[registrars] Revised draft for TF2

Cute, Brian A. bcute at networksolutions.com
Tue Apr 13 20:44:44 UTC 2004 

Paul,

The RAA already contains the obligation to obtain consent that you suggest is the answer to this problem: 


"3.7.7 Registrar shall require all Registered Name Holders to enter into an electronic or paper registration agreement with Registrar including at least the following provisions:

						.		.		.


3.7.7.4 Registrar shall provide notice to each new or renewed Registered Name Holder stating:

3.7.7.4.1 The purposes for which any Personal Data collected from the applicant are intended;

3.7.7.4.2 The intended recipients or categories of recipients of the data (including the Registry Operator and others who will receive the data from Registry Operator);

3.7.7.4.3 Which data are obligatory and which data, if any, are voluntary; and

3.7.7.4.4 How the Registered Name Holder or data subject can access and, if necessary, rectify the data held about them.

3.7.7.5 The Registered Name Holder shall consent to the data processing referred to in Subsection 3.7.7.4."


This is important for a couple of reasons:  1) what happens if a registrant refuses consent to registrar #1 because they are not comfortable with the stated purpose and subsequent use of their data?  2) what if that registrant registers with a registrar that requests consent for a narrower purpose and subsequent use because that registrar is complying with stricter local laws than registrar #1?  Isn't that a competition issue?  

This scenario WILL play itself out.  Put the legal arguments aside for a moment.  Individuals from non U.S. countries have, in many cases, an extremely high awareness of their privacy rights under national law and WILL gravitate to service providers who offer them what THEY deem to be the requisite level of data protection.  The only way to rectify this competition issue is for registrar #1 to provide the requisite level of data protection expected by the registrant under the registrant's local law.  Unless registrar #1 can provide the requisite level of data protection, it cannot compete for this customer.  Moreover, the suggestion that a registrar that complies with its local law should lose its accreditation runs directly counter to 3.7.2 of the RAA:

"3.7.2 Registrar shall abide by applicable laws and governmental regulations."


One of ICANN's obligations under the RAA is to "[2.3.2] not unreasonably restrain competition and, to the extent feasible, promote and encourage robust competition;"

Although there appears to be a difference of opinion as to whether the EU directive renders current whois or bulk whois practices 100% illegal or nearly 100% illegal, that is ultimately a question for the 15 EU Member State courts and I would suggest that registrars keep their own counsel on such questions.  At a minimum, certain EU based registrars, apparently acting on advice of local counsel, have taken a position on these issues.    

What many multinational companies do when faced with a patchwork of legal obligations -- as a matter of compliance and internal administrative efficiencies -- is determine which jurisdiction "sets the bar the highest" and then conform to that standard.  In that manner, there is certainty of compliance with every jurisdiction in which it operates.  This is a common sense approach.  Advocating contract changes that will perpetuate the explicit contradictions and tensions in the RAA is not a common sense approach.

Brian







-----Original Message-----
From: owner-registrars at gnso.icann.org
[mailto:owner-registrars at gnso.icann.org]On Behalf Of Paul Stahura
Sent: Tuesday, April 13, 2004 2:28 PM
To: Ross Rader; Rob Hall
Cc: registrars at dnso.org
Subject: RE: [registrars] Revised draft for TF2



1) Our GC informs me that publishing whois, even in bulk form, is not
flat-out illegal in the EU.  Providing bulk access does not require a court
order.  A court order is one means, but not the only means.  The data
subject can also consent (see next point).  No nations laws (at least that I
am aware of) prevent anyone from becoming a registrar in their jurisdiction.
The most stringent laws require informed consent.  Informed consent can be
given to individualized whois searches and to bulk access.  The basic
question is whether the data subject is informed of how the personal
information is going to be published, who will have access to it, how it
will be used, and what the known risks of disclosure are. 

2)  Consent.

	a)	Consent is the basic criteria, both in the EU and in many
other jurisdictions (even, to a lesser extent, in the US).  Registrants can
consent to having their personal information published in the whois. They do
have to be informed about what third parties are going to have access to the
data and what uses these third parties will put to the data (such as if the
third parties will be searching for TM violators or if the third parties are
known to sell the data further downstream).  Consent can be given to
individualized one-of WHOIS publications in response to specific searches.
Consent can also be given to the bulk publication of whois, provided the
bulk purchasers and their uses of the information are disclosed.  The
disclosure requirement is pretty steep, inasmuch as even known *risks* of
down-stream disclosure must be identified to achieve truly informed consent.


	b)	Consent can be obtained a priori, which, in the context of
domain name registration, mean that the ICANN required registration
agreement would include language requiring the registrant to consent to
disclosure of the personal information according to the whois and transfers
policies developed by ICANN.  This consent would link to the whois and
transfers policies, where a complete statement of the purposes, third party
access, and risks would be found.  This consent can even contractually
stipulate that the ICANN whois and transfers policies may change over time,
following ICANN's consensus procedures. 

	c) 	Consent can also be obtained after the fact, "ex post
facto."  Ex post facto consent is *almost* workable in the transfers
context.  The non-EU gaining registrar would have to include the consent
language in the transfer authorization process and in the transfer consent
email. Not an inconsiderable burden, but also not totally out of the
question.  However, after-the-fact consent would certainly not satisfy the
IP community's desire for whois information.  The IP community has no
convenient means through which it can obtain individualized ex post facto
consent. 

An ex post facto approach to obtaining consent may be an acceptable burden
to registrars in the context of transfers.  In this case, simply leave the
IP community to figure out and lobby for an a priori
ICANN-registration-agreement approach. And even then some registrars will be
playing by different rules outside the context of transfers. However, it is
unlikely that the IP community is asleep at the switch, in which case
registrars just might as well accept and work with an a priori
ICANN-registration-agreement approach to this issue.

Bottom line, eNom advocates before-hand consent because it is fairer across
registrars. ICANN should require registrars to get consent from registrants
to disclose the whois information according to the whois and transfer
policies established by ICANN from time to time.  Make that a "must have" in
the registration agreement. I really doubt if a requirement to get consent
would be illegal in any jurisdiction on the planet, therefore no registrar
would be in violation of their agreement with ICANN.  


-----Original Message-----
From: owner-registrars at gnso.icann.org
[mailto:owner-registrars at gnso.icann.org] On Behalf Of Ross Wm. Rader
Sent: Tuesday, April 13, 2004 9:31 AM
To: Rob Hall
Cc: registrars at dnso.org
Subject: Re: [registrars] Revised draft for TF2

On 4/13/2004 10:02 AM Rob Hall noted that:

Rob, inline...

> Can you tell me on what basis you say buk whois is 100% illegal in Europe
?
> 
> My understanding of your privacy laws is that you must inform the user of
> how their information will be disseminated.  Is it not true that if you
tell
> the user that you will publish their information, and give it to whoever
> applies under your bulk whois contract, that you are covered legally ?
> 
> You have informed the user of how their information is to be used, and
> distributed. It is then the users choice to continue given that they now
> know the playing field.
> 

Is your issue with the registrar constituency advocating that the bulk 
whois provisions in the contract be eliminated or the logic that 
Thomas has used to justify that position?


> You also make a statement that seems to unlink whois and transfers.  But
> they are in fact directly linked.
>

I didn't draw this same conclusion - which passage are you referring to?


> I also believe that one of the primary reasons we have a distributed whois
> for com/net is to promote competition, not lessen it.  I am at a loss as
to
> how making whois information available to the public hurts competition.  I
> believe just the opposite occurs.

I think Thomas is saying that having two standards in place (i.e. one 
based in ICANN policy and the other based in local legislation) will 
create "forum shopping". Not sure if competition is especially germane 
to this particular point.

> 
> I believe that if you unilaterally break your ICANN contract for any
reason,
> you should face enforement and penalties.  If a big european telco broke
> their ICANN contract by not providing whois anymore, I suspect they would
be
> found in breach, and no longer have a contract.  Exactly as would any
> non-european registrar who broke their contract.
> 

The key here is for the GNSO to develop policy that can be applied 
equally across all relevant jurisdictions. The current policy 
regarding Whois plays extremely close to this line - many of the 
proposals completely cross it. Any proposal that can't be implemented 
by registrars because of legal considerations needs to be discarded to 
avoid the conditions you are concerned about.

-- 


                        -rwr








                 "Don't be too timid and squeamish about your actions.
                                            All life is an experiment.
                             The more experiments you make the better."
						- Ralph Waldo Emerson

Got Blog? http://www.blogware.com
My Blogware: http://www.byte.org

More information about the registrars mailing list