From: rt4-whois-bounces@icann.org [mailto:rt4-whois-bounces@icann.org] On Behalf Of Nettlefold, Peter
Sent: Wednesday, August 17, 2011 9:39 AM
To: rt4-whois@icann.org
Cc: Kathy Kleiman
Subject: [Rt4-whois] FW: Applicable laws [SEC=UNOFFICIAL]
Hi all,
Thanks to Lynn and Kathy for continuing our discussions on these important issues.
These were key issues I struggled with in drafting the accessibility/privacy part of the gaps chapter, which I circulated yesterday for comment.
After reading the public submissions to our discussion paper, it seems clear that some people are worried about the privacy implications of WHOIS. It was raised by many respondents to our paper, and acknowledged as a valid concern by many others.
However, I don't see a compelling case for us to catalogue all potential applicable privacy or data protection laws as a way to take this forward. In practice, I think this would be very difficult, and arguably of limited use. Even if every GAC member provided details of every potentially applicable law, this would not cover every country, and would only cover contributing countries at a set point in time. Further, what would we do with this data? How would we reconcile the inevitable differences?
Arguably, any conflict with national law (whether it relates to 'sensitive' information, or other personal information) is intended to be addressed by ICANN's consensus procedure. The consensus procedure was developed by the ICANN community to deal with specific conflicts with national law. Whether and how it has been used may therefore provide us some guidance about any actual conflicts and how they've been handled. I see that Denise has undertaken to get back to us shortly with an answer to this - thanks Denise! The answer to this may provide useful insights into whether that particular procedure is effective or needs modification to deal with specific legal situations, and it could also clarify the potential extent of existing legal conflicts.
For the procedure to be effective, there is no need to catalogue applicable laws in advance. Personally, I can't see any way to replace this (or a similar) case-by-case procedure with a more prescriptive universal mechanism based on a survey of applicable laws, nor any way to anticipate all potential legal conflicts in advance.
There is then the additional question of whether we're only interested in situations where there is a conflict with a national law? If so, then we need to consider whether there needs to be any additional protections beyond the existing procedure.
On balance, my position is that we should consider some way to acknowledge the privacy concerns of individuals, including those that may not be addressed by ICANN's existing consensus procedures and policies. The problem is how to do this without facilitating the unregulated and widely abused privacy/proxy situation that we now have.
This is what I tried to address in the draft gaps chapter. The proposed recommendations at the end of that chapter are intended to provide a framework for a balanced, open and accountable privacy regime, while acknowledging that much of the detail (such as what data could be 'protected' or 'limited', and standardised processes for release of that data when needed) would rightly be developed through existing ICANN community (and cross community) processes.
I look forward to further discussion on this as we move forward.
Cheers,
Peter
From: rt4-whois-bounces@icann.org [mailto:rt4-whois-bounces@icann.org] On Behalf Of Kathy Kleiman
Sent: Wednesday, 17 August 2011 2:30 PM
To: rt4-whois@icann.org; lynn@goodsecurityconsulting.com
Subject: Re: [Rt4-whois] Applicable laws
Dear Lynn and All,
I wanted to say how much I appreciate Lynn posting the key regional data protection frameworks to the group. I think they are very important, and she and I have discussed the need for us to look at them more closely in relation to the Whois data. I hope we can do this soon!
Regarding sensitive vs private data, I wanted to add my views as an attorney who specializes in the area of data protection and privacy since starting my telecommunications practice in 1993. While sensitive data may focus on the areas of financial, birth, religion, health, and let's add political affiliation and sexual orientation, that's not where the story ends.
Data protection and privacy laws certainly consider home address, home phone number, and now cell phone data as "private" or "personal data." Certainly telecommunications laws in the US, as one example, regularly protect the right of a person to "opt-out" of sharing their home address or home phone number in a public directory as a matter of personal privacy. In fact, opt-out in directories was chosen by a majority of Californians when last I researched it (and the state protects privacy as part of its state constitution) because home addresses and home phone numbers are considered very personal information, and worthy of protection.
These are the very elements that have been such an issue of controversy within the ICANN arena. Over the last decade, as part of the history of Whois within ICANN, at least four Data Protection Commissioners and their senior staffs have warned ICANN about the problems of this data, and its data protection implications. They are very concerned with the elements now collected and published in the Whois. I will gather their letters to ICANN and share them, as well as notes of the speeches they have given. I would like to request that we ask ICANN Staff to work with us on this important matter as well.
Ultimately, I do not think this is a matter for us to decide on (which may relieve everyone greatly). As many of you know, I have been thinking about this issue a great deal. I will be submitting a recommendation to our Team asking that GAC provide ICANN with clear information about relevant applicable laws, including data protection laws, and their guidance, based on these laws, as to the elements of the Whois now published. I'll distribute this before our meeting tomorrow.
All the best,
Kathy
Since data privacy is an area of specialization for me, I would like to offer a couple of comments on the dialogue about privacy laws.
Although WHOIS data contains personal data, it does not have any data elements that are considered to be "sensitive" in nature. The focus and priority of data protection authorities throughout the world is on protection of sensitive data such as financial account details, date of birth, religious affiliations, medical conditions, etc.
For global, multi-national organizations who need to develop and maintain policies regarding the collection and use of personal data, there are multi-lateral privacy frameworks and principles that have been accepted and are well established including:
1) OECD Guidelines on the Protection of Privacy and Transborder Flows
2) UN Guidelines Concerning Computerized Personal Data Files
3) EU Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data
4) APEC Privacy Framework
Since ICANN is headquartered in the State of California and the United States, I would note that California has an Office of Privacy Protection. At the national level, the U.S. Federal Trade Commission has been accepted as the equivalent of a Data Protection Authority.
Hope these brief comments are helpful.
Lynn
_______________________________________________
Rt4-whois mailing list
Rt4-whois@icann.org
https://mm.icann.org/mailman/listinfo/rt4-whois
--
-------------------------------------------------------------------------------
The information transmitted is for the use of the intended recipient only and may contain confidential and/or legally privileged material. Any review, re-transmission, disclosure, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited and may result in severe penalties.
If you have received this e-mail in error please notify the Security Advisor of the Department of Broadband, Communications and the Digital Economy, 38 Sydney Ave, Forrest ACT 2603, telephone (02) 6271-1376 and delete all copies of this transmission together with any attachments.
Please consider the environment before printing this email.
-------------------------------------------------------------------------------
Dear Peter and all,
Please note that there is one occasion where the procedure for handling WHOIS conflicts with privacy law has been applied in practice, relating to .TEL, see http://www.icann.org/en/announcements/announcement-2-19oct07.htm (announcement of Telnic's proposed change and opening of a public comment period) and http://www.icann.org/en/minutes/minutes-18dec07.htm (the Board minutes with the decision on the matter).
In this case, the procedure is invoked as a "draft Procedure", since the .TEL matter was addressed before the procedure was formally in force, see http://www.icann.org/en/processes/icann-procedure-17jan08.htm.
Denise may have additional information to supply when the sun rises in California - I just wanted to provide this piece well before our call today.
Very best regards
Olof
There was also a situation with .NAME in which they negotiated a different Whois policy. I think it may have been upfront, as part of the contract, but I seem to recall discussions about ICANN's procedure for handling Whois conflicts with privacy law as part of the overall discussion. (Background: .NAME, which focused on personal email addresses based on last names, was based in the EU, and I believe in a Scandinavian country, and they consulted with their data protection commissioner from the start.)
Best,
Kathy
But Peter,
Isn't the question of laws the very essence of what the GAC should be advising ICANN on? The Affirmation of Commitments sets out a very clear guideline: and requires our (WRT) evaluation "subject to Applicable Laws." It is a key important definitional question; it is a key important legal one. We have addressed the first, but not the second in detail. It is key that the ICANN community grow to understand the key laws that fit under Applicable Law. It's not just a "we've been contacted by law enforcement and need to change our Whois policy" (the "after-the-fact" discussion which is what the narrow current procedure requires) -- but a proactive, upfront approach that allows registrars and registries to operate within the bounds of their laws from the start and seems entirely consistent with the wording of the Affirmation of Commitments. If GAC can't provide guidance on these key legal issues, who can?
Best,
Kathy
Peter wrote:
<<However, I don't see a compelling case for us to catalogue all potential applicable privacy or data protection laws as a way to take this forward. In practice, I think this would be very difficult, and arguably of limited use. Even if every GAC member provided details of every potentially applicable law, this would not cover every country, and would only cover contributing countries at a set point in time. Further, what would we do with this data? How would we reconcile the inevitable differences?
Arguably, any conflict with national law (whether it relates to 'sensitive' information, or other personal information) is intended to be addressed by ICANN's consensus procedure. The consensus procedure was developed by the ICANN community to deal with specific conflicts with national law. Whether and how it has been used may therefore provide us some guidance about any actual conflicts and how they've been handled. I see that Denise has undertaken to get back to us shortly with an answer to this - thanks Denise! The answer to this may provide useful insights into whether that particular procedure is effective or needs modification to deal with specific legal situations, and it could also clarify the potential extent of existing legal conflicts.
For the procedure to be effective, there is no need to catalogue applicable laws in advance. Personally, I can't see any way to replace this (or a similar) case-by-case procedure with a more prescriptive universal mechanism based on a survey of applicable laws, nor any way to anticipate all potential legal conflicts in advance.
There is then the additional question of whether we're only interested in situations where there is a conflict with a national law? If so, then we need to consider whether there needs to be any additional protections beyond the existing procedure.
On balance, my position is that we should consider some way to acknowledge the privacy concerns of individuals, including those that may not be addressed by ICANN's existing consensus procedures and policies. The problem is how to do this without facilitating the unregulated and widely abused privacy/proxy situation that we now have.
This is what I tried to address in the draft gaps chapter. The proposed recommendations at the end of that chapter are intended to provide a framework for a balanced, open and accountable privacy regime, while acknowledging that much of the detail (such as what data could be 'protected' or 'limited', and standardised processes for release of that data when needed) would rightly be developed through existing ICANN community (and cross community) processes.
I look forward to further discussion on this as we move forward.
Cheers,
Peter
*From:*rt4-whois-bounces@icann.org [mailto:rt4-whois-bounces@icann.org] *On Behalf Of *Kathy Kleiman *Sent:* Wednesday, 17 August 2011 2:30 PM *To:* rt4-whois@icann.org; lynn@goodsecurityconsulting.com *Subject:* Re: [Rt4-whois] Applicable laws
Dear Lynn and All, I wanted to say how much I appreciate Lynn posting the key regional data protection frameworks to the group. I think they are very important, and she and I have discussed the need for us to look at them more closely in relation to the Whois data. I hope we can do this soon!
Regarding sensitive vs private data, I wanted to add my views as an attorney who specializes in the area of data protection and privacy since starting my telecommunications practice in 1993. While sensitive data may focus on the areas of financial, birth, religion, health, and let's add political affiliation and sexual orientation, that's not where the story ends.
Data protection and privacy laws certainly consider home address, home phone number, and now cell phone data as "private" or "personal data." Certainly telecommunications laws in the US, as one example, regularly protect the right of a person to "opt-out" of sharing their home address or home phone number in a public directory as a matter of personal privacy. In fact, opt-out in directories was chosen by a majority of Californians when last I researched it (and the state protects privacy as part of its state constitution) because home addresses and home phone numbers are considered very personal information, and worthy of protection.
These are the very elements that have been such an issue of controversy within the ICANN arena. Over the last decade, as part of the history of Whois within ICANN, at least four Data Protection Commissioners and their senior staffs have warned ICANN about the problems of this data, and its data protection implications. They are very concerned with the elements now collected and published in the Whois. I will gather their letters to ICANN and share them, as well as notes of the speeches they have given. I would like to request that we ask ICANN Staff to work with us on this important matter as well.
Ultimately, I do not think this is a matter for us to decide on (which may relieve everyone greatly). As many of you know, I have been thinking about this issue a great deal. I will be submitting a recommendation to our Team asking that GAC provide ICANN with clear information about relevant applicable laws, including data protection laws, and their guidance, based on these laws, as to the elements of the Whois now published. I'll distribute this before our meeting tomorrow.
All the best, Kathy
Since data privacy is an area of specialization for me, I would like to offer a couple of comments on the dialogue about privacy laws.
Although WHOIS data contains personal data, it does not have any data elements that are considered to be "sensitive" in nature. The focus and priority of data protection authorities throughout the world is on protection of sensitive data such as financial account details, date of birth, religious affiliations, medical conditions, etc.
For global, multi-national organizations who need to develop and maintain policies regarding the collection and use of personal data, there are multi-lateral privacy frameworks and principles that have been accepted and are well established including:
1) OECD Guidelines on the Protection of Privacy and Transborder Flows
2) UN Guidelines Concerning Computerized Personal Data Files
3) EU Directive 95/46/EC on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data
4) APEC Privacy Framework
Since ICANN is headquartered in the State of California and the United States, I would note that California has an Office of Privacy Protection. At the national level, the U.S. Federal Trade Commission has been accepted as the equivalent of a Data Protection Authority.
Hope these brief comments are helpful.
Lynn
_______________________________________________ Rt4-whois mailing list Rt4-whois@icann.org <mailto:Rt4-whois@icann.org> https://mm.icann.org/mailman/listinfo/rt4-whois
--
*-------------------------------------------------------------------------------*
The information transmitted is for the use of the intended recipient only and may contain confidential and/or legally privileged material. Any review, re-transmission, disclosure, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited and may result in severe penalties.
If you have received this e-mail in error please notify the Security Advisor of the Department of Broadband, Communications and the Digital Economy, 38 Sydney Ave, Forrest ACT 2603, telephone (02) 6271-1376 and delete all copies of this transmission together with any attachments.
Please consider the environment before printing this email.
*-------------------------------------------------------------------------------*
I think the point Peter is making, and I concur, is that it is impossible to exhaustively list "all" applicable laws. As a thought exercise, while we *might* be able to do it at any point in time, consider that laws change and what was applicable today may not be applicable tomorrow, or vice versa. Additionally, "the law" is not just what is written, but how that writing is interpreted over time. Interpretation is subject to change and consequently so is "the law". IMO, applicable law is grey, not black and white. I'm comfortable with the ambiguity, both the fact and necessity of it.
On Aug 17, 2011, at 7:34 AM, Kathy Kleiman wrote:
But Peter, Isn't the question of laws the very essence of what the GAC should be advising ICANN on? The Affirmation of Commitments sets out a very clear guideline: and requires our (WRT) evaluation "subject to Applicable Laws." It is a key important definitional question; it is a key important legal one. We have addressed the first, but not the second in detail. It is key that the ICANN community grow to understand the key laws that fit under Applicable Law. It's not just a "we've been contacted by law enforcement and need to change our Whois policy" (the "after-the-fact" discussion which is what the narrow current procedure requires) -- but a proactive, upfront approach that allows registrars and registries to operate within the bounds of their laws from the start and seems entirely consistent with the wording of the Affirmation of Commitments. If GAC can't provide guidance on these key legal issues, who can?
Best, Kathy
Peter wrote:
<<However, I don’t see a compelling case for us to catalogue all potential applicable privacy or data protection laws as a way to take this forward. In practice, I think this would be very difficult, and arguably of limited use.
Participants (4): Kathy Kleiman; Nettlefold, Peter; Olof Nordling; Smith, Bill