Background
ICANN published its Call for Volunteers for the Implementation Advisory Group to Review Existing ICANN Procedure for Handling WHOIS Conflicts with Privacy Laws on 14 October 2014. The IAG will work with ICANN staff on reviewing the current steps of the Procedure and identifying possible changes to the procedure to facilitate resolution of issues where WHOIS requirements conflict with applicable laws. The IAG is expected to explore whether any of the Procedure's elements ought to be amended in order to strike this balance. Any recommended changes made will need to be in line with the Procedure's underlying policy, which was adopted by the GNSO Council in 2005. As a result, recommended changes to the implementation of the procedure, if any, will be shared with the GNSOCouncil to ensure that these do not conflict with the intent of the original policy recommendations.
Draft Statement of Work
Background
In November 2005, the Generic Names Supporting Organization (GNSO) concluded a policy development process (PDP) on WHOIS conflicts with privacy law which recommended that “In order to facilitate reconciliation of any conflicts between local/national mandatory privacy laws or regulations and applicable provisions of the ICANN contract regarding the collection, display and distribution of personal data via the gTLD WHOIS service, ICANN should:
- Develop and publicly document a procedure for dealing with the situation in which a registrar or registry can credibly demonstrate that it is legally prevented by local/national privacy laws or regulations from fully complying with applicable provisions of its ICANN contract regarding the collection, display and distribution of personal data via WHOIS.
- Create goals for the procedure which include:
- Ensuring that ICANN staff is informed of a conflict at the earliest appropriate juncture;
- Resolving the conflict, if possible, in a manner conducive to ICANN's Mission, applicable Core Values, and the stability and uniformity of the WHOIS system;
- Providing a mechanism for the recognition, if appropriate, in circumstances where the conflict cannot be otherwise resolved, of an exception to contractual obligations to those registries/registrars to which the specific conflict applies with regard to collection, display and distribution of personally identifiable data via WHOIS; and
- Preserving sufficient flexibility for ICANN staff to respond to particular factual situations as they arise”.[1]
The ICANN Board adopted the recommendations in May 2006 and the final Procedure was made effective in January 2008. Although to date no registrar or registry operator has formally invoked the Procedure, concerns have been expressed both by public authorities as well as registrars and registry operators concerning potential conflicts between WHOIS contractual obligations and local law.
Given that the WHOIS Procedure has not been invoked and yet numerous concerns have arisen from contracted parties and the wider community, ICANN launched a review as provided for in Step Six of the Procedure, which calls for an annual review of the Procedure’s effectiveness. The review was launched with the publication of a paper for public comment on 22 May 2014.[2] The paper outlined the Procedure’s steps and invited public comments on a series of questions. The body of public comment was analyzed by ICANN staff, and the proposed next step is the formation of an IAG to consider changes to how the Procedure is enacted and used. ICANN staff found common themes among some of the suggestions in the public comments, which may allow for changes to implementation of the Procedure in line with the underlying policy.
The IAG’s recommendation will then be shared with the GNSO Council to determine the next steps.
Mission and Scope
The IAG on the WHOIS National Law Conflicts Procedure is tasked with providing the GNSO Council suggestions on how to improve the current Procedure. The IAG’s mission is to make the Procedure more accessible to contracted parties. Considering that, to date, no party has invoked the Procedure, the IAG’s recommended changes should work toward amending the Procedure in line with the current GNSO policy to provide a more useful tool.
The IAG’s mission and scope will focus on changes to the Procedure and not ICANN’s contractual requirements. Any recommendations made by the IAG will be forwarded to the GNSO Council to determine whether implementation of the Procedure ought to be changed.
As part of its deliberations, the IAG should, at a minimum, consider the following issues that were highlighted in the recent Report of Public Comments on this topic. Those issues include:
- Process: Should the Procedure be revised to allow for invocation prior to contracting?
- If adopted, how would that alter the contracting process?
- What parties would be most appropriate to include at this early stage of the Procedure?
- Trigger: What triggers would be appropriate for invoking the Procedure?
- Would evidence from a data protection authority that the contract is in conflict with national laws be sufficient to trigger the Procedure? If so, how would ICANN define which data protection authority is an acceptable authority? Would the authority have to be a nationally representative body? Should a regional body’s opinion carry the same weight as a national or local authority?
- Similarly, would an official opinion from a government agency provide enough evidence? If so, which agencies would be most appropriate? Would it have to be an agency tasked with data protection? What about a consumer trust bureau or treasury department that includes consumer protections in its mandate? Or would a foreign ministry provide the best source of information? Which bodies would be considered authoritative enough to provide a creditable opinion?
- Would evidence of a conflict from ICANN-provided analysis provide sufficient information to invoke the Procedure? What type of evidence should this analysis cite?
- If the Procedure allowed for a written opinion from a nationally recognized law firm to provide sufficient evidence for a trigger? What types of firms could be considered nationally recognized? Should it be accredited or made to prove its competency? If so, how? What if ICANN receives contradictory opinions from two firms? How is it to determine the more valid argument?
- Public comment: How should public comments be incorporated into the Procedure?
- What role should comments have in ICANN’s decision-making process?
- What length of public comment period is appropriate to ensure that the Procedure is completed in a timely fashion?
- How should comments be analyzed?
- Should public comments be treated as a safeguard in case a decision is flawed?
The IAG should invite participation from other ICANN Supporting Organizations and Advisory Committees, including the GAC.
Membership criteria:
The IAG will be open to all interested in participating. New members who join after certain parts of work has been completed are expected to review previous documents and meeting transcripts. Observers are also welcome to join the IAG. Observers may listen to conference calls, but will not be allowed to provide feedback or contribute to the community wiki, to ensure that volunteers are fully engaged in the IAG’s work.
Important document links:
- ICANN Procedure for Handling WHOIS Conflicts with Privacy Law
- Call for volunteers
- Paper for public comment
Deliverables and timeframe:
The IAG is expected to begin its work in January 2015 and produce its recommendations by June 2015. The group is scheduled to meet via monthly conference call. The recommendations, in the form of a final report, will be presented for public comment in May 2015 and finalized in a report to be submitted in June 2015 to the GNSO Council, which will then determine whether to recommend changes to the implementation of the Procedure.