[Gnso-epdp-team] ICANN Procedure for Handling WHOIS Conflicts with Privacy Law

Alex Deacon alex at colevalleyconsulting.com
Tue Aug 21 22:23:10 UTC 2018


Hi Milton,

To be clear, the point of my comment on the call this morning wasn't that
the WHOIS conflicts procedure was somehow relevant to our ePDP, but that we
need to rework the text currently in Temp Spec Appendix C.1 so that what ends
up in our final report doesn't create uncertainty or a mechanism to
sidestep/avoid existing policy.

"IPC agrees with the bulk of this section but strongly disagrees with the
lead in language to this section, which makes the obligations subject to
applicable laws.  All obligations are subject to applicable laws, but for
the sake of certainty, it is important that the obligations be clear and
certain, and not subject to any one party’s view of what applicable laws
require.  There is an existing consensus policy and Process to govern
conflicts between WHOIS obligations and National Data Protection Laws, and
that will govern dealing with any conflict between those laws and such
obligations.  The language above appears to allow circumvention of that
policy and process, and creates uncertainty.   Therefore, in Section 1 the
phrase “except as required by applicable laws and regulations” should be
deleted, as it is unnecessary."


Alex





On Tue, Aug 21, 2018 at 2:36 PM Mueller, Milton L <milton at gatech.edu> wrote:

> Actually Mark, Ayden is correct and yours is a misreading. You are
> confusing the RAA’s Data Retention Waiver Process with the Handling Whois
> Conflicts with Law procedure. They are, as your colleague says, “similar”
> in intent, but they are not the same. One is in the RAA, the other is not.
> So Ayden and I are correct, the Whois process has never been used; and your
> colleague is correct, the other procedure has been used 35 times.
>
>
>
> Having established some facts, it might be useful to back up and ask what
> this discussion is about and why it is relevant. In my opinion, this
> discussion is only relevant because some people seem to be suggesting that
> the Whois Conflicts with Law procedure can somehow rescue ICANN from the
> need to implement or revise the temp spec. If that is not your argument,
> and I have misinterpreted the significance of this discussion, then we can
> all save a lot of effort if you can explain why you think either the Whois
> Conflict w Law Procedure or the Data Retention Waiver Process are relevant
> to our ePDP.
>
>
>
> --MM
>
>
>
> *From:* Gnso-epdp-team [mailto:gnso-epdp-team-bounces at icann.org] *On
> Behalf Of *Mark Svancarek (CELA) via Gnso-epdp-team
> *Sent:* Tuesday, August 21, 2018 5:16 PM
> *To:* Ayden Férdeline <icann at ferdeline.com>; gnso-epdp-team at icann.org
> *Subject:* Re: [Gnso-epdp-team] ICANN Procedure for Handling WHOIS
> Conflicts with Privacy Law
>
>
>
> I think that’s a misreading, sorry.  It seems that 35 waivers have been
> granted in 5 years.
>
>
>
> Here’s a clarification from Steve (posting on his behalf since he’s an
> alternate):
>
>
>
> If we read a little further into that May-2017 staff report
> <https://www.icann.org/en/system/files/files/whois-privacy-conflicts-procedure-03may17-en.pdf>,
> you’ll see that 35 registrars used a process similar to the Whois Conflicts
> policy to obtain waivers to contract requirements about retaining
> registrant data – based on applicable privacy laws (see excerpt from staff
> report below).
>
> It’s unfortunate we diverted today’s discussion to the Whois Conflicts
> Policy, since the wide use of ICANN’s Data Retention Waiver Process is
> sufficient to explain the point we made about TempSpec Appendix C “Data
> Processing Requirements”.
>
>
>
> That is, we should rely on ICANN policy and processes to grant a waiver
> if/when applicable law conflicts with registrant data requirements in
> Registry and registrar agreements.  But look at the first line of TempSpec
> App C.1 “Principles for Processing”:
>
> “Each Controller will observe the following principles to govern its
> Processing of Personal Data contained in Registration Data, *except as
> required by applicable laws or regulations*”. (italics added)
>
>
>
> That TempSpec *text* could imply that each registrar and registry can
> decide on its own to ignore any principles for processing – without first
> obtaining a waiver of the contractual requirement from ICANN.
>
>
>
> Here’s that excerpt from that May-2017 staff report
> <https://www.icann.org/en/system/files/files/whois-privacy-conflicts-procedure-03may17-en.pdf>,
> showing that 35 registrars have obtained waivers to contract requirements
> about retaining registrant data – based on applicable privacy laws:
>
>
>
> *The 2013 Registrar Accreditation Agreement (“RAA”) Data Retention Waiver
> Process *
>
> Under this Requests process, a registrar may request a compliance waiver
> of the data retention requirements, by presenting ICANN with a written
> opinion from a nationally recognized law firm, or ruling or written
> guidance from a government body that states that collecting or retaining
> one or more data elements in the manner required by the specification
> violates applicable law. A general assertion that the data collection and
> Data Retention Specification requirements are unlawful is not sufficient.
> Rather, the waiver request must specify the applicable law, the specific
> allegedly offending data collection and/or retention requirement(s), and
> the manner in which the collection and/or retention violates the law.
>
> This specificity helps ICANN to determine the appropriate limitations on
> the scope and duration of data collection and retention requirements when
> granting the waiver. This also helps ICANN balance the interests of the
> registrar, governments, and the broader Internet community when considering
> granting such waivers. In addition, if ICANN has previously waived
> compliance with the requirements for a registrar located in the same
> jurisdiction and the applying registrar is subject to the same applicable
> law, the registrar may request the same waiver.
>
> The 2013 RAA calls for ICANN and the registrar to discuss data retention
> waiver requests in good faith in an effort to reach a mutually acceptable
> resolution. The Data Retention Specification contemplates potential future
> modifications to the Whois Procedure in section 2 of the RAA.4 Because
> each country may interpret its data privacy requirements differently, ICANN
> is working through each of the submitted requests country-by-country.
>
> The complexity and diversity of national privacy laws has resulted in
> considerable investments of time and resources by ICANN and registrars
> alike. In countries with data privacy laws applicable to registrars, ICANN
> has found that restrictions generally permit the retention of registration
> data, but only for legitimate purposes, and for a period no longer than is
> necessary for the purposes for which the data were collected or for which
> they are further processed. What constitutes a legitimate purpose and how
> long data can be retained are complicated questions, and the answers may
> vary from one country to the next, even within the EU.
>
> As of April 2017, a total of 35 Data Retention Waivers were granted to
> registrars.
>
>
>
>
>
>
>
> *From:* Gnso-epdp-team <gnso-epdp-team-bounces at icann.org> *On Behalf Of *Ayden
> Férdeline
> *Sent:* Tuesday, August 21, 2018 12:56
> *To:* gnso-epdp-team at icann.org
> *Subject:* Re: [Gnso-epdp-team] ICANN Procedure for Handling WHOIS
> Conflicts with Privacy Law
>
>
>
> This statement seems to support Milton’s claim on today’s call that the
> WHOIS Conflicts with Privacy Law procedure has never been invoked:
>
>
>
> On 21 Aug 2018, at 20:55, Marika Konings <marika.konings at icann.org> wrote:
>
>
>
> Given that to date no registrar or registry operator has formally invoked
> the Whois Procedure
>
>
>
> Kind regards,
>
>
>
> Ayden Férdeline
>
>
>
> On 21 Aug 2018, at 20:55, Marika Konings <marika.konings at icann.org> wrote:
>
>
>
> Dear All,
>
>
>
> Per the action item from today’s meeting, please find attached the staff
> assessment and next steps report on the Revised ICANN Procedure for
> Handling WHOIS Conflicts with Privacy Law which was published in May 2017.
> As there were specific questions in relation to the origin of the
> procedure, I’ve excerpted the background section from this document below.
> As noted, the GNSO Council has already agreed to form an Implementation
> Advisory Group to review the procedure and adopted a charter for this
> effort in February of this year (see
> https://gnso.icann.org/en/council/resolutions#201802).
> However, due to workload issues and the pending EPDP, the Council delayed
> the call for volunteers and agreed during its most recent meeting to decide
> when the call for volunteers should be launched following the publication
> of the Initial Report on the Temporary Specification by the EPDP Team.
>
>
>
> Best regards,
>
>
>
> Caitlin, Berry and Marika
>
>
>
> ============================
>
>
>
> *Background* (from
> https://www.icann.org/en/system/files/files/whois-privacy-conflicts-procedure-03may17-en.pdf).
>
>
>
> In November 2005, the GNSO concluded a policy development process
> <https://gnso.icann.org/en/issues/whois-privacy/council-rpt-18jan06.htm>
>  (PDP) on Whois conflicts with privacy law which recommended that “In
> order to facilitate reconciliation of any conflicts between local/national
> mandatory privacy laws or regulations and applicable provisions of the
> ICANN contract regarding the collection, display and distribution of
> personal data via the gTLD Whois service, ICANN should:
>
>
>
>    1. Develop and publicly document a Procedure for dealing with the
>    situation in which a registrar or registry can credibly demonstrate that it
>    is legally prevented by local/national privacy laws or regulations from
>    fully complying with applicable provisions of its ICANN contract regarding
>    the collection, display and distribution of personal data via Whois.
>    2. Create goals for the procedure which include:
>
>
>       1. Ensuring that ICANN staff is informed of a conflict at the earliest
>       appropriate juncture;
>       2. Resolving the conflict, if possible, in a manner conducive to
>       ICANN's Mission, applicable Core Values, and the stability and uniformity
>       of the Whois system;
>       3. Providing a mechanism for the recognition, if appropriate, in
>       circumstances where the conflict cannot be otherwise resolved, of an
>       exception to contractual obligations to those registries/registrars to
>       which the specific conflict applies with regard to collection, display and
>       distribution of personally identifiable data via Whois; and
>       4. Preserving sufficient flexibility for ICANN staff to respond to
>       particular factual situations as they arise”.
>
>
>
> The ICANN Board of Directors adopted the recommendations in May 2006 and
> directed staff to develop such a Procedure. A draft Procedure was posted
> for public comment, and input was specifically solicited from the
> Governmental Advisory Committee (GAC). The GAC recommended adding a
> provision, which was included as section 1.4 in the procedure, urging a
> registrar or registry to work with relevant national governments to ensure
> adherence to domestic and international law, as well as applicable
> international conventions.
>
>
>
> If the Whois requirements require changes that ICANN determines prevent
> compliance with contractual Whois obligations, ICANN may refrain, on a
> provisional basis, from taking enforcement action for non-compliance, while
> ICANN prepares a public report and recommendation and submits it to the
> ICANN Board for a decision. Given that to date no registrar or registry
> operator has formally invoked the Whois Procedure, and yet numerous
> concerns have arisen from contracted parties and the wider community, ICANN
> launched a review in 2014, as provided in the Whois Procedure’s final
> clause.
>
>
>
>
>
> *Marika Konings*
>
> *Vice President, Policy Development Support – GNSO, Internet Corporation
> for Assigned Names and Numbers (ICANN) *
>
> *Email: **marika.konings at icann.org* <marika.konings at icann.org>
>
>
>
> *Follow the GNSO via Twitter @ICANN_GNSO*
>
> *Find out more about the GNSO by taking our interactive courses*
> <http://learn.icann.org/courses/gnso> *and visiting the GNSO Newcomer pages*
> <http://gnso.icann.org/sites/gnso.icann.org/files/gnso/presentations/policy-efforts.htm#newcomers>.
>
>
>
> <whois-privacy-conflicts-procedure-03may17-en.pdf>
>
>



-- 
___________
*Alex Deacon*
Cole Valley Consulting
alex at colevalleyconsulting.com
+1.415.488.6009