[gnso-dataprotection-thickwhois] Conflicts between Whois escrow requirements and data protection laws

[Don Blumenthal <dblumenthal@xxxxxxx>]

Shared for possible relevance.

I had correspondence with Maxim Alzoba from FAITID on another matter and Whois 
conflicts came up. FAITID apparently negotiated non standard escrow language 
because of problems with Russian law after Centrohost received an ICANN breach 
notice.

Here's his summary of what happened. The specific language differences are 
confidential.

===========

 1.
15sep2010
Registrator Centrohost IANA#1426 (now it changed name to Registrar R01) 
received warning on data escrow
(that it must execute data escrow addendum to ICANN registrar contract(RAA 2001 
at that moment of time)
- RDE agreement no later than in two months (by 15oct 2010) and start uploads 
no later than in three months (15 dec2010))

2. our legal dept read through the RDE agreement and found that it will force 
us to breach russian legislation on
personal data protection due to two reasons :

2.1. almost impossible to find a single russian company in the Data Escrow 
business (TPP (Third Party Provider) requirements
of non-affiliation with the industry, 250k USD of liquid assets + 10 years of 
business ..) in Russia ...
(we found the way to comply in this bit after few months - NCC Group , one of 
their UK legal bodies ... which is UK company and falls under the smae
Data Protection EU directive)

2.2. beneficiary of the data could be anyone (and under Russian 152-FZ and
Convention on protection of the rights of individuals in the automated 
processing of the personal data from January, 28th, 1981 ETS № 108we should use 
only countries which used
"adequate means to ensure security"

- so we requested a guidance from our regulator on what should we do

the reason to ask was this: breach of personal data protection russian laws in 
cases where >100k records involved could
lead CEO of the russian company to 5 years term (it sounds horrible, but that 
never happens in real life)

3. regulator issued a letter saying that:
3.1. these countries mentioned are - only those which ratified 95/46/EC
3.2 we have to ensure that the priority order of data beneficiaries are ... 
russian personal data operators ICANN accredited as registrars
, EU (95/46/EC countries) ICANN accredited registrars [ the second tier was 
negotiated with the regulator, since the reference was to 95/46/EC]
also the letter had reference to
Convention on protection of the rights of individuals in the automated 
processing of the personal data from January, 28th, 1981 ETS № 108
(cross border transfer of personal data)

4. tried to negotiate with ICANN / Iron Mountain - but failed ...

5. 12 January 2011 we received NOTICE OF BREACH OF REGISTRAR ACCREDITATION 
AGREEMENT
https://www.icann.org/en/news/correspondence/burnette-to-smekaeva-12jan11-en

5.1 we found temporary workaround - uploaded all data of non-residents and 
resident & non resident companies
(non residents and legal bodies are not protected by the personal data law in 
russia)
and did not upload data of resident private persons (luckily only 5% of all 
domains)

6. we engaged ICANN with all the facts we know and asked them
... were they still trying to force us to break local legislation ?

7. we started work with Tim Cole & NCC Group & ICANN legal
which lead us to ultimately to "russian data escrow contract"

7.1 in which we are exempt from being forced to breach local legislation if 
anything ICANN invents is against russian law
(in this contract or it's amendments)

7.2. we have priority list of beneficiaries
(1tier - russian "personal data operators" who are also ICANN accredited 
registrars,
2nd tier (when all russians failed ) - any european (countries which ratified 
95/46/EC) ICANN acredited registrars
)

7.3. data escrow operator is UK body and works under the same Personal data 
protection directive as we are
95/46/EC
(Russia ratified it too)

!!! in the end .... we managed to change somewhat like 20 or less
lines of the text in the contract  in only 2.5 months  =]

=========

Maxim will send me the relevant laws and regs.

Don