate that it is legally prevented by local/national privacy laws or regulations from fully complying with applicable provisions of its ICANN contract regarding the collection, display and distribution of personal data via Whois.
  2.  Create goals for the procedure which include:

     *   Ensuring that ICANN staff is informed of a conflict at the earliest appropriate juncture;
     *   Resolving the conflict, if possible, in a manner conducive to ICANN's Mission, applicable Core Values, and the stability and uniformity of the Whois system;
     *   Providing a mechanism for the recognition, if appropriate, in circumstances where the conflict cannot be otherwise resolved, of an exception to contractual obligations to those registries/registrars to which the specific conflict applies with regard to collection, display and distribution of personally identifiable data via Whois; and
     *   Preserving sufficient flexibility for ICANN staff to respond to particular factual situations as they arise”.

The ICANN Board of Directors adopted the recommendations in May 2006 and directed staff to develop such a Procedure. A draft Procedure was posted for public comment, and input was specifically solicited from the Governmental Advisory Committee (GAC). The GAC recommended adding a provision, which was included as section 1.4 in the procedure, urging a registrar or registry to work with relevant national governments to ensure adherence to domestic and international law, as well as applicable international conventions.

If the Whois requirements require changes that ICANN determines prevent compliance with contractual Whois obligations, ICANN may refrain, on a provisional basis, from taking enforcement action for non-compliance, while ICANN prepares a public report and recommendation and submits it to the ICANN Board for a decision. Given that to date no registrar or registry operator has formally invoked the Whois Procedure, and yet numerous concerns have arisen from contracted parties and the wider community, ICANN launched a review in 2014, as provided in the Whois Procedure’s final clause.

Marika Konings
Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
Email: marika.konings at icann.org

Follow the GNSO via Twitter @ICANN_GNSO
Find out more about the GNSO by taking our interactive courses <http://learn.icann.org/courses/gnso> and visiting the GNSO Newcomer pages <http://gnso.icann.org/sites/gnso.icann.org/files/gnso/presentations/policy-efforts.htm#newcomers>.

