You are welcome Steve,

I guess we will wait for further responses as my brain is fried at the moment; a 16-hour work day will do that to you. Though in my little world, it makes sense they are not certified for that aspect. I mean we only send them domain name and name servers, nothing else (in a nutshell).

Slightly off topic, but can you mention those registries not on the list? Or perhaps we should do this offlist? Not that I am asking you to do my leg work, but it sounds like you hit the same problem as me. A lot of Registries rely on a backend operator. That is where the actual data goes to.

So in some cases, you have to dig deeper, and in some cases, like very obvious registries, you find out they use a backend in Europe :)

Have a good one,

Theo


On 31-8-2016 21:05, Metalitz, Steven wrote:
Thanks Theo. I did check the Safe Harbor list and found some major registries not on it or not referencing Whois data in their self-certification. Verisign was in the latter category. But awaiting further responses.

Steve





-----Original Message-----
From: theo geurts [gtheo@xs4all.nl]
Sent: Wednesday, August 31, 2016 11:49 AM Pacific Standard Time
To: Metalitz, Steven; 'Anderson, Marc'; gnso-impl-thickwhois-rt@icann.org
Subject: Re: [Gnso-impl-thickwhois-rt] Draft Thick Whois memo to the GNSO

Hi Steve,

Good questions, I'll let Marc come up with his own answers.

Just to point out on 1 though, USA back end Registries did rely on Safe Harbor. You can still look them up here: https://safeharbor.export.gov/list.aspx

I already reached out to several of them, and they informed me they are in the process of getting certified for Privacy Shield. I as an EU based Registrar have a duty to make sure that when I send data to USA based companies they are Privacy Shield certified. If they are not certified then I am breaking the law.

Keep in mind though that Privacy Shield itself is just a formality to send data to the USA. Privacy Shield itself is not enough. So as an EU Registrar I cannot put my feet on the table and relax that dealing with a Privacy Shield certified company is enough.

Privacy Shield is a framework, nothing more; a Privacy Shield certified company can still be in violation of the EU directive. As such, an EU Registrar has to make sure that the USA based Privacy Shield Registry back end provider is not in violation of the directive.
This puts a huge burden on the Registry but also on the Registrar. Within the thin WHOIS model, this burden does not apply.

The Dutch Government introduced an additional requirement in 2014 that certain IT companies actually have to audit the American companies they do business with.
Currently, this does not apply to Dutch Registrars. But these things, as we know, can change (laws change all the time). Though I think I wouldn't mind a few trips to the USA to audit some Registries :)

Best regards,

Theo

On 31-8-2016 17:37, Metalitz, Steven wrote:

Thanks for providing this draft, Marc.  A couple of questions about it on a quick read:

 

(1) The first two developments to which you cite are the invalidation of the US-EU Safe Harbor Program and the adoption of the EU-US Privacy Shield framework to replace it. My impression is that US registries generally did not rely upon the Safe Harbor in processing thick Whois data (e.g., receiving Whois data containing personally identifiable information from European registrars and making it available through registry Whois), and so would not have been directly impacted by its invalidation. Is my impression wrong? If I am correct then what is the relevance of either the Safe Harbor or the Privacy Shield in this context?

(2) The last paragraph refers to data localization laws apart from EU privacy/data protection laws. Can you be more specific? I note that the Russian law was referenced in footnotes 2 and 10 of the legal review provided to the IRT in June 2015, are there other issues not covered by that analysis?

(3) If the IRT were to send this letter, the GNSO council might well ask what (if anything) we are asking them to do. How would you respond?

 

Steve Metalitz

 


Steven J. Metalitz | Partner, through his professional corporation

T: 202.355.7902 | met@msk.com

Mitchell Silberberg & Knupp LLP | www.msk.com

1818 N Street NW, 8th Floor, Washington, DC 20036

 


 

From: gnso-impl-thickwhois-rt-bounces@icann.org [mailto:gnso-impl-thickwhois-rt-bounces@icann.org] On Behalf Of Anderson, Marc
Sent: Friday, August 26, 2016 3:21 PM
To: gnso-impl-thickwhois-rt@icann.org
Subject: [Gnso-impl-thickwhois-rt] Draft Thick Whois memo to the GNSO

 

Dear Colleagues,

 

During the IRT meetings held at ICANN 56 Helsinki, Joe Waldron raised concerns with the changing landscape of Privacy Laws, in particular with regard to the EU.  He pointed out that recommendation #3 of the Thick Whois policy directs the IRT to notify the GNSO should privacy issues emerge that were not anticipated by the working group.  The IRT agreed that we have an obligation to notify the GNSO and asked Verisign to draft a proposed memo from the IRT to the GNSO.

 

Please find attached that draft memo outlining the obligation and the reasons why we think it is necessary to provide that notification at this time.

 

Thank you,

Marc

 

 

Verisign

Marc Anderson
mcanderson@verisign.com

m: 571.521.9943 t: 703.948.3404
12061 Bluemont Way, Reston, VA 20190

VerisignInc.com


 

 



_______________________________________________
Gnso-impl-thickwhois-rt mailing list
Gnso-impl-thickwhois-rt@icann.org
https://mm.icann.org/mailman/listinfo/gnso-impl-thickwhois-rt