ソースの表示

Comment Close
Date

Statement
Name

Status

Assignee(s)

Call for
Comments Open

Call for
Comments
Close

Vote Open

Vote Close

Date of Submission

Staff Contact and Email

Statement Number

2015/11/17

IAG Initial Report and Proposed Revisions to the ICANN Procedure for Whois Conflicts with Privacy Laws

No Statement

(The ALT decided that Holly Raiche would submit a personal Statement on this topic)

Main penholders:

Holly Raiche Carlton Samuels

Assisted by:

Christopher Wilkinson

n/a

Jamie Hedlund jamie.hedlund@icann.org

n/a

For information about this Public Comment, please click here

Comments Forum

Brief Overview

Purpose: Public comment is sought on Implementation Advisory Group's proposals to improve the current Whois Conflicts Procedure.

Current Status: The Implementation Advisory Group seeks public comment on its proposed revisions to the existing Whois Conflicts Procedure.

Next Steps: The Implementation Advisory Group will incorporate public comments into its preliminary report and submit a final report to GNSO Council for its consideration.

Section I: Description, Explanation, and Purpose

In November 2005, the Generic Names Supporting Organization (GNSO) concluded a policy development process (PDP) on Whois conflicts with privacy law, which recommended the creation of a procedure to address conflicts between a contracted party's Whois obligations and local/national privacy laws or regulations. A contracted party that credibly demonstrates that it is legally prevented from complying with its Whois obligations can invoke the procedure, which became effective in January 2008. The procedure defines a credible demonstration as one in which the contracted party has received "notification of an investigation, litigation, regulatory proceeding or other government or civil action that might affect its compliance." The procedure has never been invoked. ICANN launched a review of the procedure in May 2014. An Implementation Advisory Group (IAG) was formed and began its work in January 2015. The IAG devoted most of its time discussing whether additional triggers to invoke the procedure should be incorporated and if so how to ensure that they remain consistent with the existing policy. The IAG now submits its initial report for public comment and to the GNSO Council.

Section II: Background

In November 2005, the Generic Names Supporting Organization (GNSO) concluded a policy development process (PDP) on Whois conflicts with privacy law which recommended that, "In order to facilitate reconciliation of any conflicts between local/national mandatory privacy laws or regulations and applicable provisions of the ICANN contract regarding the collection, display and distribution of personal data via the gTLD Whois service, ICANN should:

Develop and publicly document a procedure for dealing with the situation in which a registrar or registry can credibly demonstrate that it is legally prevented by local/national privacy laws or regulations from fully complying with applicable provisions of its ICANNcontract regarding the collection, display and distribution of personal data via Whois.
Create goals for the procedure which include:
- Ensuring that ICANN staff is informed of a conflict at the earliest appropriate juncture;
- Resolving the conflict, if possible, in a manner conducive to ICANN's Mission, applicable Core Values, and the stability and uniformity of the Whois system;
- Providing a mechanism for the recognition, if appropriate, in circumstances where the conflict cannot be otherwise resolved, of an exception to contractual obligations to those registries/registrars to which the specific conflict applies with regard to collection, display and distribution of personally identifiable data via Whois; and
- Preserving sufficient flexibility for ICANN staff to respond to particular factual situations as they arise."

The ICANN Board of Directors adopted the recommendations in May 2006 and the final procedure was made effective in January 2008. Although to date no registrar or registry operator has formally invoked the Procedure, concerns have been expressed both by public authorities as well as registrars and registry operators concerning potential conflicts between Whois contractual obligations and local law.

Given that the Whois Procedure has not been invoked and yet numerous concerns have arisen from contracted parties and the wider community, ICANN launched a review as provided for in Step Six of the Procedure, which calls for an annual review of the Procedure's effectiveness. Thereview was launched with the publication of a paper for public comment on 22 May 2014. The paper outlined the Procedure's steps and invited public comments on a series of questions. Following review of the public comments received, this Implementation Advisory Group (IAG) was formed to consider the need for changes to how the Procedure is invoked and used. A few common themes were discerned from some of the suggestions in the public comments, which may allow for changes to implementation of the Procedure in line with the underlying policy.

Section III: Relevant Resources

Policy recommendation and advice on a procedure for handling conflicts between a registrar/registry's legal obligations under privacy laws and their contractual obligations toICANN: http://gnso.icann.org/en/issues/whois-privacy/council-rpt-18jan06.htm
Whois Conflicts Procedure: https://www.icann.org/resources/pages/whois-privacy-conflicts-procedure-2008-01-17-en
Initial Report on the Implementation Advisory Group Review of Existing ICANN Procedure for Handling Whois Conflicts with Privacy Laws [PDF, 617 KB]

Section IV: Additional Information

Appendices 1-4 [PDF, 564 KB]

Section V: Reports

Staff Contact

Jamie Hedlund

jamie.hedlund@icann.org

FINAL VERSION TO BE SUBMITTED IF RATIFIED

The final version to be submitted, if the draft is ratified, will be placed here by upon completion of the vote.

FINAL DRAFT VERSION TO BE VOTED UPON BY THE ALAC

The final draft version to be voted upon by the ALAC will be placed here before the vote is to begin.

FIRST DRAFT SUBMITTED

The ALAC does not support the Implementation Advisory Group’s proposed alternative ‘triggers'. The whole policy framework on which the 'triggers' are based is contrary to the growing body of inernational law on data protection. Instead, the ALAC supports the “Minority Views’ of Stephanie Perrin and Christopher Wilkinson and their alternative proposals to address the Whois conflicts issues.

The original goal of this policy (concluded by the GNSO in November 2005) was to develop procedures that could reconcile mandatory laws on data protection with the requirements on registries and registrars under contract with ICANN for the collection, display and distribution of WHOIS personal information.

Unfortunately, the Task Force charged with implementing the policy adopted a ‘solution’ that is virtually unworkable and has never been used. Under the ‘solution’ the registrar/registry should notify ICANN within 30 days of situations (an inquiry, litigation or threat of sanctions) when the registry/registrar can demonstrate that it cannot comply with WHOIS obligations due to local or national data protection laws.

There are two fundamental reasons why the policy is unworkable. The first is the bizarre requirement that registrars and registries must seek ICANN permission to comply with their applicable local laws. The second obvious flaw is that it means registrars/registries must wait until there is an ‘inquiry or investigation' etc of some sort before the process can be triggered.

This Implementation Working Group (IWG) was formed to ‘ consider the need for changes to how the procedure is invoked and used’. The difficulty with that approach is that it does not address the basic flaws in the processes proposed: it still assumes that ICANN has a role in determining registry/registrar compliance with applicable local law and it still believes that solution lies in legal events that ‘trigger’ a resolution process.

The IWG report proposes an “Alternative Trigger’ (Appendix 1) or a Written Legal Opinion (Dual Trigger) (Appendix 2). Of the two proposals, the Alternative Trigger process is far simpler and preferable. Indeed, the language suggests that the process might be used to reconcile ICANN WHOIS requirements with relevant data protection law more generally, and not on just on a case by case basis.

There are, however, difficulties with the Alternative Trigger proposal, as follows.

It relies on advice from law firms (whose advice would not bind the relevant data protection agency), or on data protection agencies themselves (who are most often reluctant to provide such advice)
The onus is on individual registries/registrars to invoke the process. There are many smaller registries/registrars that would not have the resources to fund such advice, particularly if it is needed on a case by case basis
Because laws/regulations on the handling of personal information vary from area to area (whether national or regional), different registries/registrars will be bound by different sets of requirements – in order to comply with the same contractual terms
It is also not clear why GAC advice is included in both proposed ‘triggers’. The expertise of individual GAC members relates to ICANN’s remit: domain names, IP addresses and protocols - not data protection laws.

The ALAC supports both of the proposals made by Christopher Wilkinson (Appendix 4) which address the issues raised . His first proposal is – at the least – a ‘block exemption’ for all registries/registrars in the relevant jurisdiction. This would eliminate the ‘case by case’ approach to the issue and provide certainty for all registries/registrars (whether large or small) in that area.

His second proposal - a better approach - is his call for a ‘best practice’ policy on the collection, retention and revealing of WHOIS information. This would ensure that, regardless of the jurisdiction of the registrar/registries – and registrants – all would receive the same privacy protection.