Here is the Review of the ICANN Procedure for Handling WHOIS Conflicts with Privacy Law
Requirements from past
accreditation agreements are unchanged:
Registrars must notify
registrants:
[UP-D1-R01] 1) Of the purposes
for the collection of any personal data
[UP-D1-R02] 2) The intended
recipients of the data
[DE-D1-R01] 3) Which data are
obligatory
[SM-D1-R01] 4) How to access
and rectify any data
[OQ-D1-R01] 5) Data collection
may only be conducted with the consent of the registrant.
These requirements are broadly
consistent with data privacy and protection expectations and legal requirements
in most jurisdictions, and they have underpinned the successful operation of
the Internet’s shared registration system for at least the past 15 years.
During the negotiation of the 2013 RAA, some registrars
expressed concerns that local or national data protection and other privacy
laws might make it difficult for them to comply with the new requirements,
while law enforcement and intellectual property owners advocated for retention
of information in the Data Retention Specification. Accordingly, the 2013 RAA’s
Data Retention Specification includes a provision concerning waivers
to deal with cases where compliance with the data collection and/or retention
requirements might be prohibited by applicable law. Indeed, ICANN
contracted parties are obligated to abide by any applicable laws.
|
Comparison of available processes
|
Whois Procedure RSEP
|
RAA Data Retention
Waiver*
|
|
How the procedure starts
|
Notify ICANN after receiving notice
of investigation, litigation, regulatory proceeding or other civil action
|
Registry submits request to ICANN,
which completes a preliminary determination
|
Based on a written opinion from a
nationally recognized law firm, or ruling or written guidance from a
government body, registrar may apply to ICANN for a waiver. Note: If ICANN
has previously waived compliance with the requirements for a registrar
located in the same jurisdiction and the applying registrar is subject to the
same applicable law, the registrar may request the same waiver.
|
|
Consultation/negotiation process
|
Consult with ICANN and relevant
national government
|
ICANN may approve the request,
refer the matter to a Competition Authority, and/or refer the request to
RSTEP for a security and stability review
|
ICANN will discuss the matter with
registrar in good faith in an effort to reach a resolution.
|
|
Resolution
|
Board approves or rejects staff
recommendation, seeks additional information, schedules public comment or
refers to the GNSO for review and comment.
|
The request is approved or denied
by ICANN; some requests have required Board review and approval.
|
Registrar works with ICANN to reach
a solution and ICANN may issue a waiver or modify the requirements.
|
|
|
|
|
|
|
*Data Retention
Waiver:
1) Registrars must present
ICANN with an opinion from a law firm or a ruling or guidance from a
governmental body of competent jurisdiction that states that collecting or
retaining one or more data elements in the
manner required by the specification violates applicable law. A general
assertion that the data collection and Data Retention Specification
requirements are unlawful is not sufficient. Rather, the waiver request must
specify the applicable law, the specific allegedly offending data collection
and/or retention requirement(s), and the manner in which the collection and/or
retention violates the law. This specificity helps ICANN to determine the
appropriate limitations on the scope and duration of data collection and
retention requirements when granting the waiver. This will also help ICANN
balance the interests of the registrar, governments, and the broader Internet
community when considering granting such waivers.
2) The 2013 RAA calls for ICANN
and the registrar to discuss data retention waiver requests in good faith in
an effort to reach a mutually acceptable resolution. The Data Retention
Specification contemplates potential future modifications to the Whois
Procedure in section 2: “Until such time as ICANN's Procedure for Handling
Whois Conflicts with Privacy Law is modified to include conflicts relating to
the requirements of this Specification and if ICANN agrees with Registrar’s
determination, ICANN’s office of general counsel may temporarily or permanently
suspend compliance and enforcement of the affected provisions of the Data
Retention Specification and grant the waiver request. Prior to granting any
exemption, ICANN will post its determination on its website for a period of
thirty (30) calendar days.” ICANN contemplates that waivers should be tailored
to limit the scope and/or duration of data collection and retention as
necessary to comply with local law, but will not completely eliminate all
requirements for data collection and retention.
Because each country may
interpret its data privacy requirements differently, ICANN is working through
each of the submitted requests to change Whois data retention requirements,
country-by-country. The complexity and diversity of national privacy laws
has resulted in considerable investments of time and resources by ICANN and
registrars alike. In countries with data privacy laws applicable to registrars,
ICANN has found that restrictions generally permit the retention of
registration data, but only for legitimate purposes, and for a period no longer
than is necessary for the purposes for which the data were collected or for
which they are further processed. What constitutes a legitimate purpose and
how long data can be retained are complicated questions, and the answers may
vary from one country to the next, even within the EU. All EU member states are
subject to the same data privacy directive, but individual member state’s
legislation implementing the data privacy directive may differ in significant
respects.7
In all, 15 requests to
waive the Data Retention Specification in the 2013 RAA have been submitted by
registrars, all from within the European Union.
For example, on 24
January 2014 ICANN posted the first “Notice of Preliminary Determination to
Grant Registrar Data Retention Waiver Request” to Registrar OVH SAS in France. The waiver, which was approved 12 March 2014,
permits OVH SAS to maintain certain information specified in part of the Data
Retention Specification for the duration of its sponsorship of each
registration and for a period of 1 additional year thereafter, rather than 2 years thereafter. The data that ICANN requires to be retained
for 180 days would continue to be retained for that 180 day period. ICANN and
its outside counsel have been engaged in talks with several other registrars
about their waiver requests. On 21 March 2014, ICANN posted another “Notice of
Preliminary Determination to Grant Registrar Data Retention Waiver Request” for
NAMEWEB BVBA, based in Belgium. The waiver would grant NAMEWEB BVBA the same
exemption as OVH SAS.
On 7 May
2014, a “Notice of Potential Grant of Registrar Data Retention Waiver Request,”
was posted for registrar Blacknight Internet Solutions Ltd., which is based in
Ireland. In this instance, the waiver would change the 2-year retention
requirement to 1 year, and the 180 days to 90 days.
The EU’s Article
29 Working Party has also written to ICANN to express its concerns about
the legality of the requirements of the 2013 RAA within the EU. ICANN has
also received correspondence from the European Data Protection Supervisor
urging ICANN to waive the retention period under the 2013 RAA Data Retention
Specification to all registrars operating in EU member states.
https://www.icann.org/public-comments/whois-conflicts-procedure-2014-05-22-en
Nathalie Coupet