ICANN Email List Archives

[bc-gnso]



[bc-gnso] FW: New ICA Webpost on EU Registrar Exemption from RAA Data Retention Requirements

  • To: "bc-gnso@xxxxxxxxx" <bc-gnso@xxxxxxxxx>
  • Subject: [bc-gnso] FW: New ICA Webpost on EU Registrar Exemption from RAA Data Retention Requirements
  • From: Phil Corwin <psc@xxxxxxxxxxx>
  • Date: Mon, 8 Jul 2013 17:03:36 +0000

FYI, just posted this at the ICA website...


http://internetcommerce.org/RAA_data_retention_loophole

EU Registrars Empowered to Seek New RAA Data Retention Exemption

ICANN's Board approved the new Registrar Accreditation Agreement (RAA) on June 
27th, and its Resolution doing so noted that "the Board has accepted the GAC 
Advice in the Beijing Communiqué that the "2013 Registrar Accreditation 
Agreement should be finalized before any new gTLD contracts are approved."" -- 
and cited as a "highlight" that "The 12 Law Enforcement Recommendations that 
served as the impetus for these negotiations are all addressed" including "new 
data retention obligations"[1]. However, a newly disclosed June 6th letter 
reveals that ICANN was already aware that EU-based registrars would have solid 
grounds to seek an exemption from those very data retention obligations.
That letter[2], sent to CEO Fadi Chehade and Board Chairman Steve Crocker, was 
signed by Jacob Kohnstamm, Chairman of The Article 29 Working Party on the 
Protection of Individuals with regard to the Processing of Personal Data, which 
is composed of representatives from the national data protection authorities of 
the EU Member States, the European Data Protection Supervisor and the European 
Commission.
The letter unequivocally states that "the proposed data retention requirement 
violates data protection law in Europe" and therefore "relevant registrars 
targeting individual domain name holders in Europe" would violate data privacy 
law in 27 EU nations if they complied with it.
These findings were based on two major factors:

  *   "The proposed new data retention requirement does not stem from any legal 
requirement in Europe... Taking into account the diversity of these registrars 
in terms of size and technical and organisational security measures, and the 
chance of data breaches causing adverse effects to individuals holding a domain 
name, the Working Party finds the benefits of this proposal disproportionate to 
the risk for individuals and their rights to the protection of their personal 
data."
  *   "[T]he Working Party reiterates its strong objection to the introduction 
of data retention by means of a contract issued by a private corporation in 
order to facilitate (public) law enforcement...The fact that these personal 
data can be useful for law enforcement does not legitimise the retention of 
these personal data after termination of the contract. Because there is no 
legal ground for the data processing, the proposed data retention requirement 
violates data protection law in Europe."
The letter also makes this observation:
"The Working Party notes that ICANN has included a procedure for registrars to 
request a waiver from these requirements if necessary to avoid a violation of 
applicable data protection law. Such a waiver request can be based on written 
guidance from a governmental body of competent jurisdiction providing that 
compliance with the data retention requirements violates applicable law.
In order to avoid unnecessary duplication of work by 27 national data 
protection authorities in Europe, with this letter, the Working Party wishes to 
provide a single statement for all relevant registrars targeting individual 
domain name holders in Europe."
The Data Retention Specification (DRS) of the new RAA did not change in any 
material way between the June 6th transmittal of the Article 29 WP letter and 
the Board's approval of the RAA three weeks later, so the letter appears to 
provide EU-based registrars with solid grounds for seeking an exemption from 
the requirements.
The DRS authorizes a registrar to provide written notice to ICANN and request a 
waiver with a specific term or condition upon:
"receipt of either (i) a written legal opinion from a nationally recognized law 
firm in the applicable jurisdiction that states that the collection and/or 
retention of any data element specified herein by Registrar is reasonably 
likely to violate applicable law (the "Opinion") or (ii) a ruling of, or 
written guidance from, a governmental body of competent jurisdiction providing 
that compliance with the data collection and/or retention requirements of this 
Specification violates applicable law."
The Article 29 WP letter fits squarely within the second provision and we 
expect EU-based registrars to seek exemptions soon after they sign the new RAA. 
The DRS specifies that after receipt of the waiver request and a good faith 
discussion, ICANN's General Counsel may grant a temporary or permanent waiver. 
Once ICANN has granted such a waiver to a registrar based in a particular 
"jurisdiction" (which may well be interpreted to constitute the entire EU, 
rather than a particular member nation) ICANN is generally obliged to grant a 
similar waiver to any other registrar in the jurisdiction.
It is also possible that registrars outside the EU may seek a similar waiver, 
probably based upon a legal opinion obtained from an EU-based law firm. As 
noted above, the letter states that compliance would be unlawful for "relevant 
registrars targeting individual domain name holders in Europe" (emphasis 
added), and an argument could be made that if a registrar based outside the EU 
markets extensively to EU registrants, and they comprise some meaningful 
portion of its customers, it must likewise seek a waiver or risk legal 
violation - as well as the loss of its EU customers. It also remains to be seen 
whether, in a world increasingly concerned about cyber-privacy, EU-based 
registrars will gain a competitive advantage with registrants through their 
ability to seek waivers - and what the reaction will be from their overseas 
counterparts, including those in the U.S.
The new RAA will be required for all registrars that wish to sell domains in 
new gTLDs. In addition, many renewing registry agreements require that they 
only utilize registrars who have entered into the new RAA once a threshold 
based upon registrars serving a specified percentage of their registrants is 
reached.
The dialogue within the GAC, and between it and ICANN's Board, is already 
likely to be crowded in the upcoming Durban meeting, given recent actions by 
ICANN's New gTLD Program Committee that have frozen hundreds of new gTLD 
applications - primarily for "closed generics" and for strings involving 
regulated industries and/or with restricted registration policies - so it 
remains to be seen whether the possibility of EU-based registrars waiving out 
of the data retention provisions of the DRS will be added to the lengthy list 
of agenda matters requiring discussion.
The most ironic portion of the Article 29 WP letter is its objection to "the 
introduction of data retention by means of a contract issued by a private 
corporation in order to facilitate (public) law enforcement". ICANN is indeed a 
private, non-profit corporation and, lacking sovereign or intergovernmental 
agency authority, must rely solely on contracts to enforce compliance by 
registries and registrars. And those data retention provisions were inserted at 
the insistence of law enforcement officials -- many of them from EU member 
nations -- and were accepted by ICANN under strong urging from nation states 
participating in the GAC.  Indeed, had ICANN failed to include them in the 
final RAA it would undoubtedly have faced strong criticism from the GAC. But 
now EU registrars can readily arbitrage the differing viewpoints of law 
enforcement officials and data protection authorities and obtain a waiver from 
those requirements.
[1] See 
https://www.icann.org/en/groups/board/documents/resolutions-27jun13-en.htm#2.b 
and also http://blog.icann.org/2013/06/board-approves-raa/

[2] Full text available at 
http://www.internetnews.me/wp-content/uploads/2013/07/20130606_Letter_to_ICANN.pdf




Philip S. Corwin, Founding Principal
Virtualaw LLC
1155 F Street, NW
Suite 1050
Washington, DC 20004
202-559-8597/Direct
202-559-8750/Fax
202-255-6172/cell

Twitter: @VlawDC

"Luck is the residue of design" -- Branch Rickey

