Hi all,
ccTLDs and gTLDs cannot be viewed as the same as they are subject to different regulatory regimes and fall under different models of registration.
For example, in many of the listed ccTLDs, the registrant is
assumed to have a direct contractual relationship with the
registry, so the ability to collect and process data is different
for such registries compared to gTLD registries that have no such
relationship.
While the topics you raise are important and worth further
deliberation, I would propose that these be postponed until after
the ePDP concludes and be included in subsequent, proper policy
work as they are highly contentious issues and focussing on these
now has the potential to derail or at least significantly delay
our output. As we are on a strict timeline, we should focus on the
uncontentious issues first to ensure the Temp Spec can be replaced
in time.
The distinction between legal and natural personas is a red
herring as it does not solve any of the issues. Any data provided
by legal persons may still contain personal data of natural
persons in many of the fields that would be near impossible to
detect for contracted parties.
Further, even if such a distinction were to be found to provide
additional benefits, making such a distinction may perhaps be
possible for new registrations going forward, but it is definitely
near impossible with regard to already existing registrations as
it would require receiving a whois update from all current
registrants. Given the high amount of reluctance in parts of the
community to accept any form of grandfathering or dual system as I
have experienced in the Whois RT2 deliberations, such a dual
system where domain names would be treated different based on
their registration gate, I cannot in good conscience support this
as a way forward either.
But I also have significant doubts that contracted parties could
even rely on such self-declarations of our customers without
facing additional liabilities for public disclosure.
As far as accuracy "verification" goes (which in many cases is
closer to the validation requirements currently included in the
RAA), this is an issue relegated entirely to the contracts of the
contracted parties. Work on this issue is currently ongoing
between ICANN and registrars. Opening this issue up here would
create a double track and be in violation of the process currently
included in the contracts. Many of the ccTLDs also do not face the
same issue that most gTLDs face in that they do not aspire to a
global registrant base and can perform their
validation/verification on a national level, which naturally
reduces costs and provides better results. As soon as
international registrations enter into the picture, the accuracy
of these verification sources drops to unacceptable percentages.
As one example, when Nominet introduced their verification scheme,
the numbers of "failed verifications" for registrations of
registrants outside the UK were horrendous, and Nominet was quick
to treat such registrations with much more leeway than those
inside the UK.
Additionally, in our experience higher requirements on data
accuracy usually lead to more incidents of identity theft since
abusers of the system will always find ways around. Just because a
data set is accurate that does not mean it actually belongs to the
registrant.
Geographic distinction assumes that it is feasible for contracted
parties to differentiate accurately for each data set they receive
which data protection standards apply to that set. That
determination cannot simply be made based on the country code
provided by the registrant however. Further, for many registrars
that process their data in other jurisdictions, that distinction
is pointless. It also places a significant burden on contracted
parties that would have to implement and operate multiple systems
of whois.
Data access: Just so we do not resort to cherry picking, we
should also look at how these registries handle requests for data
access. These registries provide access based on law enforcement,
parties identified in a court order and someone with legitimate
interest. In case of the latter, the legal department makes the
judgement on that. This is exactly what is already in the Temp
Spec, where the registrar makes the judgement regarding the
purported legitimate interest and informs the requester
accordingly.
Best,
Volker
RrSG Alternate