[bc-gnso] FW: Article 29 WP To ICANN - EU Registrars Exempt From New RAA Data Retention Requirements
FYI -- full text of letter attached -- while the letter was sent prior to the adoption of the final RAA, I am told that the relevant provisions are materially unchanged.

The letter states that "the proposed data retention requirement violates data protection law in Europe" and therefore "relevant registrars targeting individual domain name holders in Europe" would violate data privacy law in 27 EU nations if they complied with it. The finding was based on two major factors:

- "The proposed new data retention requirement does not stem from any legal requirement in Europe... Taking into account the diversity of these registrars in terms of size and technical and organisational security measures, and the chance of data breaches causing adverse effects to individuals holding a domain name, the Working Party finds the benefits of this proposal disproportionate to the risk for individuals and their rights to the protection of their personal data."

- "the Working Party reiterates its strong objection to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement."

As the new RAA permits any registrar to seek an exemption from ICANN if provisions of the RAA conflict with local law, we can assume that all EU-based registrars will do so. While not an unintended loophole, this sure creates an unlevel playing field between EU-based registrars and those in other jurisdictions.

http://www.internetnews.me/2013/07/04/article-29-working-party-to-icann-eu-registrars-exempt-from-data-retention-requirements/?utm_source=buffer&utm_campaign=Buffer&utm_content=buffer39245&utm_medium=twitter

Article 29 Working Party To ICANN - EU Registrars Exempt From Data Retention Requirements
By Michele Neylon on July 4, 2013 in icann, policy, privacy, registrars

The 2013 RAA was approved by ICANN's board of directors less than a week ago.
The new contract introduces a number of new obligations on ICANN accredited registrars, among them several related to data validation, verification and retention. The Article 29 Working Party, however, has written to ICANN and made it very clear that it views these requirements as unlawful. While the letter dates from earlier this month, the text of the contract was not changed drastically prior to its acceptance by ICANN's board.

The letter makes reference to the new exemption process that ICANN introduced with this version of the contract, which allows registrars to gain exemptions if contractual obligations conflict with local law.

And what is sure to be welcomed by EU based registrars is the letter's aim - to avoid duplication of work by data protection authorities (and registrars):

"In order to avoid unnecessary duplication of work by 27 national data protection authorities in Europe, with this letter, the Working Party wishes to provide a single statement for all relevant registrars targeting individual domain name holders in Europe."

Here's the letter's full text:

Subject: Statement on the data protection impact of the revision of the ICANN RAA

Dear Mr Crocker and Mr Chehadé,

In the context of ICANN's revision of the Registrar Accreditation Agreement (RAA) and the final RAA Proposal [1], the Working Party on the Protection of Individuals with regard to the Processing of Personal Data (Article 29 WP) [2] wishes to provide a harmonised statement concerning compliance with European data protection law. Following up on our letter of 27 September 2012 [3] and previous contributions to the process of collecting and disclosing WHOIS data [4], this statement specifically addresses the legitimacy of the data retention obligation for registrars, contained in the new RAA.

The Working Party notes that ICANN has included a procedure for registrars to request a waiver from these requirements if necessary to avoid a violation of applicable data protection law.
Such a waiver request can be based on written guidance from a governmental body of competent jurisdiction providing that compliance with the data retention requirements violates applicable law. In order to avoid unnecessary duplication of work by 27 national data protection authorities in Europe, with this letter, the Working Party wishes to provide a single statement for all relevant registrars targeting individual domain name holders in Europe.

The final proposed Data Retention specification roughly distinguishes between name and contact details for the domain name holder (specified in 1.1.1 to 1.1.7) and all other types of data a registrar might collect (specified in 1.2.1 to 1.2.3), such as logfiles and billing records containing the 'means and source of payment', logfiles about the communication with the registrar including source IP address, telephone number, e-mail address, Skype handle or instant messaging identifier, as well as the date, time and time zones of communications. Registrars are required to keep the first category of personal data for a period of two years after the contract for the domain has been ended. The second category of personal data must be retained for six months after the contract has ended. The first category of data includes payment data, defined as: 'card on file', current period third party transaction number, or other recurring payment data.

The proposed new data retention requirement does not stem from any legal requirement in Europe. [5] It entails the extended processing of personal data such as credit card and communication data by a very large number of registrars. The fact that these data may be useful for law enforcement (including copyright enforcement by private parties) does not equal a necessity to retain these data after termination of the contract.
Taking into account the diversity of these registrars in terms of size and technical and organisational security measures, and the chance of data breaches causing adverse effects to individuals holding a domain name, the Working Party finds the benefits of this proposal disproportionate to the risk for individuals and their rights to the protection of their personal data.

Secondly, the Working Party reiterates its strong objection to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement. If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation that meets the demands of article 8 of the European Convention on Human Rights and article 17 of the International Covenant on Civil and Political Rights. The fact that these personal data can be useful for law enforcement does not legitimise the retention of these personal data after termination of the contract. Because there is no legal ground for the data processing, the proposed data retention requirement violates data protection law in Europe.

In general, we repeat that the problem of inaccurate contact details in the WHOIS database cannot be solved without addressing the root of the problem: the unlimited public accessibility of private contact details in the WHOIS database. In that light, the Working Party welcomes the growing number of registries in Europe that are offering layered access to the WHOIS data.

Yours sincerely,
On behalf of the Article 29 Working Party

Philip S. Corwin, Founding Principal
Virtualaw LLC
1155 F Street, NW
Suite 1050
Washington, DC 20004
202-559-8597/Direct
202-559-8750/Fax
202-255-6172/Cell
Twitter: @VLawDC
"Luck is the residue of design" -- Branch Rickey

Sent from my iPad

Attachment: ICANN-RAA_data_retention-Article29WP_Letter_to_ICANN.pdf