Good afternoon,

Here are two additional documents assigned to me.

The Expert Working Group on gTLD Directory Services (EWG) was formed by ICANN to help resolve the nearly decade-long deadlock within the ICANN community on how to replace the current Whois system. EWG’s mandate is to reexamine and define the purpose of collecting and maintaining gTLD directory services, to consider how to safeguard the data, and to propose a next generation solution that will better serve the needs of the global Internet community.

1) Purposes defined by the EWG

EWG concluded the current Whois model—giving every user the same anonymous public access to gTLD registration data—should be abandoned. Instead, EWG recommended a paradigm shift whereby gTLD registration data is collected, validated and disclosed for permissible purposes only, with some data elements being accessible only to authenticated requestors that are then held accountable for appropriate use. EWG proposed that permissible purposes include domain name control, domain name research, personal data protection, legal actions, technical issue resolution, regulatory/contract enforcement, domain name purchase/sale, individual Internet use, abuse mitigation, and Internet services provision.

2) Centralized or Federated Model?

The selection, implementation and use of a specific Whois database structure (i.e., centralized or federated) should be informed by applicable legal principles of “personal data” protection, but no uniform definition of “personal data” exists and there are various disparities between existing regimes. These differences in data protection regulation raise significant jurisdictional concerns, as well as potential regulatory obstacles on the global collection, processing, and transfer of gTLD registration data that need to be considered when structuring, implementing, and administrating the Whois database replacement platform.

· Notwithstanding the territorial nature of data privacy laws, many such laws have extraterritorial reach.
· The administration of the Whois database may thus implicate the laws of (i) the country where the Whois database platform is located, (ii) the country where the data owner/licensor/controller (controller) is located (i.e., where the registrar, registry, and possibly the Whois database administrator are located to the extent such entities dictate the processing of gTLD registration data), and (iii) the country where the data subjects (e.g., registrants) are located.

· The controlling and most relevant law to consider is the law where the data subject (i.e., registrant) resides, as the ultimate goal of data protection laws is the protection of individual personal data. Hence, the application of data protection laws will depend greatly on (i) where gTLD registration data will be located, (ii) whether ICANN (or the entity administering the database) will be viewed as a controller or processor of such data, and hence have direct compliance obligations, (iii) the obligations imposed on registrars/registries under their agreements with ICANN with respect to gTLD registration data, and (iv) the extent to which local data protection laws apply to registrants.

· The distinction between data controller and data processor is important, as controllers are required to comply with applicable data protection laws, and must impose certain data protection obligations on data processors. Processors are required to abide by the instructions of controllers.

· This will influence the data location and transfer considerations for the Whois replacement platform, whether as a centralized or federated model, and whether the Whois replacement database administrator and/or registrars conduct themselves as controllers in connection with gTLD registration data.

· The most comprehensive data protection and privacy compliance legal framework remains the E.U. Data Protection Directive (E.U.
Directive), Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data => baseline for data protection compliance

Data controllers must process personal data in accordance with the following relevant data privacy and protection principles:

· Purpose limitation: legitimate purposes only.
· Data quality and proportionality: accurate and up to date.
· Transparency: notification of data providers
· Security and confidentiality: protection measures
· Rights of access, rectification, deletion and objection by data subjects
· Sensitive data: additional security measures
· Direct marketing: “opt-out” must be possible
· Data retention: limited time to satisfy the purpose
· Accountability: for data collectors

The transfer of personal data from registrars to ICANN or the designated operator under a centralized model, or the sharing of data between registrars under a federated model, will therefore likely require data subject consent. Data transfers between ICANN or a designated operator and the registrars likely also require that certain contractual obligations be imposed throughout the system.

Choice of accountability and liability of the data controller or the data processor for any data breach or violation of local laws depends on the dependence (or independence) of the processor towards the controller in both models.

Sanctions: Regulatory fines, criminal sanctions, and injunctions on data processing. International transfers of personal data in violation of local data protection laws could also lead to an injunction on data transfers, hampering the effectiveness of the Whois database replacement platform. The availability of such penalties under local data protection regimes will potentially fuel local registrar/registry opposition to a Whois database replacement platform under either of the proposed models.
Again, in some countries the transfer of personal data from registrars to ICANN or the designated operator under a centralized model, or the sharing of data between registrars under a federated model, likely will require the consent of the data subjects. Data transfers between ICANN or the designated operator and the registrars likely also require that certain contractual obligations be imposed throughout the system.

Other issues:

1) various registrars provide an upgraded fee-paying subscription service that addresses personal data privacy and may wish to continue with this source of revenues

2) considerable secure storage capacity. Cloud computing may introduce heightened data security concerns and complicate proportionality in processing, international transfer restrictions, and data storage.

Conclusion: While technical, political and other considerations will inform the implementation of the Whois database replacement platform, both models under consideration raise critical data privacy issues that must be considered.

privacy-proxy-registration services-study 14sep10-en

Domain names can be registered using a Whois privacy or proxy service, which helps limit the amount of users’ personal information that is made public via registrar and registry Whois services. The sample of domain names registered under the top 5 gTLDs indicates that about 18% of them used this type of service. Among these, Whois proxy service registrations were the most common.

Nathalie Coupet