Here is the Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy Law

 Requirements from past accreditation agreements are unchanged:
Registrars must notify registrants:
[UP-D1-R01] 1) Of the purposes for the collection of any personal data
[UP-D1-R02] 2) The intended recipients of the data
[DE-D1-R01] 3) Which data are obligatory
[SM-D1-R01] 4) How to access and rectify any data
[OQ-D1-R01] 5) Data collection may only be conducted with the consent of the registrant.
These requirements are broadly consistent with data privacy and protection expectations and legal requirements in most jurisdictions, and they have underpinned the successful operation of the Internet’s shared registration system for at least the past 15 years.
 
During the negotiation of the 2013 RAA, some registrars expressed concerns that local or national data protection and other privacy laws might make it difficult for them to comply with the new requirements, while law enforcement and intellectual property owners advocated for retention of information in the Data Retention Specification. Accordingly, the 2013 RAA’s Data Retention Specification includes a provision concerning waivers to deal with cases where compliance with the data collection and/or retention requirements might be prohibited by applicable law. Indeed, ICANN contracted parties are obligated to abide by any applicable laws.

Comparison of available processes   
                      
                               
Whois Procedure         RSEP                      
               RAA Data Retention      
                      Waiver*           
How the procedure starts
Notify ICANN after receiving notice of investigation, litigation, regulatory proceeding or other civil action
Registry submits request to ICANN, which completes a preliminary determination
Based on a written opinion from a nationally recognized law firm, or ruling or written guidance from a government body, registrar may apply to ICANN for a waiver. Note: If ICANN has previously waived compliance with the requirements for a registrar located in the same jurisdiction and the applying registrar is subject to the same applicable law, the registrar may request the same waiver.
Consultation/negotiation process
Consult with ICANN and relevant national government
ICANN may approve the request, refer the matter to a Competition Authority, and/or refer the request to RSTEP for a security and stability review
ICANN will discuss the matter with registrar in good faith in an effort to reach a resolution.
Resolution
Board approves or rejects staff recommendation, seeks additional information, schedules public comment or refers to the GNSO for review and comment.
The request is approved or denied by ICANN; some requests have required Board review and approval.
Registrar works with ICANN to reach a solution and ICANN may issue a waiver or modify the requirements.
 
*Data Retention Waiver:
1) Registrars must present ICANN with an opinion from a law firm or a ruling or guidance from a governmental body of competent jurisdiction that states that collecting or retaining one or more data elements in the manner required by the specification violates applicable law. A general assertion that the data collection and Data Retention Specification requirements are unlawful is not sufficient. Rather, the waiver request must specify the applicable law, the specific allegedly offending data collection and/or retention requirement(s), and the manner in which the collection and/or retention violates the law. This specificity helps ICANN to determine the appropriate limitations on the scope and duration of data collection and retention requirements when granting the waiver. This will also help ICANN balance the interests of the registrar, governments, and the broader Internet community when considering granting such waivers.
 
2) The 2013 RAA calls for ICANN and the registrar to discuss data retention waiver requests in good faith in an effort to reach a mutually acceptable resolution. The Data Retention Specification contemplates potential future modifications to the Whois Procedure in section 2: “Until such time as ICANN's Procedure for Handling Whois Conflicts with Privacy Law is modified to include conflicts relating to the requirements of this Specification and if ICANN agrees with Registrar’s determination, ICANN’s office of general counsel may temporarily or permanently suspend compliance and enforcement of the affected provisions of the Data Retention Specification and grant the waiver request. Prior to granting any exemption, ICANN will post its determination on its website for a period of thirty (30) calendar days.” ICANN contemplates that waivers should be tailored to limit the scope and/or duration of data collection and retention as necessary to comply with local law, but will not completely eliminate all requirements for data collection and retention.
Because each country may interpret its data privacy requirements differently, ICANN is working through each of the submitted requests to change Whois data retention requirements, country-by-country. The complexity and diversity of national privacy laws has resulted in considerable investments of time and resources by ICANN and registrars alike. In countries with data privacy laws applicable to registrars, ICANN has found that restrictions generally permit the retention of registration data, but only for legitimate purposes, and for a period no longer than is necessary for the purposes for which the data were collected or for which they are further processed. What constitutes a legitimate purpose and how long data can be retained are complicated questions, and the answers may vary from one country to the next, even within the EU. All EU member states are subject to the same data privacy directive, but individual member state’s legislation implementing the data privacy directive may differ in significant respects.7
In all, 15 requests to waive the Data Retention Specification in the 2013 RAA have been submitted by registrars, all from within the European Union.
For example, on 24 January 2014 ICANN posted the first “Notice of Preliminary Determination to Grant Registrar Data Retention Waiver Request” to Registrar OVH SAS in France. The waiver, which was approved 12 March 2014, permits OVH SAS to maintain certain information specified in part of the Data Retention Specification for the duration of its sponsorship of each registration and for a period of 1 additional year thereafter, rather than 2 years thereafter. The data that ICANN requires to be retained for 180 days would continue to be retained for that 180 day period. ICANN and its outside counsel have been engaged in talks with several other registrars about their waiver requests. On 21 March 2014, ICANN posted another “Notice of Preliminary Determination to Grant Registrar Data Retention Waiver Request” for NAMEWEB BVBA, based in Belgium. The waiver would grant NAMEWEB BVBA the same exemption as OVH SAS.
On 7 May 2014, a “Notice of Potential Grant of Registrar Data Retention Waiver Request,” was posted for registrar Blacknight Internet Solutions Ltd., which is based in Ireland. In this instance, the waiver would change the 2-year retention requirement to 1 year, and the 180 days to 90 days.
The EU’s Article 29 Working Party has also written to ICANN to express its concerns about the legality of the requirements of the 2013 RAA within the EU. ICANN has also received correspondence from the European Data Protection Supervisor urging ICANN to waive the retention period under the 2013 RAA Data Retention Specification to all registrars operating in EU member states.  


https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en


 
Nathalie Coupet