Once again, my apologies for missing the meeting. I have listened
to the recording, and I can see I missed an interesting meeting.
I would like to offer my views on why the procedure and the remedies
discussed are off the mark. I am not a lawyer, but I did spend ten
years in the Canadian government working on the privacy standard
which we attempted to take to ISO, and the law which passed
parliament and is in force today (PIPEDA). During that period (the
1990s) I did considerable research on how to legislate privacy for
the private sector, particularly in a federal jurisdiction, and had
the opportunity to hold workshops with data protection authorities
to discuss powers and what provisions work better than others, to
consult with the European Commission, and converse with privacy
scholars. It is this experience that I hope might make my remarks
useful to the discussion. I also served two years as the Director
of Policy and Research in our federal DPA's office, and spoke many
years ago on WHOIS issues on behalf of the office at the Vancouver
meeting. Still, remember that my remarks are those of a non-lawyer
and therefore an amateur.
1. On the issue of whether a data protection authority is
legitimate....that is an excellent question. Unfortunately for
those wishing to harmonize, different jurisdictions may have
authority...in the Canadian context, it is hard to predict whether
or not a provincial data commissioner might think they have
jurisdiction. Where there is none, the federal commissioner
assuredly would. I have written a textbook on our law, but I would
not be brave enough to offer a view on that, and I believe it is
likely the matter would have to be settled in Court. With respect,
I doubt you will get an authoritative answer from our GAC
representative, so I don't think that is a fruitful avenue to
explore as I am sure this will be true for many countries. I really
don't think ICANN should put users in the position of having to take
matters to Court to prove a point, and I believe this is where that
question would have to be resolved.
2. In some countries matters relating to the domain industry might
be covered under other laws than data protection law, a point that
was made yesterday. Many of those laws could not necessarily be
interpreted reliably until they go to Court, so I believe you are in
the same situation there. The fact is, ICANN matters with respect
to privacy and constitutional rights (against search and seizure)
have essentially not been litigated. Are you embarking on a policy
route that will ensure the matters do get litigated?
3. On the issue of enforcement powers....if I understand the
argument here, some parties believe that if a DPA simply writes a
letter indicating that in their opinion the requirements imposed by
ICANN violate the DP law, this is not sufficient unless the official
writing the letter has the power to enforce that opinion.
Unfortunately, not all data protection commissioners have binding
powers. Many new laws are "light touch", where states have decided
to see whether organizations will fall in line with the new laws in
this relatively young area of law, before loading on criminal
sanctions and powers to stop commercial activity. Some DPAs are
more like Ombudsmen than judges. Some DPAs have the power to take a
matter to the Court to request enforcement: this is the case in
Canada with the national law. You are therefore pushing end users
who are aggrieved to take registrars to Court. Volker Greimann made
the point yesterday that if ICANN is going to put registrars in
legal jeopardy in this way, they should cover the liability. In my
view, he is missing a whole area of financial risk that goes far
beyond the Court costs. If end users crowd source class action or
cases for higher courts to settle this matter and stop what they
might regard (rightly or wrongly, it does not matter) as
surveillance, it will certainly be the registrars who pay...not just
in legal costs and potential damages, but in loss of customer trust
and damage to their brands. If I were a registrar, I would find
this totally and utterly unacceptable.
4. Just to be clear, on the matter of whether a letter from a DPA
without enforcement powers is enough.....an end user/registrant who
received such an opinion would be well armed to take a civil action
against the registrar in question, at least in my jurisdiction.
Tort law increasingly is being used in privacy invasion cases. This
would probably be cheaper and easier than fighting it through the
higher courts. Damages are often higher too.
5. I don't actually understand, given what I know about how data
protection law works, how this procedure could have been accepted in
the first place. I would suggest that before ICANN attempts to fix
the procedure, they need to consult broadly with data protection
authorities. The Article 29 group sent a letter giving an
authoritative opinion for Europe. Many of the DPAs who form that
group are legally constrained from offering such an opinion
precisely because they have binding powers.....so you have put
registrars in a catch-22. ICANN will not accept a letter from a
group that is mandated by the Directive that sets the standard for
data protection law in Europe, because they are not actually the
body that enforces law, and demands instead that authorities who
have enforcement powers send them a letter. DPAs with enforcement
powers are likely to be constrained from offering an opinion,
precisely because they have binding powers and the status of a
judge. These are matters well understood in the data protection
authority community, why don't you talk to them? A cynic might be
forgiven for suspecting that this Catch 22 was engineered precisely
to prevent registrars from abiding by data protection/constitutional
requirements, precisely because those who are familiar with DP law
easily can spot that Catch 22. I fear that the letter the
registrars are going to get is a summons to Court...but as I said
before, I am not a lawyer and I do not pretend to understand
European law.
I doubt that this is helpful, but I did want to get it on the
record. If you do ask for public comments on this procedure, you
may get more informed opinion. If you don't, please don't assume
that the matter ends there. Privacy advocates do not have this
matter on their radar at the moment, but post-Snowden irritation
with business cooperating under the table with law enforcement is at
a very high level. I would suggest that you do not want 500
comments from irate global experts; it may put registrars in more
jeopardy.
I will turn my attention now to providing comments on the draft
text. Once again, my apologies for missing this important
discussion.
Kind regards,
Stephanie Perrin
NCSG
On 2015-03-03 14:44, Maria Otanes wrote:
Hello all,
Attached, please find the Agenda for tomorrow's call and
Draft Redline and Notes based on the last meeting.
I'm updating the calendar invite with the Adobe Connect link
for the call, but you may also find the information at the
bottom of this email. The call is scheduled for tomorrow, March
4th, at 13:00-14:30 UTC.
If you have any questions, please let me know.
Kind regards,
Ria
***Upon logging into Adobe Connect,
a pop up window will provide you the option to dial out to
your phone. Enter your phone number, + country, phone
number***
If you are unable to log into Adobe
Connect and can only join via phone or Skype: [Select *6 to
mute and unmute on the call]
Participant Passcode: 351 598 2074