ICANN Email List Archives



Comment on ICANN 2013 RAA Data Retention Specification Data Elements and Legitimate Purposes for Collection and Retention

  • To: comments-retention-21mar14@xxxxxxxxx
  • Subject: Comment on ICANN 2013 RAA Data Retention Specification Data Elements and Legitimate Purposes for Collection and Retention
  • From: Mathieu Pitté <mathieu.pitte@xxxxxxxxx>
  • Date: Tue, 22 Apr 2014 02:01:51 +0200

Mathieu PITTÉ

Opinions expressed are my own and do not reflect the views of my employer

April 21st 2014

on ICANN “2013 RAA Data Retention Specification Data Elements
and Legitimate Purposes for Collection and Retention”

1. ICANN's long-lasting failure to understand EU privacy laws and to take
into account EU data protection authorities' contributions

From the beginning of the negotiations about the new RAA, and under GAC
pressure, ICANN has obviously chosen to favor the opinion of law
enforcement agencies and intellectual property owners, while largely
disregarding EU data protection authorities' comments.

On one hand, it has given extensive consideration and deference to law
enforcement demands (“How the Proposed 2013 RAA Addresses Law Enforcement
Recommendations”).

On the other hand it has, in practice, constantly dismissed privacy
authorities’ comments as negligible or not representative of official EU
member States positions. While ICANN has received extensive legal advice
from the Article 29 Working Party and the European Data Protection
Supervisor (On the new RAA topic only, see: 26th September 2012 letter, 6th
June 2013 letter, 8th January 2014 letter, 17th April 2014 letter), it has
never granted them the full consideration it had given to other
institutional stakeholders; for instance:

- During the Durban meeting, ICANN Vice President Namazi declared before
the GAC that the Article 29 Working Party, which comprises the data
protection authorities of EU member states, was “not a legal authority”;

- And, in one of its written answers, ICANN quite naively states that
“Since the European Commission is a member of the GAC, we encourage the
Article 29 Working Party to coordinate with the Commission”.

This unfortunately proves again a total lack of understanding of how the
privacy protection legal framework works under EU law. Independent national
authorities are established to protect citizens' data from misuse by private
companies and public bodies; this means they enjoy total independence not
only from private entities, but also from law enforcement agencies and even
from the executive branch of EU member States' governments and from the
Commission.

2. The legal status of the document under consultation is highly unclear

The document under consultation “Description of 2013 RAA data retention
specification data elements and potentially legitimate purposes for
collection/retention”, if adopted would apparently not be formally part of
the 2013 RAA signed by the registrars. It will thus not be legally binding
for them.

If so, it appears to be more of a public relations tool, but can in no way
stand as a valid legal instrument useful for registrars if they are to face
litigation in any EU jurisdiction.

3. The structure and phrasing of the document are unclear, especially the
“Law enforcement and IP owner considerations”.

While its purpose is to “clarify” data elements in the Data Retention
Specification and describe potentially legitimate purposes, the document
under consultation also contains a last part entitled “law enforcement and
IP owner considerations”. Presented as “A general note”, it doesn’t serve any
of the two defined purposes and restates at length the various opposing
stakeholders’ positions on the subject.

4. The 2013 RAA Data Retention Specification is in breach of EU law and
cannot be salvaged by a “clarification document”

On this subject, see the European Data Protection Supervisor 17th April
2014 letter, which details the main violations:

“[The Specification] should only require collection of personal data, which
is genuinely necessary for the performance of the contract between the
Registrar and the Registrant (e.g. billing) or for other compatible
purposes such as fighting fraud related to domain name registration. This
data should be retained for no longer than is necessary for these purposes.
It would not be acceptable for the data to be retained for longer periods
or for other, incompatible purposes, such as law enforcement purposes or to
enforce copyright.

Processing contrary to these recommendations would be contrary to three key
principles of European data protection law set forth in Directive 95/46/EC.
It would violate the principle of purpose limitation under Article 6(1)(b)
of Directive 95/46/EC, which prohibits the processing of personal data for
incompatible purposes, the requirement under Article 7 of the Directive to
have an appropriate legal ground for the processing of data, such as
contract, consent or the legitimate interest of the controller, and the
requirement of proportionality, including the requirement not to retain
data 'longer than is necessary for the purposes for which the data were
collected or for which they are further processed' (Article 6(1)(e)). These
provisions are specifications of the fundamental rights to privacy and the
protection of personal data laid down in Articles 7 and 8 of the Charter of
Fundamental Rights of the European Union.

Retention of personal data originally collected for commercial purposes,
and subsequently retained for law enforcement purposes, has been the
subject of a recent landmark ruling by the European Court of Justice, which
held Directive 2006/24/EC to be invalid, as an unjustified interference
with those rights. The Court recognised that the retention of personal data
might be considered appropriate for the purposes of the detection,
investigation and prosecution of serious crime, but judged that the
Directive 'exceeded the limits imposed by compliance with the principle of
proportionality'. It is reasonable to expect requirements for retaining
personal data to be subject to increasing scrutiny and legal challenges in
the EU.

Further (...) the current European data protection legislation is under
reform. The European Parliament voted on 12 March 2014 overwhelmingly in
favour of a new General Data Protection Regulation which is designed to
replace Directive 95/46/EC and be directly applicable in each of the
twenty-eight EU Member States. There is therefore now a more compelling
need than ever before for ICANN to apply the waiver of the retention period
under the 2013 RAA Data Retention Specification uniformly to all EU Member
States as requested in the 'harmonised statement' of the Working Party
issued by letter of 6 June 2013”

In our opinion, ICANN should abandon any “clarification document” or
“waiver” type mechanism as regards the respect of fundamental rights by
registrars; on the contrary, it must ensure “that privacy and data
protection are embedded by default, when new tools and instruments or new
internet policies are designed, for the benefit of all”, and enshrine these
principles in the legally binding RAA.

5. Registrars implementing the 2013 RAA now risk administrative and
criminal complaints from EU consumers, privacy and digital rights groups

Since ICANN has been unable to grant them waivers in due time, most 2013
RAA signatories operating in or directing business towards any EU member
states have kept their old privacy and data retention policies unchanged
and are now obviously violating the EU Directive (legitimate purpose rule
breach, proportionality and length of data retention rule breach) as
transposed by Member States into their internal law.

The EU Directive and all national implementing measures provide sanctions
against such infringements. Now that, in light of the recent landmark
ruling of the European Court of Justice invalidating the data retention
directive, national supervision authorities and judges are particularly
sensitive to digital privacy, the time could be right for EU consumers,
privacy and digital rights groups to bring administrative and criminal
complaints against all registrars implementing the 2013 RAA.

In France, for instance, the law provides for administrative sanctions (by
the national supervisory authority, up to 300.000€) and criminal sanctions
(5 years imprisonment and a criminal fine up to 1.5M€).
