AT-LARGE GATEWAY

At-Large Website

ALAC

RALOs

At-Large Regional Policy Engagement Program (ARPEP)

At-Large Governance

At-Large Reports

Policy Comments & Advice

Working Groups

ICANN Meetings

At-Large Summit (ATLAS III)

At-Large Review Implementation Plan Development

ALAC and RALO Elections, Selections, and Appointments

At-Large Priority Activities - 2021

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 16 Next »

Public Comment CloseStatement
Name 

Status

Assignee(s)

Call for
Comments Open		Call for
Comments
Close 		Vote OpenVote CloseDate of SubmissionStaff Contact and EmailStatement Number

07 July 2017

Revised ICANN Procedure for Handling WHOIS Conflicts with Privacy Law: Process and Next Steps

ADOPTED

13Y, 0N, 1A

Christopher Wilkinson

Assisted by:

Olivier Crépin-Leblond, Bastian Goslings, Werner Hülsmann, Andrei Kolesnikov, Yrjö Länsipuro, Annette Mühlberg, Valentina Pavel, Rainer Rodewald, and Erich Schweighofer 

02 June 2017

26 June 2017

07 July 2017

12 July 2017

07 July 2017

Eleeza Agopian
eleeza.agopian@icann.org

AL-ALAC-ST-0717-01-01-EN

Hide the information below, please click here 

Brief Overview

Purpose: This public comment proceeding seeks to obtain community input on the effectiveness of the updated ICANN Procedure for Handling WHOIS Conflicts with Privacy Law (WHOIS Procedure), which was recently revised to incorporate an "Alternative Trigger," in addition to the existing trigger to invoke the procedure.

Current Status: This assessment is posted for public comment in response to a Generic Names Supporting Organization (GNSO) Council request. Public comment is sought on the assessment of the practicality and feasibility of the additional trigger recently added to the WHOISProcedure, in comparison to the existing trigger to invoke the WHOIS Procedure as well as other triggers.

Next Steps: ICANN will review and summarize the feedback and report back accordingly to the GNSO Council. As directed by the ICANN Procedure for Handling WHOIS Conflicts with Privacy Law, this assessment is intended to inform the next periodic review of the WHOIS Procedure, which will commence no later than 1 October 2017.

Section I: Description and Explanation

In response to a Generic Names Supporting Organization (GNSO) Council request, ICANN staff has published an assessment of the revised ICANN Procedure for Handling WHOIS Conflicts with Privacy Law (WHOIS Procedure), which was made effective on 18 April 2017. Specifically, this paper is intended to collect input on the assessment of the practicality and feasibility of the "Alternative Trigger" recently added in Step One of the WHOIS Procedure, in comparison to the existing trigger to invoke the procedure as well as other triggers previously discussed by the community. Given that the WHOIS Procedure has recently been updated, and no registrar or registry operator to date has formally invoked the procedure, this analysis is based on community discussions and input received during the previous review of the procedure that will allow for evaluation of the triggers required for invoking the procedure. It also draws upon ICANN's experience administering other processes where a contracted party is seeking ICANN's approval for new services, or waiving certain contractual requirements, as a point of comparison for the implementation of the procedure.

The existing trigger in the original WHOIS Procedure allows a registry operator or ICANN-accredited registrar to invoke the procedure if they are in receipt of a notification of an action that its compliance with WHOIS obligations are prevented by local laws. With the additional trigger, a registry operator or ICANN-accredited registrar may now also invoke the procedure by providing ICANN with a written statement from the applicable government agency responsible for enforcing its data privacy laws indicating that a WHOIS obligation in an ICANN contract conflicts with such applicable national law.

This paper outlines a set of questions for discussion that the ICANN community, including contracted parties, data protection agencies, law enforcement and other relevant parties may want to consider regarding the revised WHOIS Procedure and the process itself. The community is encouraged to offer thoughtful comments on utility of the triggers in the updated WHOISProcedure or suggestions on how to move forward with the review. Feedback is especially important to ensure that all issues that need to be considered are identified and examined in the upcoming review.

Section II: Background

In November 2005, the GNSO concluded a policy development process (PDP) establishing a procedure to allow gTLD registry operators and ICANN-accredited registrars to demonstrate when they are prevented by local laws from fully complying with the provisions of their respective ICANN contracts regarding personal data in WHOIS. The ICANN Board of Directors adopted the recommendations in May 2006 and directed staff to develop such a procedure. A contracted party that credibly demonstrates that it is legally prevented from complying with its WHOIS obligations can invoke the procedure, which became effective in January 2008. To date, the procedure has never been invoked. ICANN launched a review of the procedure in May 2014 and concluded that review with the recently adopted update to the WHOIS Procedure.

Following a Call for Volunteers addressed to all interested parties, an Implementation Advisory Group (IAG) was formed to review the implementation of the policy recommendations and began its work in January 2015. The IAG devoted most of its time to discussing whether additional triggers to invoke the procedure should be incorporated and, if so, how to ensure that they remain consistent with the existing policy.

In May 2016, the IAG submitted its final report [PDF, 155 KB] to the GNSO Council and recommended that the WHOIS Procedure be revised to incorporate an "Alternative Trigger," in addition to the existing trigger to invoke the procedure. In February 2017, the GNSO Council passed a resolution adopting IAG's recommendation and confirmed that the modification to the WHOIS Procedure does not change the intent of the original GNSO policy recommendations.

Section III: Relevant Resources

Section IV: Additional Information

Section V: Reports

Staff Contact

Eleeza Agopian
eleeza.agopian@icann.org

 

FINAL VERSION TO BE SUBMITTED IF RATIFIED

The final version to be submitted, if the draft is ratified, will be placed here by upon completion of the vote. 

 

FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.

ICANN Procedure For Handling WHOIS Conflicts with Privacy Law

The At-Large Advisory Committee wishes to respond to the public consultation. Although At-Large members participated in the WHOIS-IAG during 2016, we do not believe that the comments of our members as well of others looking for a truly implementable solution were adequately taken into consideration by the IAG and the ICANN staff in the final draft now under public consultation.

I.          The procedure, as eventually revised on the basis of the IAG report, would include significant shortcomings which ALAC does not accept:

  1. The Procedure does not create a level playing field among Registrars. On the contrary, Registrars (and some Registries) subject to privacy laws would have to undertake an onerous case-by-case procedure to obtain the right from ICANN to respect their domestic privacy laws. Whereas Registrars operating out of other jurisdictions would be free to ignore privacy laws which pertain elsewhere. That outcome is inconsistent with ICANN's responsibility for maintaining the conditions of fair competition among Registries and Registrars.
  2. The Procedure is manifestly inefficient: We have been informed that the pre-existing procedure has hardly ever been used! Which means in practice, that Registrars subject to privacy laws have effectively functioned outside applicable local law and their Registrants' personal data have been potentially exposed to bulk downloads and other abuses, without their authorisation and possibly without their knowledge.

    We see no elements in the revised procedure to suggest that in future the procedure would be more regularly used and implemented.
  3. The Procedure still requires that the local agency responsible for compliance shall be empowered to enforce the law (Paragraphs 1a), ii), (f) and (g) of the Procedure). On the contrary there are many regulatory agencies responsible for the implementation of public policy that do not have, in and of themselves, the power of enforcement. ICANN's position presupposes that applicable law can be ignored until it is “enforced”. ALAC cannot support such an anti-social attitude to applicable laws.
  4. The International Legal environment for privacy protection is rapidly evolving:
    We understand that, at least in the European Union and associated countries, the General Data Protection Regulation (GDPR) will shortly introduce a more stringent, uniform and enforceable data protection law throughout that jurisdiction. This would render the proposed ICANN Procedure obsolete.

Independently of the EU GDPR, the ALAC rejects the proposed Procedure for the reasons outlined in Points 1-3, above.

Although this is not the place to address the GDPR in detail, and if our recommendations below are not retained, we suggest that the proposed Procedure should be put on hold, until the implications of GDPR for ICANN have been thoroughly reviewed.



II.        Alternative approaches

The ALAC recommends that ICANN adopt an entirely different approach to the protection of privacy in all DNS related applications, notably WHOIS and its successor implementations. It proposes two alternative approaches, one long term and one short term:

II.A     The preferred long-term policy would be for ICANN to study globally, international best practice in privacy protection, which might arrive in the form of GDPR or indeed any other local privacy law.

It is not unusual for ICANN to implement best practice that goes beyond current applicable local laws:

- Trademark protection in the DNS clearly goes beyond anything that can be ensured on the basis of national laws alone;

- we are not aware of any network security policies elsewhere which go beyond SSAC's advice and implementation in ICANN's operations;

- we expect that the global protection of geographical terms and geographical indications throughout the DNS will in due course in practice extend beyond those provided for by national laws alone.

Accordingly, we have no hesitation to formally request that ICANN study global best practices in the matter of the protection of personal data with the aim to find a satisfactory solution for all parties.

II.B      In the short term, we note that the WHOIS IAG was offered an alternative “easier” solution to the issue in the form of a “block exemption” for EU-based and other Registries and Registrars subject to local privacy laws incompatible with ICANN contracts and procedures. That option was rejected by the IAG and ICANN staff.

The ALAC prefers this option at the present time, as a short term solution until another more elaborate long term solution is found. II.B is the only solution that would be immediately workable.

The ALAC is on record for supporting accurate WHOIS records and whilst understanding the complexity of this topic, it is sensitive of the need to balance the Privacy of individuals with the identification of companies trading on the Internet and the needs of those dealing with cyber abuses such as phishing, malware and spam. The ALAC understands that ICANN will be attempting to satisfy GDPR issues as a matter of priority, but as an interim short term position we would support a block exemption.

 

FIRST DRAFT SUBMITTED

The first draft submitted will be placed here before the call for comments begins.

DRAFT Rev 2 02/06/2017

ICANN Procedure For Handling WHOIS Conflicts with Privacy Law

Response to the public consultation

The At Large Advisory Committee wishes to respond to the public consultation. Although a few of our members participated in the WHOIS-IAG during 2016, we are not satisfied that their advice and other contributions have been adequately taken into consideration by the IAG and the ICANN staff in the final draft now under public consultation.

I. The procedure, as eventually revised on the basis of the IAG report, would include still significant shortcomings which ALAC cannot accept in the interest of the privacy of Internet users.:

  1. The Procedure does not create a level playing field among Registrars. On the contrary, Registrars (and some Registries) subject to privacy laws would have to undertake an onerous case-by-case procedure to obtain the right from ICANN to respect their domestic privacy laws. Whereas Registrars operating out of other jurisdictions would be free to ignore privacy laws which pertain elsewhere. (Point 5, below refers.) That outcome is inconsistent with ICANN's responsibility for maintaining the conditions of fair competition among Registries and Registrars.

  2. The Procedure is manifestly inefficient: We have been informed that the pre-existing procedure has hardly ever been used! Which means in practice, that Registrars subject to privacy laws have effectively functioned outside applicable local law and their Registrants' personal data have been potentially exposed to bulk downloads and other abuses, without their authorisation and possibly without their knowledge. Although we see some elements in the revised procedure that in future the procedure would be more regularly used and implemented, however, it is still far too bureaucratic: 

  3. The revised Procedure would still require a “notification of an investigation, litigation, regulatory processing or other governmental or civil action”, or, as an alternative trigger, a written statement from the agency, e.g. the local data protection authority, that Registry or Registrar may violate local law in fulfilling the he RAA. It is an excessive work for many Data Protection Authorities, Registries and Registrars, to establish evident facts. No Registry or Registrar based in Europe can comply with both GDPR and RAA. ALAC cannot support such an anti-social attitude to applicable laws where Registries and Registrars have to be subject to a formal investigation procedure in order to start the procedure.

  4. The international legal environment for privacy protection is rapidly evolving: We understand that – at least in the European Union and associated countries – the General Data Protection Regulation (GDPR) – will shortly introduce a more stringent, uniform and enforceable data protection law throughout that jurisdiction. This would render the proposed ICANN Procedure obsolete and superfluous

  5. The Procedure is not inclusive: ICANN's position ignores that several million .com/.net/.org domain etc. names are registered by European individuals or businesses  with a US-based registrar that publishes personal data that are not allowed to be published under the GDPR. Although this is not the place to address the GDPR in detail, we suggest that the proposed Procedure should be put on hold, until the implications of GDPR for ICANN have been thoroughly reviewed.

    Meanwhile – independently of the EU GDPR – ALAC rejects the proposed Procedure for the reasons outlined in Points 1-3, above.

II. An Alternative approach:

ALAC recommends that ICANN adopt an entirely different approach to the proaction of privacy in all DNS related applications, notably WHOIS and its successor implementations.

II.A The preferred policy would be for ICANN to implement globally, international best practice in privacy protection. Currently that would appear to be the EU GDPR, although there may well be enhancements arising from better implementations elsewhere.

It is not unusual for ICANN to implement best practice that goes beyond current applicable local laws:

  • Trademark protection in the DNS clearly goes beyond anything that can be ensured on the basis of national laws alone;
  • we are not aware of any network security policies elsewhere which go beyond SSAC's advice and implementation in ICANN's operations;
  • we expect that the global protection of geographical terms and geographical indications throughout the DNS will in due course in practice extend beyond those provided for by national laws alone.

Accordingly, we have no hesitation to formally request that ICANN implement global best practice in the matter of the protection of personal data.

II.B We note that the WHOIS IAG was offered an alternative 'easier' solution to the issue in the form of a 'block exemption' for EU-based and other Registries and Registrars subject to local privacy laws incompatible with ICANN contracts and procedures. That option was also rejected by the IAG and ICANN staff.

ALAC does not support this option at the present time, on the understanding that:

(a) the 'Best Practices' option II.A will be implemented quickly, and

(b) the proposed Procedure will be withdrawn.

  • No labels