FINAL VERSION TO BE SUBMITTED IF RATIFIED
The final version to be submitted, if the draft is ratified, will be placed here by upon completion of the vote.
FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC
The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.
FIRST DRAFT SUBMITTED
The ALAC does not support the Implementation Advisory Group’s proposed alternative ‘triggers'. The whole policy framework on which the 'triggers' are based is contrary to the growing body of inernational law on data protection. Instead, the ALAC supports the “Minority Views’ of Stephanie Perrin and Christopher Wilkinson and their alternative proposals to address the Whois conflicts issues.
The original goal of this policy (concluded by the GNSO in November 2005) was to develop procedures that could reconcile mandatory laws on data protection with the requirements on registries and registrars under contract with ICANN for the collection, display and distribution of WHOIS personal information.
Unfortunately, the Task Force charged with implementing the policy adopted a ‘solution’ that is virtually unworkable and has never been used. Under the ‘solution’ the registrar/registry should notify ICANN within 30 days of situations (an inquiry, litigation or threat of sanctions) when the registry/registrar can demonstrate that it cannot comply with WHOIS obligations due to local or national data protection laws.
There are two fundamental reasons why the policy is unworkable. The first is the bizarre requirement that registrars and registries must seek ICANN permission to comply with their applicable local laws. The second obvious flaw is that it means registrars/registries must wait until there is an ‘inquiry or investigation' etc of some sort before the process can be triggered.
This Implementation Working Group (IWG) was formed to ‘ consider the need for changes to how the procedure is invoked and used’. The difficulty with that approach is that it does not address the basic flaws in the processes proposed: it still assumes that ICANN has a role in determining registry/registrar compliance with applicable local law and it still believes that solution lies in legal events that ‘trigger’ a resolution process.
The IWG report proposes an “Alternative Trigger’ (Appendix 1) or a Written Legal Opinion (Dual Trigger) (Appendix 2). Of the two proposals, the Alternative Trigger process is far simpler and preferable. Indeed, the language suggests that the process might be used to reconcile ICANN WHOIS requirements with relevant data protection law more generally, and not on just on a case by case basis.
There are, however, difficulties with the Alternative Trigger proposal, as follows.
- It relies on advice from law firms (whose advice would not bind the relevant data protection agency), or on data protection agencies themselves (who are most often reluctant to provide such advice)
- The onus is on individual registries/registrars to invoke the process. There are many smaller registries/registrars that would not have the resources to fund such advice, particularly if it is needed on a case by case basis
- Because laws/regulations on the handling of personal information vary from area to area (whether national or regional), different registries/registrars will be bound by different sets of requirements – in order to comply with the same contractual terms
- It is also not clear why GAC advice is included in both proposed ‘triggers’. The expertise of individual GAC members relates to ICANN’s remit: domain names, IP addresses and protocols - not data protection laws.
The ALAC supports both of the proposals made by Christopher Wilkinson (Appendix 4) which address the issues raised . His first proposal is – at the least – a ‘block exemption’ for all registries/registrars in the relevant jurisdiction. This would eliminate the ‘case by case’ approach to the issue and provide certainty for all registries/registrars (whether large or small) in that area.
His second proposal - a better approach - is his call for a ‘best practice’ policy on the collection, retention and revealing of WHOIS information. This would ensure that, regardless of the jurisdiction of the registrar/registries – and registrants – all would receive the same privacy protection.