[registrars] Draft for TF2
Paul Stahura
stahura at enom.com
Fri Apr 9 17:16:37 UTC 2004
>From what I understand the EU registrars can put some language in their
registration agreement that registrants agree to move their information to
non-EU registrars provided the non-EU registrars abide by ICANN's whois and
transfer policies, regardless whether such non-EU registrars are in a
jurisdiction which complies with the EU privacy directive. This is
something that ICANN could require of all registrars, including
EU-registrars. The alternative is for non-EU registrars and anyone who
wants to get the whois (such as IP firms), to follow a burdensome process
for obtaining consent from the registrant.
Paul
Follows is a comment from eNom's GC (not legal advice, get your own):
Generally, the EU outright prohibits transfers of personal data to a country
which does not meet the minimum protections required by the EU. (Directive
95/46/EC of the European Parliament, Chapter IV, Article 25) There are
exceptions (a) through (f), Article 26, but complying with these are NOT a
mere formality. Organizations can certify themselves as a "safe harbor"
through the US Department of Commerce, though the requirements are similar
to the exceptions (a) through (f). Certain of exceptions (a) through (f)
would allow ICANN to impose contract language on registrars and, through
them, on registrants which would obviate some of the burdens which might
otherwise exist. See following.
(a) the data subject has given his consent unambiguously to the proposed
transfer;
TO UNAMBIGUOUSLY CONSENT:
There must be a statement explaining how the information is going to
be used by the gaining registrar, including opt-out options (if any). This
includes an explanation of the gaining registrar's marketing practices,
manditory opt-out options, and an explanation of data retention policy
(including that the gaining registrar will not delete the WHOIS information
if the registrant transfers away from the gaining registrar, as I assume
that most of us will keep historic WHOIS data).
There must be a statement explaining what third parties will be
given access to the personal data and opt-out options.
There must be a statement explaining the known risks of potential
disclosure to third parties.
-- OR --
(b) the transfer is necessary for the performance of a contract between the
data subject and the controller or the implementation of precontractual
measures taken in response to the data subject's request;
THIS IS WHERE ICANN COULD REQUIRE THAT EU REGISTRARS HAVE THEIR CUSTOMERS
CONTRACTUALLY AGREE TO TRANSFER WHOIS INFORMATION TO NON-EU REGISTRARS
PROVIDED THE NON-EU REGISTRARS ABIDE BY ICANN'S WHOIS AND TRANSFER POLICIES.
This would obviate the burden of exception (a) or the requirement that
non-EU registrars register themselves as a "safe harbor" with the DOC.
-- OR --
(c) the transfer is necessary for the conclusion or performance of a
contract concluded in the interest of the data subject between the
controller and a third party;
The "controller" is the EU Registrar. The contract with a third
party would be the registrar's contract with ICANN. This is another
instance in which ICANN could require that EU Registrars have their
customers agree to transfer to non-EU registrars provided the non-EU
registrars abide by ICANN's WHOIS and transfer policies.
-- OR --
(d) the transfer is necessary or legally required on important public
interest grounds, or for the establishment, exercise or defence of legal
claims; or
(e) the transfer is necessary in order to protect the vital interests of the
data subject; or
These do not apply.
(f) the transfer is made from a register which according to laws or
regulations is intended to provide information to the public and which is
open to consultation either by the public in general or by any person who
can demonstrate legitimate interest, to the extent that the conditions laid
down in law for consultation are fulfilled in the particular case.
This might apply, but depends on the WHOIS policies and whether the
conditions for accessing the WHOIS comply with "the conditions laid down in
law for consultation."
-----Original Message-----
From: owner-registrars at gnso.icann.org
[mailto:owner-registrars at gnso.icann.org] On Behalf Of Tim Ruiz
Sent: Friday, April 09, 2004 4:22 AM
To: 'Jean-Michel Becar'; 'Paul Stahura'
Cc: 'Rob Hall'; 'Registrars Mail List'
Subject: RE: [registrars] Draft for TF2
All,
If ICANN is going to continue to encourage global participation it cannot
ignore the fact that registrars, like other businesses, are going to be
subject to local laws. That concerns me as it does many of you, but
realistically, I don't see how that fact can be ignored.
I also want a level playing field, but I understand that it must be relative
and that we cannot avoid the issues that globalization creates in our
industry.
I believe that a simple rule that requires public availability of
registration/Whois data, within the scope of local law, is what we need. We
should eliminate the idea of requiring specific methods, such as port 43,
bulk access, or even Web based whois. If someone wants the Whois info for a
domain managed by an EU registrar they will have to follow that registrar's
EU privacy compliant process to get it. That registrar should not be able to
just deny the request unilaterally. And the method by which legitimate,
compliant requests are made or fulfilled should be the decision of the
registrar.
I don't believe we are ever going to see ICANN tell potential registrars
that because of their geographic location they do not qualify to be a
registrar. However, if Rob can get laws passed in Barbados that are
favorable to registrars, we all have the option of moving our businesses
there.
As far as transfers are concerned, there is a solution that would solve any
issue with conflicts with local privacy laws. The transfer should start with
the current registrar of record. The current registrar understands best the
local laws under which they operate. Upon a legitimate and verified request
to transfer by a registrant or their verified agent, the registrar would
flag the domain as transferable at the registry and return a key,
authorization code, whatever you want to call it, to the registrant. The
registrant can then take that key to the registrar of their choice anywhere
in the world and complete the transfer without the need for any transfer of
private information. That could be collected directly from the registrant
under their own local laws and regulations.
Any concern about incentive on the losing registrar's part to comply with
transfer requests will ultimately be answered by the market itself. And any
enforcement mechanism on the part of ICANN will be much less complicated
since it will involve a single registrar and single set of local laws.
All that said, I do not feel that any of the current Whois Task Forces
appear to have enough information, input, or time to appropriately recommend
any sweeping changes to the status quo prior to or by the time of meeting in
KL in July.
I support Ross' draft statement. I cannot support the current drafts of
either of the other task forces.
Tim
-----Original Message-----
From: owner-registrars at gnso.icann.org
[mailto:owner-registrars at gnso.icann.org] On Behalf Of Jean-Michel Becar
Sent: Thursday, April 08, 2004 8:12 PM
To: Paul Stahura
Cc: 'Rob Hall'; Registrars Mail List
Subject: Re: [registrars] Draft for TF2
The problem is a law is a law and a contract is always subject to the law
and not the opposite. So if in Japan we have a law which doesn't allow us to
give the personal data to a third party we cannot. So I don't see your
point. How can you be in favor of outlaw business???
I remenber the time of the test bed agreement signature is was in 1999, we
knew we would have some problem with the whois according to the registrar
country but at that time we were too impatient to start so we postponed the
question. But today here we are and we have to find a solution. cause
someday many registrars will be declare outlaw and what? we have to move to
somewhere else? Seriously guys ;-)
So for transfer I don't think there is no privacy violation in anycase
because the registrant is asking himself the transfer, so I don't think the
privacy local laws will be a problem. Now in terms of egality amongst the
registrars... yeah some registrars will have different PUBLIC whois output
according to their local law. Hey guys this is competition :-) so let's
enjoy a little bit of differentiation here, let's try to make the registrar
business less boring. ( I like to take the formula one example where each
time a new regulation appeared everybody aggreed to say it would slow down
the cars but was never the case, the engineers always found smart ways to
come up with something better and only because they had been pushed by the
regulation...without regulation we would have today the same cars as 10
years ago)
regards,
Jean-Michel
Paul Stahura wrote:
>Rob's point is well taken. The EU privacy restrictions do prohibit
>transmitting personal identification information to any country which
>does not have privacy laws at least as protective as those of the EU.
>The US is on the list of countries which do not have adequate privacy
>laws. European registrars, right now, could shut down WHOIS and
>transfers on this basis. I'm a little surprised that no one has made
>this claim yet, or is transmitting the information for purposes of
>transfer somehow not a violation?
>
>Since we are probably all forming European establishments to take
>advantage of the lowest VAT tax rate (in Madera), then in thinking
>about it, I guess thin-registry transfers from EU registrars will just
>have to be to these EU establishments.
>
>This doesn't speak to Barbados. Will all domain name registrars
>migrate to or become mired in the country with the strictest privacy
>rules?
>
>If the statement stays in, would EU registrars, for example, be allowed
>to not transmit the whois data to thick registries located in the US,
>while
the
>rest of us have to?
>
>One solution Rob suggests (if there is a conflict between local law and
>ICANN contract) is for the registrar to move its location to one where
>it can comply with its ICANN contract (if the local law is in
>contradiction), but another solution may be something like "all for one
>and one for all".
>
>For example
>"If one Registrar is in breach with its ICANN contract due to local
>jurisdiction regarding the collection, display and distribution of
>personal data, then all registrars are able to cure the breach the same
>way that one registrar does" or some kind of lowest-common-denominator
>language which allows us all to have the same contract with ICANN.
>
>I agree with Rob, we all need to be bound by the same ICANN contract
>provisions no matter what country you are located in.
>
>
>
>
>-----Original Message-----
>From: owner-registrars at gnso.icann.org
>[mailto:owner-registrars at gnso.icann.org] On Behalf Of Rob Hall
>Sent: Thursday, April 08, 2004 3:53 PM
>To: Registrars Mail List
>Subject: RE: [registrars] Draft for TF2
>
>Thomas et al.
>
>I note that the TF2 report has the following statement:
>
>"No Registrar should be forced to be in breach with its local
>jurisdiction regarding the collection, display and distribution of
>personal data to be able to provide ICANN approved domain registrations
>regardless whether the WHOIS service is provided by themselves or
>another party. "
>
>
>I am very concerned with this statement. While I know my position may
>be unpopular, I believe it critical to the Registrar Industry.
>
>All ICANN Registrars were created equally and must be treated equally.
>Our contract with ICANN actually speaks to this equality, and I believe
>it must be maintained.
>
>The above statement would seem to imply that all Registrars must not
>behave in the same fashion, and that therefore ICANN should not treat
>them
equally.
>
>While I sympathize with Registrars who's governments may pass
>legislation making it difficult for them to adhere to their contractual
>requirements, I don't believe that the answer is for ICANN to simply
ignore, nor just not
>enforce, those provisions. Rather, I believe that if our government is
>about to put into place legislation that makes it impossible for us to
>be a Registrar, it is incumbent on us to educate them as to the
>ramifications of their actions. If a government were to put into place
>legislation that prevented a Registrar from complying with their ICANN
>contract, then I believe the Registrar has at least 2 choices: Move to
>a different jurisdiction, or stop being a Registrar.
>
>But to say that a Registrar should not have to comply with provisions
>of a contract they voluntarily entered into simply because their local
>jurisdiction prohibits it, is wrong.
>
>I won't even begin to speak to how many people (Registrars included)
>have interpreted current privacy laws in ways that benefit their
>business case, but are not quite factual. Most privacy legislation I
>have seen attempts
to
>ensure that data providers are informed of how their data will be used.
>It is then their choice as to whether they purchase the domain or not,
>given that they now are aware of how the information will be used.
>
>Take for example, NameScout, which is incorporated in the Barbados. Is
>it really fair for NameScout to claim that because we are in the
>Barbados that there is a local law that says I can not publish ANY
>whois information, nor can I allow any domain transfers to another
>Registrar. As the only domain Registrar in the Barbados, should we
>lobby for a local law that totally contradicts our contractual ICANN
>obligations, and then be able to stand up and say "sorry, but we can't
>comply with those obligations, and you can't make us)".
>
>In fact, I suspect we would immediately see some forum (read Country)
>shopping to base Registrars in.
>
>While I am all for attempting to find rules for whois that currently
>meet all countries privacy rules, these rules tend to be very dynamic,
>and I
fear
>that much effort will be spent and will be quickly outdated (if a
>common position can even be found). Our efforts need to focus on
>fixing what is broken within the Whois service. If that can be done
>with privacy rules in mind, so much the better. If the new solution
>violates some jurisdictions new privacy laws, then perhaps we are
>better with the status quo (although
I
>doubt it). Either that, or we move ahead with the new solution, without
>any exemption for local laws.
>
>I understand the frustration with local laws that may hamstring our
>businesses. But we must take care not to simply open loopholes that
>create contractual inequities between Registrars simply because of
>their location. Like it or not, ICANN is a California corporation that
>we voluntarily
choose
>to contract with. We are a Registrar solely by virtue of this contract.
>Without it, we are not an ICANN Registrar.
>
>Rob.
>
>
More information about the registrars
mailing list