AT-LARGE GATEWAY

At-Large Website

ALAC

RALOs

At-Large Regional Policy Engagement Program (ARPEP)

At-Large Governance

At-Large Reports

Policy Comments & Advice

Working Groups

ICANN Meetings

At-Large Summit (ATLAS III)

At-Large Review Implementation Plan Development

ALAC and RALO Elections, Selections, and Appointments

At-Large Priority Activities - 2021

Versions Compared

Old Version 1

changes.mady.by.user Ariel Liang

Saved on

compared with

New Version Current

changes.mady.by.user Ariel Liang

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment Close
Date		Statement
Name 

Status

Assignee(s)

Call for
Comments Open		Call for
Comments
Close 		Vote OpenVote CloseDate of SubmissionStaff Contact and EmailStatement Number
 IAG Initial Report and Proposed Revisions to the ICANN Procedure for Whois Conflicts with Privacy Laws
Status
colourGrey
titleTBC
TBCTBCTBCTBCTBC

No Statement

(The ALT decided that Holly Raiche would submit a personal Statement on this topic)

Main penholders:

Holly Raiche Carlton Samuels

Assisted by:

Christopher Wilkinson

n/an/an/an/an/aTBC
Jamie Hedlund jamie.hedlund@icann.org
TBCn/a

For information about this Public Comment, please click here 
Toggle Cloak

Cloak
visibletrue
bluedefranceAliceblue2dashed

Brief Overview

Purpose: Public comment is sought on Implementation Advisory Group's proposals to improve the current Whois Conflicts Procedure.

Current Status: The Implementation Advisory Group seeks public comment on its proposed revisions to the existing Whois Conflicts Procedure.

Next Steps: The Implementation Advisory Group will incorporate public comments into its preliminary report and submit a final report to GNSO Council for its consideration.

Section I: Description, Explanation, and Purpose

In November 2005, the Generic Names Supporting Organization (GNSO) concluded a policy development process (PDP) on Whois conflicts with privacy law, which recommended the creation of a procedure to address conflicts between a contracted party's Whois obligations and local/national privacy laws or regulations.  A contracted party that credibly demonstrates that it is legally prevented from complying with its Whois obligations can invoke the procedure, which became effective in January 2008. The procedure defines a credible demonstration as one in which the contracted party has received "notification of an investigation, litigation, regulatory proceeding or other government or civil action that might affect its compliance." The procedure has never been invoked. ICANN launched a review of the procedure in May 2014. An Implementation Advisory Group (IAG) was formed and began its work in January 2015. The IAG devoted most of its time discussing whether additional triggers to invoke the procedure should be incorporated and if so how to ensure that they remain consistent with the existing policy. The IAG now submits its initial report for public comment and to the GNSO Council.

Section II: Background

In November 2005, the Generic Names Supporting Organization (GNSO) concluded a policy development process (PDP) on Whois conflicts with privacy law which recommended that, "In order to facilitate reconciliation of any conflicts between local/national mandatory privacy laws or regulations and applicable provisions of the ICANN contract regarding the collection, display and distribution of personal data via the gTLD Whois service, ICANN should:

  • Develop and publicly document a procedure for dealing with the situation in which a registrar or registry can credibly demonstrate that it is legally prevented by local/national privacy laws or regulations from fully complying with applicable provisions of its ICANNcontract regarding the collection, display and distribution of personal data via Whois.
  • Create goals for the procedure which include:
    • Ensuring that ICANN staff is informed of a conflict at the earliest appropriate juncture;
    • Resolving the conflict, if possible, in a manner conducive to ICANN's Mission, applicable Core Values, and the stability and uniformity of the Whois system;
    • Providing a mechanism for the recognition, if appropriate, in circumstances where the conflict cannot be otherwise resolved, of an exception to contractual obligations to those registries/registrars to which the specific conflict applies with regard to collection, display and distribution of personally identifiable data via Whois; and
    • Preserving sufficient flexibility for ICANN staff to respond to particular factual situations as they arise."

The ICANN Board of Directors adopted the recommendations in May 2006 and the final procedure was made effective in January 2008. Although to date no registrar or registry operator has formally invoked the Procedure, concerns have been expressed both by public authorities as well as registrars and registry operators concerning potential conflicts between Whois contractual obligations and local law.

Given that the Whois Procedure has not been invoked and yet numerous concerns have arisen from contracted parties and the wider community, ICANN launched a review as provided for in Step Six of the Procedure, which calls for an annual review of the Procedure's effectiveness. Thereview was launched with the publication of a paper for public comment on 22 May 2014. The paper outlined the Procedure's steps and invited public comments on a series of questions. Following review of the public comments received, this Implementation Advisory Group (IAG) was formed to consider the need for changes to how the Procedure is invoked and used. A few common themes were discerned from some of the suggestions in the public comments, which may allow for changes to implementation of the Procedure in line with the underlying policy.

Section III: Relevant Resources

Section IV: Additional Information

Section V: Reports

Staff Contact

Jamie Hedlund
jamie.hedlund@icann.org

 

FINAL VERSION TO BE SUBMITTED IF RATIFIED

...

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.

 

...

FIRST DRAFT SUBMITTED

The ALAC does not support  the Implementation Advisory Group’s proposed alternative ‘triggers'.  The whole policy framework on which the 'triggers' are based is contrary to the growing body of  inernational law on data protection. Instead, the ALAC supports the “Minority Views’ of Stephanie Perrin and Christopher Wilkinson and their alternative proposals to address the Whois conflicts issues.

The first draft submitted will be placed here before the call for comments beginsoriginal goal of this policy (concluded by the GNSO in November 2005) was to develop procedures that could reconcile mandatory laws on data protection with the requirements on registries and registrars under contract with ICANN for the collection, display and distribution of WHOIS personal information.   

Unfortunately, the Task Force charged with implementing the policy adopted a ‘solution’ that is virtually unworkable and has never been used.  Under the ‘solution’ the registrar/registry should notify ICANN within 30 days of situations (an inquiry, litigation or threat of sanctions) when the registry/registrar can demonstrate that it cannot comply with WHOIS obligations due to local or national data protection laws. 

There are two fundamental reasons why the policy is unworkable. The first is the bizarre  requirement that registrars and registries must seek ICANN permission to comply with their applicable local laws.  The second obvious flaw is that it means registrars/registries must wait until there is an ‘inquiry or investigation' etc of some sort before the process can be triggered.

This Implementation Working Group (IWG) was formed to ‘ consider the need for changes to how the procedure is invoked and used’.  The difficulty with that approach is that it does not address the basic flaws in the processes proposed: it still assumes that ICANN has a role in determining registry/registrar compliance with applicable local law and it still believes that solution lies in legal events that ‘trigger’ a resolution process.

The IWG report proposes an “Alternative Trigger’ (Appendix 1) or a Written Legal Opinion (Dual Trigger) (Appendix 2).  Of the two proposals, the Alternative Trigger process is far simpler and preferable.  Indeed, the language suggests that the process might be used to reconcile ICANN WHOIS requirements with relevant data protection law more generally, and not on just on a case by case basis. 

There are, however, difficulties with the Alternative Trigger proposal, as follows.

  • It relies on advice from law firms (whose advice would not bind the relevant data protection agency), or on data protection agencies themselves (who are most often reluctant to provide such advice)
  • The onus is on individual registries/registrars to invoke the process.  There are many smaller registries/registrars that would not have the resources to fund such advice, particularly if it is needed on a case by case basis
  • Because laws/regulations on the handling of personal information vary from area to area (whether national or regional), different registries/registrars will be bound by different sets of requirements – in order to comply with the same contractual terms
  • It is also not clear why GAC advice is included in both proposed ‘triggers’. The expertise of individual GAC members relates to ICANN’s remit: domain names, IP addresses and protocols - not data protection laws.

The ALAC supports both of the proposals made by Christopher Wilkinson (Appendix 4) which address the issues raised .  His first proposal is – at the least – a ‘block exemption’ for all registries/registrars in the relevant jurisdiction.  This would eliminate the ‘case by case’ approach to the issue and provide certainty for all registries/registrars (whether large or small) in that area. 

His second proposal - a better approach - is his call for a ‘best practice’ policy on the collection, retention and revealing of WHOIS information.  This would ensure that, regardless of the jurisdiction of the registrar/registries – and registrants – all would receive the same privacy protection.