From: Rafik Dammak Date: Friday, October 19, 2018 To: Cherine Chalaby Subject: NCSG Comment on UAM


Hi,

I am sending here, on behalf of Farzaneh Badiei the NCSG chair, the NCSG submission on UAM.

Thank you.

Best Regards,
Rafik

Non-Commercial Stakeholders Group
Representing the interests and concerns of non-commercial Internet users in domain name policy

19 October 2018

Comments of the Non-Commercial Stakeholders Group on the Unified Access Model dated 20 August 2018

The following document outlines the concerns of the Non-Commercial Stakeholder Group (NCSG) with the Draft Framework for a Possible Unified Access Model for Continued Access to Full WHOIS Data [1], prepared by ICANN org for discussion and released on 20 August 2018.

[1] Draft Framework for a Possible Unified Access Model, 20 August 2018, https://www.icann.org/en/system/files/files/framework-elements-unified-access-model-for-discussion-20aug18-en.pdf

We have divided our comments in this letter into three sections. First, we put forward our procedural concerns regarding this comment process and the manner in which ICANN org has developed the proposed Unified Access Model. Second, we comment substantively on the proposed Unified Access Model itself. We conclude with a series of recommendations that we ask be given serious consideration by ICANN org.

1) Overview

At the moment, many of the ICANN community's most active volunteers are occupied by actively contributing to or monitoring the progress of the Expedited Policy Development Process (EPDP) working group, which was chartered to deliver a triage document of the Temporary Specification, an Initial Report, and a proposed model for a system for providing accredited access. Notably, the question of access is meant to be taken up only after the EPDP team finishes its revision of the Temporary Specification, as these deliberations will inform community decisions about the nature of data access and whether or not there is an underlying need for a framework or implementation scheme.

The proposed framework, which has received no formal mandate from the community, disproportionately favors stakeholders with a vested interest in preserving unlawful access to WHOIS data, to the detriment of data subjects' rights. For this reason, ICANN org's preparation and circulation of a possible unified framework is not only an inappropriate use of scarce resources, but most troublingly of all, a circumvention of established consensus-based multistakeholder processes.

Indeed, the very title of the proposed discussion paper lends credence to our concerns. Consider the following words used:

- "Unified": To reiterate, there is no consensus within the community on whether or not a unified access model is the best approach. This is primarily because unified access does not allow for the consideration of each purpose and request for access based on the GDPR's requisite principle of data minimization. Moreover, it is not clear whether the access model needs to be global or to vary by jurisdiction. As such, the NCSG rejects ICANN org's preemptive and premature use of this term.

- "Continued Access": The NCSG fundamentally disagrees with the premise of third party actors having continued access to full WHOIS data. As we have indicated in previous communications with ICANN org, such access is (and has been) illegal, flouting data subjects' rights and ignoring the risks posed to registrants by allowing commercial actors to harvest their data. In the wake of numerous high-profile scandals resulting from corporate mismanagement of user data, ICANN org minimizes these concerns to its own peril.

- "to Full WHOIS Data": Sustained references to WHOIS data are loaded and unhelpful, as they perpetuate the concept of a public directory. New protocols, notably RDAP, are capable of delivering fine-tuned access for specific requests in accordance with the proportionality and data limitation principles which bound compliance with GDPR. It is this registration data that should be discussed at present. Even if the EPDP comes to the conclusion that a public directory is necessary, such a directory will bear little resemblance to the unlawful WHOIS directory of the past. Thus, framings premised on "Full WHOIS Data" must be abandoned.

- "For discussion": By informally launching a discussion on a topic that falls squarely under the purview of the GNSO, ICANN org has initiated a parallel process that only serves to weaken and undermine the ongoing GNSO policy development process.

Managing the personal data of registrants around the world is one of the most important policy debates that has ever been fought out in this transnational, multistakeholder organization. Certain parts of the community (GAC, SSAC, and ALAC) have thereby been granted extraordinary input into the GNSO's decision-making process. This deviation from community norms should not result in an elimination of established process altogether. If ICANN org is seen to be thwarting process and yielding to the clamoring of state and market actors seeking unfettered access to personal data, it threatens to destroy ICANN's legitimacy to set policy as a multistakeholder organization.

2) Section-Specific Comments

Section A: Introduction

The purpose of the Unified Access Model Document

Once again, the community should first assess the need for and feasibility of a unified access model before trying to build one. This document should not be developed any further until such a community mandate has been conferred.

Section B: Summary of the Framework

Section B discusses using Registration Data Access Protocol to manage requests for personal data. The draft asserts:

"The access model discussed in this paper attempts to provide an alternative, uniform method beyond legal due process for registry operators and registrars to provide continued access to full WHOIS data for legitimate purposes, but recognizes that such an approach may prove to be challenging given the legal parameters of the GDPR, requiring the balancing of legitimate interests with the interests, rights, and freedoms of affected data subjects. Developing a unified approach for proportionate data processing consistent with the GDPR while minimizing the risk of unauthorized and unjustified processing will continue to require careful consideration and consultation with the relevant data protection authorities to develop a legally sustainable solution."

This paragraph seems to reveal intentions to push ahead with a WHOIS 2, despite recognizing its unlawfulness.

In general, the suggested approach excludes the rights of data subjects and limits opportunities for various ICANN stakeholders, including registries and registrars (as long as legitimate third party interest is at stake) to have a say in the process. Instead, disproportionate influence is given to the GAC, which would determine eligible user groups and counsel ICANN on treatment of private parties, while also deciding on requirements for law enforcement authentication. Aside from lacking the expertise to accredit user groups, centralizing crucial decisions within one Advisory Committee opens the door to capture by parties that have an interest in mining, selling, and otherwise abusing access to personal data.

Section C: Background

Pages 4 and 5 of the document lay out the background on the importance of access to personal information of the domain name registrants. While the NCSG agrees that an access system should be in place at some point, the urgency of the matter portrayed by ICANN org is based on pressure from certain parts of the community: namely, third parties who do not have a direct relationship with the end-user or registrant. ICANN org appears to have considered only the comments from the parts of the community that have made use of historical access to the personal information of domain name registrants. However, letters lamenting lack of access do not create legitimate grounds for access to personal information. ICANN org must demonstrate community consensus on the dire urgency of immediate access to justify driving the unified access model outside of the GNSO policy development process.

Section C continues:

"Additionally, various parts of the community, including governments and European data protection authorities have called for community work to develop a unified approach for accessing non-public WHOIS data."

We think this is a flawed and selective interpretation of advice received from the DPAs. In the discussion document, a quote from the Article 29 Working Party is used to justify the statement above, disregarding that the very next lines go on to say:

"It should also be clarified how access shall be limited in order to minimize risks of unauthorized access and use (e.g. by enabling access on the basis of specific queries only as opposed to bulk transfers and/or other restrictions on searches or reverse directory services, including mechanisms to restrict access to fields to what is necessary to achieve the legitimate purpose in question)." [2]

[2] https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-11apr18-en.pdf

In the same letter, the DPAs "welcome[d] the decision of ICANN to propose an interim model which involves layered access." Thus, it appears that the only advice from DPAs that ICANN org has accepted and reproduced are quotes that could be bent into support for unified access.

Terms: Nonpublic WHOIS vs. Personal or sensitive information

Non-public WHOIS data is the personal and sensitive information of domain name registrants. This data is protected under GDPR, which is why ICANN had to make it non-public earlier this year. We ask ICANN org and encourage the ICANN community to replace the term "non-public WHOIS" with "personal and/or sensitive data."

3) Summary of Objections

The NCSG objects to an access model based on eligible user groups.

The disclosure of the personal and sensitive data of domain name registrants to third parties must occur only in accordance with the legal grounds outlined in Articles 4 and 6 of the GDPR. Article 4 outlines the conditions within which data transfers are lawful, and Article 6 comprehensively lists the conditions under which the processing of personal data shall be lawful. In certain circumstances, the disclosure of this personal data may be justified under Article 6(1)(f) of the GDPR, which states the disclosure of data may be justified where:

"...processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data..."

As the GDPR clearly states, third party interests in data processing must be balanced against the interests of the data subject. The personal rights of the data subject must be interpreted narrowly and on a case-by-case basis. In order to do so, each request has to be processed individually, based on strict criteria. User groups are too broad a categorization and do not allow for a narrow interpretation of legitimate interest. Our recommendation here is consistent with the advice that the Article 29 Working Party has previously offered:

"An interest must be sufficiently clearly articulated to allow the balancing test to be carried out against the interests and fundamental rights of the data subject. Moreover, the interest at stake must also be 'pursued by the controller'. This requires a real and present interest, something that corresponds with current activities or benefits that are expected in the very near future. In other words, interests that are too vague or speculative will not be sufficient." [3]

[3] Article 29 Data Protection Working Party: WP 2017, p. 24.

The NCSG objects to the GAC being responsible for defining the eligible parties with legitimate interest

The problem with granting access based on eligible user groups is demonstrated right away when ICANN wants to describe how such eligibility should be determined. ICANN believes the GAC should determine such eligibility since public policy issues should be considered. [4] Unfortunately, the current composition of GAC does not allow this, and we believe they have neither the resources nor the expertise to be able to fulfill this role. While GAC in its communiques urges ICANN to come up with an access model to domain name registrants' personal information, the Data Protection Authorities and the European Data Protection Board inform ICANN that there should be a clear distinction between various data processing activities and the respective purposes pursued by stakeholders and do not solely recommend access mechanisms should be in place. There are many more criteria that the EDPB has highlighted for ICANN in order to be compliant with GDPR. [5] GAC acknowledges the importance of compliance with GDPR but it has not acknowledged under what legal terms should this access be provided and does not have the expertise to do so because DPAs are not a part of GAC as opposed to law enforcement and consumer protection agencies.

[4] See proposed access model dated 20 August 2018, p. 9.
[5] https://edpb.europa.eu/sites/edpb/files/files/news/icann_letter_en.pdf

The NCSG objects to parties with legitimate interests establishing their own requirements for authentication.

By giving stakeholders the power to establish their own requirements, ICANN is permitting, even incentivizing, these actors to set out weak requirements and broad boundaries in order to best deliver valuable data access to their constituents. This approach contravenes the principles of data minimization and moreover elevates the interests of third parties above the rights of the data subjects.

The NCSG objects to granting unlimited access to third parties based on self-described, pre-defined legitimate interests.

Third parties should be granted access only to individual records, in accordance with the legitimate purpose of the request, and should not have bulk access to registration data. This is the only answer compliant with the GDPR. Access to all-you-can-eat, unlimited full registration records should not be allowed by user groups and not determined by authenticating bodies.

The NCSG believes disclosure of domain name registrants' data should be carried out by registrars only.

The guidelines and suggestions ICANN is providing in the Unified Access document are unacceptable. Despite being called framework and guidelines, it provides unworkable solutions such as defining eligible user groups through GAC or having authenticating bodies that might lack neutrality. ICANN's UAM suggested framework is unworkable for the community as most of the groups are excluded from deciding on very critical issues and GAC and interest groups themselves have been suggested to be in charge of formulating safeguards. The document does not provide any legal clarity for the community. The community should come up with an acceptable, consensus-based framework that complies with the law that is cross jurisdictional. ICANN does not have to come up with a model to provide guidelines and legal clarity for the community. This document should be discarded as many of the aspects of its model are not in the interest of data subjects.