Public Comment Close: 10 September 2021
Statement Name: ALAC Minority Statement on EPDP-TempSpec Phase 2A Final Report
Status: ADOPTED (15Y, 0N, 0A)
Assigned Working Group: CPWG
Assignee(s):
Call for Comments Open: 07 September 2021
Call for Comments Close: 10 September 2021
Vote Open: 10 September 2021
Vote Close: 13 September 2021
Date of Submission: 10 September 2021
Staff Contact and Email:
Statement Number: AL-ALAC-ST-0921-01-02-EN


FINAL VERSION SUBMITTED (IF RATIFIED)

The final version to be submitted, if the draft is ratified, will be placed here upon completion of the vote.



FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.



DRAFT SUBMITTED FOR DISCUSSION

The first draft submitted will be placed here before the call for comments begins. The Draft should be preceded by the name of the person submitting the draft and the date/time. If, during the discussion, the draft is revised, the older version(s) should be left in place and the new version along with a header line identifying the drafter and date/time should be placed above the older version(s), separated by a Horizontal Rule (available + Insert More Content control).

Revised: Alan Greenberg, 8 Sept 2021, 04:30 am UTC. - https://docs.google.com/document/d/1pBWDtOJFO0clcWd56HGgxNDYJMkpk1682VJlsG8i_O4/edit

Redline version


Hadia ElMiniawi

9/7/2021 at 09:14 UTC

AT-LARGE ADVISORY COMMITTEE

ALAC Minority Statement  –  DRAFT (Still to be discussed)


The ALAC recognizes and appreciates the work of the EPDP Phase 2A team, the efforts of the chair, vice chair and the liaison to the GNSO council as well as the dedication and efforts of the ICANN org support staff. The ALAC recognizes as well the importance of the registration data to various community members such as consumer protection agencies, law enforcement authorities and cybersecurity investigators and the crucial role they play in protecting everyday Internet users, registrants, customers, businesses and the entire online population.    

Recognizing the important role of the Internet in the everyday life of people all over the world and the role the registration data plays in allowing users to have a safe and secure online experience, it is important to strike a balance between the protection of registrants’ personal information and users’ experience, safety and security. Redacting data that is not protected by data protection laws does not allow the right balance to occur.

The EPDP phase 2A final report includes useful recommendations that, from a technical point of view, set the foundation for the distinction between legal and natural person data and provide guidance on how such distinction should happen. Nevertheless, the ALAC, though supporting the EPDP phase 2A final report in its entirety (This phrase needs further discussion), is concerned about the recommendations’ usage and the real current benefit to the public.

In this Minority statement, the ALAC is concerned about the following aspects of the recommendations of the Phase 2A final report and their impact on the security and safety of everyday Internet users:

  • Not mandating differentiation between legal and natural person data,
  • Not mandating the usage of the common data element by all contracted parties,
  • Actual policy recommendations related to how and when differentiation between natural and legal persons should happen, and
  • Lack of means to contact registrants


Not mandating differentiation between legal and natural person data

According to ICANN Bylaws section 4.6. (e) (i) and (ii), ICANN shall use commercially reasonable efforts to enforce its policies relating to registration directory services, and the board shall cause a periodic review to assess the effectiveness of the then current gTLD registry directory service, and whether its implementation meets the needs of law enforcement, promoting consumer trust, and safeguarding registrant data.

Recognizing the EU GDPR recital number 14, which says “this regulation does not cover the processing of personal data, which concerns legal persons, and in particular, undertakings established as legal persons, including the name and the form of the legal person and the contact details of the legal person.”

Recognizing the EDPB letter to ICANN CEO Goran Marby in July of 2018. The letter says “personal data identifying individual employees (or third parties) acting on behalf of the registrant should not be made publicly available by default in the context of WHOIS” and says “If the registrant provides (or the registrar ensures) generic contact information (e.g. admin@domain.com), the EDPB does not consider that the publication of such data in the context of WHOIS would be unlawful as such.”

Recognizing Bird & Bird legal advice received on 6 April 2021, in relation to comparing the legal risks for contracted parties associated with publishing personal data based on the registrant’s consent on the one hand and publishing personal data based on a registrant’s self-identification of the data as either containing legal person data only or also containing natural person data, while taking all necessary safeguards, on the other hand. If contracted parties rely on self-characterization in publishing legal person data, while taking all necessary safeguards, including identifying that legal person data does not include personal information, they should generally only be liable should they fail to properly address a complaint about the data.

The EU GDPR does not protect legal person data; the EDPB letter to ICANN in July of 2018 confirms that if the legal registrant provides (or the registrar ensures) generic contact information, the EDPB does not consider the publication of such data in the context of WHOIS as unlawful; Bird & Bird advice provided in April of 2021 suggests that contracted parties’ liability is much less should they choose to publish legal person data based on self-characterization rather than publishing legal person data based on consent; and ICANN’s bylaws require ensuring that registration data meets the needs of law enforcement and promotes consumer trust.

Taking into consideration all of the above, and that the Registration Data Directory Service (RDDS) is a public good that protects the global online users and the GDPR and similar privacy laws are a public good that protect the registration data of registrants, a right balance needs to occur for the benefit of the public. This right balance cannot be achieved if more data than what is required by law and legislation is redacted.

Accordingly, the ALAC for the benefit of the Internet end users cannot support not mandating differentiation between natural and legal person data.

 

Not mandating the usage of the common data element by all contracted parties

The proposed common data element/elements in recommendation number one allows for eight possible different values including “the legal status distinction was not made” and “the presence of personal data wasn’t determined”. Those two statuses allow for contracted parties who do not differentiate to make use of the newly defined field and not only those who choose to make a distinction between the data of legal and natural persons.

According to the EPDP phase 1 and phase 2 final reports recommendations, the contracted parties (CPs) must update their current registration data directory service (RDDS)

Recognizing, RDAP gTLD Profile and the RDDS consistent labeling and display policy, which are community efforts to improve the system used to discover who controls a domain name (The system consists of data retrieval protocols and databases controlled by registries and registrars that contain domain name information).

Mandating the use of the common data element by all contracted parties allows similar processes to be followed by all CPs across the globe, whether they differentiate or not.

However, the deficiency of the recommendation does not only lie in the fact that it does not ensure that the element is used by all CPs, but it goes further by not mandating the usage of the element by CPs that do differentiate. That is, we are creating a common element that no one is required to use, defeating the purpose behind the creation of common ways of doing things and opening the door to fragmentation.

 

Actual policy recommendations related to how and when differentiation between natural and legal persons should happen

Recommendations number two and three address how and when differentiation between natural and legal persons needs to happen. However, all that is provided in the recommendations is mere advice. For new registrations, if the distinction between legal and natural person data does not happen at registration time, given the fact that most of the registrars do not interact much with registrants, the chance of actually making the distinction becomes very low. Although some CPs might choose to differentiate between natural and legal persons, not following a process that in reality allows for differentiation would still lead to no differentiation. The ALAC is of the view that certain aspects of the guidance should be mandatory, such as the time at which the distinction between natural and legal persons happens and the time at which the legal registrant confirms whether the data includes personal information or not.


Lack of means to contact registrants 

Recommendation number four addresses the issue of publishing a registrant-based email address or a registration-based email address. However, there was a suggestion to make web forms, which are commonly used to contact registrants, more effective, but the suggestion was deemed out of scope. Although the question posed by council was concerned with email addresses, trying to improve an existing method to contact registrants could possibly achieve comparable results to email addresses. The ALAC regrets that web forms were not pursued.

To that end, the ALAC appreciates that the team was able to reach consensus regarding the creation of a common data element that will set the technical foundation for differentiating between the data of legal and natural persons. However, because the usage of the field is optional, even by CPs who choose to differentiate, the ALAC sees very little current benefit to the public. In addition, the way the rest of the recommendations were formed allows for minimal actual impact on the RDDS and benefit to the public.