Additional triggers and privacy law
Hello all, I am not in favor in creating a "trigger" based on the data retention waiver. First of all, that process was horrible and costly, and I can only conclude that there still Registrars out there that started in 2013, still not have obtained a waiver in 2017. We as an IRT concluded that it is up to the Registrars own due diligence to determine if there is an issue with privacy laws. The rationale behind that is/was simple: 2011, 76 countries having data privacy laws. 2016, 109 countries having privacy laws. 2017, 35 more countries are currently drafting privacy laws. As mentioned before this is a moving target and not up to us to address. That being said, the current solution when it comes to the migration and issues with privacy law is not a solution. I appreciate the fact that Verisign noted it during the comment period, but as several Registrars has mentioned in the past, it is not a good solution. After the latest GNSO meeting I hoped to see some progress on the WHOIS IAG matter, but frankly, with the current speed, I am afraid that the WHOIS IAG will be overtaken by stationary objects. That either means there is a problem or there is not, and I would like to get some input from the IRT on it. If there is no problem, please provide me with some info on why it is not an issue. If it is an issue then how do we address it? We can't tell Registrars you must migrate WHOIS data before X date and if there is a problem then just break the law. We also cannot create a situation that if a Registrar can not migrate the data, run into compliance issues that might end up in de-accreditation of that Registrar, I think we all agree that is just plain silly and the wrong message. My solution here would be, and it is not great, to be honest, that until the matter can be resolved the Registry operator supports both thin and thick whois registrations and shall carry the burden for both systems. The Registrar might also carry a burden here. As they might come into a situation, they are forced to implement RDAP at some point as the rest of the world moves to RDAP. I already see ccTLDs Registries announce RDAP, go figure ;) Would the above solve the issue? And yes I am aware that the above language cannot be added to the draft in its current state, but I am sure staff can come up with something workable here. If the whole idea is plain silly, feel free to kick me under the table here. Theo
Good evening all, I tend to stand with Theo here - forcing (which this is) a registrar to break potential laws is unacceptable and will lead to prosecution of registrar, or worse, ICANN suspension and termination of the registrar - namely throwing the registrar under a bus. The "you have to complete migration by X date", has so many "what if's" between now and that "X" date because law keeps changing. I do not see how we as an IRT can jeopardise a registrants rights. I think Theo had a very good idea, Verisign running a Thin and Thick whois. Its not hard for them to achieve as simply if contacts exist show them at the whois.verisign-grs.com layer, if not, like now, they simply push it onto the registrars (in our case) whois.netearthone.com. Yes Theo is completely correct in that the registrar has operating costs here, which they already have, and should/when RDAP comes into play potentially more costs, but these costs are easier to swallow than the cost of a lawsuit and fine from a local DPA which could run in $100,000's or millions of dollars. ICANN also needs to consider their side of the table, should a registrar be terminated through this policy for not providing data to Verisign, will ICANN indemnify the gaining registrar of the data against any legal action from a DPA because of the migration of data to THICK - or - should ICANN simply indemnify the registrar now as it is forcing registrars through policy to break their local laws ? Kind regards, Chris From: "theo geurts" <gtheo@xs4all.nl> To: gnso-impl-thickwhois-rt@icann.org Sent: Saturday, 21 January, 2017 19:30:06 Subject: [Gnso-impl-thickwhois-rt] Additional triggers and privacy law Hello all, I am not in favor in creating a "trigger" based on the data retention waiver. First of all, that process was horrible and costly, and I can only conclude that there still Registrars out there that started in 2013, still not have obtained a waiver in 2017. We as an IRT concluded that it is up to the Registrars own due diligence to determine if there is an issue with privacy laws. The rationale behind that is/was simple: 2011, 76 countries having data privacy laws. 2016, 109 countries having privacy laws. 2017, 35 more countries are currently drafting privacy laws. As mentioned before this is a moving target and not up to us to address. That being said, the current solution when it comes to the migration and issues with privacy law is not a solution. I appreciate the fact that Verisign noted it during the comment period, but as several Registrars has mentioned in the past, it is not a good solution. After the latest GNSO meeting I hoped to see some progress on the WHOIS IAG matter, but frankly, with the current speed, I am afraid that the WHOIS IAG will be overtaken by stationary objects. That either means there is a problem or there is not, and I would like to get some input from the IRT on it. If there is no problem, please provide me with some info on why it is not an issue. If it is an issue then how do we address it? We can't tell Registrars you must migrate WHOIS data before X date and if there is a problem then just break the law. We also cannot create a situation that if a Registrar can not migrate the data, run into compliance issues that might end up in de-accreditation of that Registrar, I think we all agree that is just plain silly and the wrong message. My solution here would be, and it is not great, to be honest, that until the matter can be resolved the Registry operator supports both thin and thick whois registrations and shall carry the burden for both systems. The Registrar might also carry a burden here. As they might come into a situation, they are forced to implement RDAP at some point as the rest of the world moves to RDAP. I already see ccTLDs Registries announce RDAP, go figure ;) Would the above solve the issue? And yes I am aware that the above language cannot be added to the draft in its current state, but I am sure staff can come up with something workable here. If the whole idea is plain silly, feel free to kick me under the table here. Theo _______________________________________________ Gnso-impl-thickwhois-rt mailing list Gnso-impl-thickwhois-rt@icann.org https://mm.icann.org/mailman/listinfo/gnso-impl-thickwhois-rt
participants (2)
-
Chris Pelling -
theo geurts