Comment on ICANN 2013 RAA Data Retention Specification Data Elements and Legitimate Purposes for Collection and Retention
Mathieu PITTÉ
Opinions expressed are my own and do not reflect the views of my employer.
April 21st 2014

Comment on ICANN “2013 RAA Data Retention Specification Data Elements and Legitimate Purposes for Collection and Retention”

1. ICANN's long-lasting failure to understand EU privacy laws and to take into account EU data protection authorities' contributions

From the beginning of the negotiations about the new RAA, and under GAC pressure, ICANN has obviously chosen to favor the opinion of law enforcement agencies and intellectual property owners, while largely disregarding EU data protection authorities' comments. On one hand, it has given extensive consideration and deference to law enforcement demands (“How the Proposed 2013 RAA Addresses Law Enforcement Recommendations”). On the other hand, it has in practice constantly dismissed privacy authorities' comments as negligible or not representative of official EU Member States' positions.

While ICANN has received extensive legal advice from the Article 29 Working Party and the European Data Protection Supervisor (on the new RAA topic only, see: 26th September 2012 letter, 6th June 2013 letter, 8th January 2014 letter, 17th April 2014 letter), it has never granted them the full consideration it has given to other institutional stakeholders; for instance:
- During the Durban meeting, ICANN Vice President Namazi declared before the GAC that the Article 29 Working Party, which comprises the data protection authorities of EU Member States, was “not a legal authority”;
- And, in one of its written answers, ICANN quite naively states that “Since the European Commission is a member of the GAC, we encourage the Article 29 Working Party to coordinate with the Commission”.

This unfortunately proves again a total lack of understanding of how the privacy protection legal framework works under EU law. Independent national authorities are established to protect citizens' data from misuse by private companies and public bodies; this means they enjoy total independence not only from private entities, but also from law enforcement agencies, and even from the executive branch of EU Member States' governments and from the Commission.

2. The legal status of the document under consultation is highly unclear

The document under consultation, “Description of 2013 RAA data retention specification data elements and potentially legitimate purposes for collection/retention”, if adopted, would apparently not be formally part of the 2013 RAA signed by the registrars. It would thus not be legally binding for them. If so, it appears to be more of a public relations tool, and in no way can it stand as a valid legal instrument useful to registrars if they are to face litigation in any EU jurisdiction.

3. The structure and phrasing of the document are unclear, especially the “Law enforcement and IP owner considerations”

While its purpose is to “clarify” data elements in the Data Retention Specification and describe potentially legitimate purposes, the document under consultation also contains a last part entitled “Law enforcement and IP owner considerations”. Presented as “A general note”, it serves neither of the two stated purposes and restates at length the various opposing stakeholders' positions on the subject.

4. The 2013 RAA Data Retention Specification is in breach of EU law and cannot be salvaged by a “clarification document”

On this subject, see the European Data Protection Supervisor's 17th April 2014 letter, which details the main violations:

“[The Specification] should only require collection of personal data, which is genuinely necessary for the performance of the contract between the Registrar and the Registrant (e.g. billing) or for other compatible purposes such as fighting fraud related to domain name registration. This data should be retained for no longer than is necessary for these purposes. It would not be acceptable for the data to be retained for longer periods or for other, incompatible purposes, such as law enforcement purposes or to enforce copyright.

Processing contrary to these recommendations would be contrary to three key principles of European data protection law set forth in Directive 95/46/EC. It would violate the principle of purpose limitation under Article 6(1)(b) of Directive 95/46/EC, which prohibits the processing of personal data for incompatible purposes, the requirement under Article 7 of the Directive to have an appropriate legal ground for the processing of data, such as contract, consent or the legitimate interest of the controller, and the requirement of proportionality, including the requirement not to retain data 'longer than is necessary for the purposes for which the data were collected or for which they are further processed' (Article 6(1)(e)). These provisions are specifications of the fundamental rights to privacy and the protection of personal data laid down in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

Retention of personal data originally collected for commercial purposes, and subsequently retained for law enforcement purposes, has been the subject of a recent landmark ruling by the European Court of Justice, which held Directive 2006/24/EC to be invalid, as an unjustified interference with those rights. The Court recognised that the retention of personal data might be considered appropriate for the purposes of the detection, investigation and prosecution of serious crime, but judged that the Directive 'exceeded the limits imposed by compliance with the principle of proportionality'. It is reasonable to expect requirements for retaining personal data to be subject to increasing scrutiny and legal challenges in the EU.

Further (...) the current European data protection legislation is under reform. The European Parliament voted on 12 March 2014 overwhelmingly in favour of a new General Data Protection Regulation which is designed to replace Directive 95/46/EC and be directly applicable in each of the twenty-eight EU Member States. There is therefore now a more compelling need than ever before for ICANN to apply the waiver of the retention period under the 2013 RAA Data Retention Specification uniformly to all EU Member States as requested in the 'harmonised statement' of the Working Party issued by letter of 6 June 2013”

In our opinion, ICANN should abandon any “clarification document” or “waiver” type mechanism as regards the respect of fundamental rights by registrars; on the contrary, it must ensure “that privacy and data protection are embedded by default, when new tools and instruments or new internet policies are designed, for the benefit of all”, and enshrine these principles in the legally binding RAA.

5. Registrars implementing the 2013 RAA now risk administrative and criminal complaints from EU consumers, privacy and digital rights groups

Since ICANN has been unable to grant them waivers in due time, most 2013 RAA signatories operating in or directing business towards any EU Member State have kept their old privacy and data retention policies unchanged and are now obviously violating the EU Directive (breach of the legitimate purpose rule, and breach of the proportionality and length of data retention rule) as transposed by Member States into their internal law. The EU Directive and all national implementing measures provide sanctions against such infringements. Now that, in light of the recent landmark ruling of the European Court of Justice invalidating the data retention directive, national supervisory authorities and judges are particularly sensitive to digital privacy, the time could be right for EU consumers, privacy and digital rights groups to bring administrative and criminal complaints against all registrars implementing the 2013 RAA.

In France, for instance, the law provides for administrative sanctions (by the national supervisory authority, up to 300.000€) and criminal sanctions (5 years imprisonment and a criminal fine up to 1.5M€).