[Gnso-epdp-team] ICANN Procedure for Handling WHOIS Conflicts with Privacy Law

Mark Svancarek (CELA) marksv at microsoft.com
Tue Aug 21 21:56:34 UTC 2018

I concede that my use of “misreading” was wrong.  Sorry about that.

I suggest we back up a bit further when determining what the discussion is about and why it’s relevant.  Go back past any mention of Handling Whois Conflicts with Law procedure.  (I further concede that it was not a great example of existing consensus policy for this discussion.)

The original comment was “The language above [“obligations subject to local laws”] creates uncertainty by failing both to reference existing consensus policy and by leaving applicability of local law subject to each party’s interpretations.”

Perhaps I could have made my point better by referencing RAA and data retention waivers.  (I have less institutional memory than some others; perhaps that is also not the best example.) The intent was to express that we should acknowledge the existence of existing obligations and processes and determine when it is appropriate to conform to them.

As for “somehow rescue ICANN from the need to implement or revise the temp spec”, I think you have me mistaken for someone else.


From: Mueller, Milton L <milton at gatech.edu>
Sent: Tuesday, August 21, 2018 14:36
To: Mark Svancarek (CELA) <marksv at microsoft.com>; Ayden Férdeline <icann at ferdeline.com>
Cc: gnso-epdp-team at icann.org
Subject: RE: [Gnso-epdp-team] ICANN Procedure for Handling WHOIS Conflicts with Privacy Law

Actually Mark, Ayden is correct and yours is a misreading. You are confusing the RAA’s Data Retention Waiver Process with the Handling Whois Conflicts with Law procedure. They are, as your colleague says, “similar” in intent, but they are not the same. One is in the RAA, the other is not. So Ayden and I are correct, the Whois process has never been used; and your colleague is correct, the other procedure has been used 35 times.

Having established some facts, it might be useful to back up and ask what this discussion is about and why it is relevant. In my opinion, this discussion is only relevant because some people seem to be suggesting that the Whois Conflicts with Law procedure can somehow rescue ICANN from the need to implement or revise the temp spec. If that is not your argument, and I have misinterpreted the significance of this discussion, then we can all save a lot of effort if you can explain why you think either the Whois Conflict w Law Procedure or the Data Retention Waiver Process are relevant to our ePDP.


From: Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org] On Behalf Of Mark Svancarek (CELA) via Gnso-epdp-team
Sent: Tuesday, August 21, 2018 5:16 PM
To: Ayden Férdeline <icann at ferdeline.com>; gnso-epdp-team at icann.org
Subject: Re: [Gnso-epdp-team] ICANN Procedure for Handling WHOIS Conflicts with Privacy Law

I think that’s a misreading, sorry.  It seems that 35 waivers have been granted in 5 years.

Here’s a clarification from Steve (posting on his behalf since he’s an alternate):

If we read a little further into that May-2017 staff report<https://www.icann.org/en/system/files/files/whois-privacy-conflicts-procedure-03may17-en.pdf>, you’ll see that 35 registrars used a process similar to the Whois Conflicts policy to obtain waivers to contract requirements about retaining registrant data – based on applicable privacy laws (see excerpt from staff report below).
It’s unfortunate we diverted today’s discussion to the Whois Conflicts Policy, since the wide use of ICANN’s Data Retention Waiver Process is sufficient to explain the point we made about TempSpec Appendix C “Data Processing Requirements”.

That is, we should rely on ICANN policy and processes to grant a waiver if/when applicable law conflicts with registrant data requirements in Registry and registrar agreements.  But look at the first line of TempSpec App C.1 “Principles for Processing”:
“Each Controller will observe the following principles to govern its Processing of Personal Data contained in Registration Data, except as required by applicable laws or regulations”. (italics added)

That TempSpec text could imply that each registrar and registry can decide on its own to ignore any principles for processing – without first obtaining a waiver of the contractual requirement from ICANN.

Here’s that excerpt from that May-2017 staff report<https://www.icann.org/en/system/files/files/whois-privacy-conflicts-procedure-03may17-en.pdf>, showing that 35 registrars have obtained waivers to contract requirements about retaining registrant data – based on applicable privacy laws:

The 2013 Registrar Accreditation Agreement (“RAA”) Data Retention Waiver Process

Under this Requests process, a registrar may request a compliance waiver of the data retention requirements, by presenting ICANN with a written opinion from a nationally recognized law firm, or ruling or written guidance from a government body that states that collecting or retaining one or more data elements in the manner required by the specification violates applicable law. A general assertion that the data collection and Data Retention Specification requirements are unlawful is not sufficient. Rather, the waiver request must specify the applicable law, the specific allegedly offending data collection and/or retention requirement(s), and the manner in which the collection and/or retention violates the law.

This specificity helps ICANN to determine the appropriate limitations on the scope and duration of data collection and retention requirements when granting the waiver. This also helps ICANN balance the interests of the registrar, governments, and the broader Internet community when considering granting such waivers. In addition, if ICANN has previously waived compliance with the requirements for a registrar located in the same jurisdiction and the applying registrar is subject to the same applicable law, the registrar may request the same waiver.

The 2013 RAA calls for ICANN and the registrar to discuss data retention waiver requests in good faith in an effort to reach a mutually acceptable resolution. The Data Retention Specification contemplates potential future modifications to the Whois Procedure in section 2 of the RAA. Because each country may interpret its data privacy requirements differently, ICANN is working through each of the submitted requests country-by-country.

The complexity and diversity of national privacy laws has resulted in considerable investments of time and resources by ICANN and registrars alike. In countries with data privacy laws applicable to registrars, ICANN has found that restrictions generally permit the retention of registration data, but only for legitimate purposes, and for a period no longer than is necessary for the purposes for which the data were collected or for which they are further processed. What constitutes a legitimate purpose and how long data can be retained are complicated questions, and the answers may vary from one country to the next, even within the EU.

As of April 2017, a total of 35 Data Retention Waivers were granted to registrars.

From: Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> On Behalf Of Ayden Férdeline
Sent: Tuesday, August 21, 2018 12:56
To: gnso-epdp-team at icann.org
Subject: Re: [Gnso-epdp-team] ICANN Procedure for Handling WHOIS Conflicts with Privacy Law

This statement seems to support Milton’s claim on today’s call that the WHOIS Conflicts with Privacy Law procedure has never been invoked:

On 21 Aug 2018, at 20:55, Marika Konings <marika.konings at icann.org> wrote:

Given that to date no registrar or registry operator has formally invoked the Whois Procedure

Kind regards,

Ayden Férdeline

On 21 Aug 2018, at 20:55, Marika Konings <marika.konings at icann.org> wrote:

Dear All,

Per the action item from today’s meeting, please find attached the staff assessment and next steps report on the Revised ICANN Procedure for Handling WHOIS Conflicts with Privacy Law which was published in May 2017. As there were specific questions in relation to the origin of the procedure, I’ve excerpted the background section from this document below. As noted, the GNSO Council has already agreed to form an Implementation Advisory Group to review the procedure and adopted a charter for this effort in February of this year (see https://gnso.icann.org/en/council/resolutions#201802). However, due to workload issues and the pending EPDP, the Council delayed the call for volunteers and agreed during its most recent meeting to decide when the call for volunteers should be launched following the publication of the Initial Report on the Temporary Specification by the EPDP Team.

Best regards,

Caitlin, Berry and Marika


Background (from https://www.icann.org/en/system/files/files/whois-privacy-conflicts-procedure-03may17-en.pdf).

In November 2005, the GNSO concluded a policy development process<https://gnso.icann.org/en/issues/whois-privacy/council-rpt-18jan06.htm> (PDP) on Whois conflicts with privacy law which recommended that “In order to facilitate reconciliation of any conflicts between local/national mandatory privacy laws or regulations and applicable provisions of the ICANN contract regarding the collection, display and distribution of personal data via the gTLD Whois service, ICANN should:

  1.  Develop and publicly document a Procedure for dealing with the situation in which a registrar or registry can credibly demonstrate that it is legally prevented by local/national privacy laws or regulations from fully complying with applicable provisions of its ICANN contract regarding the collection, display and distribution of personal data via Whois.
  2.  Create goals for the procedure which include:

     *   Ensuring that ICANN staff is informed of a conflict at the earliest appropriate juncture;
     *   Resolving the conflict, if possible, in a manner conducive to ICANN's Mission, applicable Core Values, and the stability and uniformity of the Whois system;
     *   Providing a mechanism for the recognition, if appropriate, in circumstances where the conflict cannot be otherwise resolved, of an exception to contractual obligations to those registries/registrars to which the specific conflict applies with regard to collection, display and distribution of personally identifiable data via Whois; and
     *   Preserving sufficient flexibility for ICANN staff to respond to particular factual situations as they arise”.

The ICANN Board of Directors adopted the recommendations in May 2006 and directed staff to develop such a Procedure. A draft Procedure was posted for public comment, and input was specifically solicited from the Governmental Advisory Committee (GAC). The GAC recommended adding a provision, which was included as section 1.4 in the procedure, urging a registrar or registry to work with relevant national governments to ensure adherence to domestic and international law, as well as applicable international conventions.

If the Whois requirements require changes that ICANN determines prevent compliance with contractual Whois obligations, ICANN may refrain, on a provisional basis, from taking enforcement action for non-compliance, while ICANN prepares a public report and recommendation and submits it to the ICANN Board for a decision. Given that to date no registrar or registry operator has formally invoked the Whois Procedure, and yet numerous concerns have arisen from contracted parties and the wider community, ICANN launched a review in 2014, as provided in the Whois Procedure’s final clause.

Marika Konings
Vice President, Policy Development Support – GNSO, Internet Corporation for Assigned Names and Numbers (ICANN)
Email: marika.konings at icann.org

Follow the GNSO via Twitter @ICANN_GNSO
Find out more about the GNSO by taking our interactive courses<http://learn.icann.org/courses/gnso> and visiting the GNSO Newcomer pages<http://gnso.icann.org/sites/gnso.icann.org/files/gnso/presentations/policy-efforts.htm#newcomers>.

