[bc-gnso] FW: New ICA Webpost on EU Registrar Exemption from RAA Data Retention Requirements
- To: "bc-gnso@xxxxxxxxx" <bc-gnso@xxxxxxxxx>
- Subject: [bc-gnso] FW: New ICA Webpost on EU Registrar Exemption from RAA Data Retention Requirements
- From: Phil Corwin <psc@xxxxxxxxxxx>
- Date: Mon, 8 Jul 2013 17:03:36 +0000
FYI, just posted this at the ICA website...
http://internetcommerce.org/RAA_data_retention_loophole
EU Registrars Empowered to Seek New RAA Data Retention Exemption
ICANN's Board approved the new Registrar Accreditation Agreement (RAA) on June
27th, and its Resolution doing so noted that "the Board has accepted the GAC
Advice in the Beijing Communiqué that the "2013 Registrar Accreditation
Agreement should be finalized before any new gTLD contracts are approved."" --
and cited as a "highlight" that "The 12 Law Enforcement Recommendations that
served as the impetus for these negotiations are all addressed" including "new
data retention obligations"[1]. However, a newly disclosed June 6th letter
reveals that ICANN was already aware that EU-based registrars would have solid
grounds to seek an exemption from those very data retention obligations.
That letter[2], sent to CEO Fadi Chehade and Board Chairman Steve Crocker, was
signed by Jacob Kohnstamm, Chairman of The Article 29 Working Party on the
Protection of Individuals with regard to the Processing of Personal Data, which is
composed of representatives from the national data protection authorities of
the EU Member States, the European Data Protection Supervisor and the European
Commission.
The letter unequivocally states that "the proposed data retention requirement
violates data protection law in Europe" and therefore "relevant registrars
targeting individual domain name holders in Europe" would violate data privacy
law in 27 EU nations if they complied with it.
These findings were based on two major factors:
* "The proposed new data retention requirement does not stem from any legal
requirement in Europe... Taking into account the diversity of these registrars
in terms of size and technical and organisational security measures, and the
chance of data breaches causing adverse effects to individuals holding a domain
name, the Working Party finds the benefits of this proposal disproportionate to
the risk for individuals and their rights to the protection of their personal
data."
* "[T]he Working Party reiterates its strong objection to the introduction
of data retention by means of a contract issued by a private corporation in
order to facilitate (public) law enforcement...The fact that these personal
data can be useful for law enforcement does not legitimise the retention of
these personal data after termination of the contract. Because there is no
legal ground for the data processing, the proposed data retention requirement
violates data protection law in Europe."
The letter also makes this observation:
"The Working Party notes that ICANN has included a procedure for registrars to
request a waiver from these requirements if necessary to avoid a violation of
applicable data protection law. Such a waiver request can be based on written
guidance from a governmental body of competent jurisdiction providing that
compliance with the data retention requirements violates applicable law.
In order to avoid unnecessary duplication of work by 27 national data
protection authorities in Europe, with this letter, the Working Party wishes to
provide a single statement for all relevant registrars targeting individual
domain name holders in Europe."
The Data Retention Specification (DRS) of the new RAA did not change in any
material way between the June 6th transmittal of the Article 29 WP letter and
the Board's approval of the RAA three weeks later, so the letter appears to
provide EU-based registrars with solid grounds for seeking an exemption from
the requirements.
The DRS authorizes a registrar to provide written notice to ICANN and request a
waiver with a specific term or condition upon:
"receipt of either (i) a written legal opinion from a nationally recognized law
firm in the applicable jurisdiction that states that the collection and/or
retention of any data element specified herein by Registrar is reasonably
likely to violate applicable law (the "Opinion") or (ii) a ruling of, or
written guidance from, a governmental body of competent jurisdiction providing
that compliance with the data collection and/or retention requirements of this
Specification violates applicable law."
The Article 29 WP letter fits squarely within the second provision and we
expect EU-based registrars to seek exemptions soon after they sign the new RAA.
The DRS specifies that after receipt of the waiver request and a good faith
discussion, ICANN's General Counsel may grant a temporary or permanent waiver.
Once ICANN has granted such a waiver to a registrar based in a particular
"jurisdiction" (which may well be interpreted to constitute the entire EU,
rather than a particular member nation) ICANN is generally obliged to grant a
similar waiver to any other registrar in the jurisdiction.
It is also possible that registrars outside the EU may seek a similar waiver,
probably based upon a legal opinion obtained from an EU-based law firm. As
noted above, the letter states that compliance would be unlawful for "relevant
registrars targeting individual domain name holders in Europe" (emphasis
added), and an argument could be made that if a registrar based outside the EU
markets extensively to EU registrants, and they comprise some meaningful
portion of its customers, it must likewise seek a waiver or risk legal
violation - as well as the loss of its EU customers. It also remains to be seen
whether, in a world increasingly concerned about cyber-privacy, EU-based
registrars will gain a competitive advantage with registrants through their
ability to seek waivers - and what the reaction will be from their overseas
counterparts, including those in the U.S.
The new RAA will be required for all registrars that wish to sell domains in
new gTLDs. In addition, many renewing registry agreements require that they
only utilize registrars who have entered into the new RAA once a threshold
based upon registrars serving a specified percentage of their registrants is
reached.
The dialogue within the GAC, and between it and ICANN's Board, is already
likely to be crowded in the upcoming Durban meeting, given recent actions by
ICANN's New gTLD Program Committee that have frozen hundreds of new gTLD
applications - primarily for "closed generics" and for strings involving
regulated industries and/or with restricted registration policies - so it
remains to be seen whether the possibility of EU-based registrars waiving out
of the data retention provisions of the DRS will be added to the lengthy list
of agenda matters requiring discussion.
The most ironic portion of the Article 29 WP letter is its objection to "the
introduction of data retention by means of a contract issued by a private
corporation in order to facilitate (public) law enforcement". ICANN is indeed a
private, non-profit corporation and, lacking sovereign or intergovernmental
agency authority, must rely solely on contracts to enforce compliance by
registries and registrars. And those data retention provisions were inserted at
the insistence of law enforcement officials -- many of them from EU member
nations -- and were accepted by ICANN under strong urging from nation states
participating in the GAC. Indeed, had ICANN failed to include them in the
final RAA it would undoubtedly have faced strong criticism from the GAC. But
now EU registrars can readily arbitrage the differing viewpoints of law
enforcement officials and data protection authorities and obtain a waiver from
those requirements.
[1] See
https://www.icann.org/en/groups/board/documents/resolutions-27jun13-en.htm#2.b
and also http://blog.icann.org/2013/06/board-approves-raa/
[2] Full text available at
http://www.internetnews.me/wp-content/uploads/2013/07/20130606_Letter_to_ICANN.pdf
Philip S. Corwin, Founding Principal
Virtualaw LLC
1155 F Street, NW
Suite 1050
Washington, DC 20004
202-559-8597/Direct
202-559-8750/Fax
202-255-6172/cell
Twitter: @VlawDC
"Luck is the residue of design" -- Branch Rickey