Re: [gnso-dataprotection-thickwhois] Conflicts between Whois escrow requirements and data protection laws

[Don Blumenthal <dblumenthal@xxxxxxx>]

Neither FAITID nor Centrohost is a .org registrar. I'll ask if they have
seen the possibility of conflicts with other parts of whois requirements.
Our conversation, via Skype chat, was focused so that I could understand
the issues better and unfortunately cut short by a scheduled call.

Don

On 2/7/13 3:27 PM, "Alan Greenberg" <alan.greenberg@xxxxxxxxx> wrote:

>It would be rather useful to know if they have a
>similar problem just registering names with .org
>or other thick registries. Is the sending of that
>data subject to the same rules as we are discussing here, or somehow
>different?
>
>Alan
>
>At 07/02/2013 02:52 PM, Don Blumenthal wrote:
>
>>Shared for possible relevance.
>>
>>I had correspondence with Maxim Alzoba from
>>FAITID on another matter and Whois conflicts
>>came up. FAITID apparently negotiated non
>>standard escrow language because of problems
>>with Russian law after Centrohost received an ICANN breach notice.
>>
>>Here's his summary of what happened. The
>>specific language differences are confidential.
>>
>>===========
>>
>>  1.
>>15sep2010
>>Registrator Centrohost IANA#1426 (now it changed
>>name to Registrar R01) received warning on data escrow
>>(that it must execute data escrow addendum to
>>ICANN registrar contract(RAA 2001 at that moment of time)
>>- RDE agreement no later than in two months (by
>>15oct 2010) and start uploads no later than in three months (15 dec2010))
>>
>>2. our legal dept read through the RDE agreement
>>and found that it will force us to breach russian legislation on
>>personal data protection due to two reasons :
>>
>>2.1. almost impossible to find a single russian
>>company in the Data Escrow business (TPP (Third Party Provider)
>>requirements
>>of non-affiliation with the industry, 250k USD
>>of liquid assets + 10 years of business ..) in Russia ...
>>(we found the way to comply in this bit after
>>few months - NCC Group , one of their UK legal
>>bodies ... which is UK company and falls under the smae
>>Data Protection EU directive)
>>
>>2.2. beneficiary of the data could be anyone (and under Russian 152-FZ
>>and
>>Convention on protection of the rights of
>>individuals in the automated processing of the
>>personal data from January, 28th, 1981 ETS ¹
>>108we should use only countries which used
>>"adequate means to ensure security"
>>
>>- so we requested a guidance from our regulator on what should we do
>>
>>the reason to ask was this: breach of personal
>>data protection russian laws in cases where >100k records involved could
>>lead CEO of the russian company to 5 years term
>>(it sounds horrible, but that never happens in real life)
>>
>>3. regulator issued a letter saying that:
>>3.1. these countries mentioned are - only those which ratified 95/46/EC
>>3.2 we have to ensure that the priority order of
>>data beneficiaries are ... russian personal data
>>operators ICANN accredited as registrars
>>, EU (95/46/EC countries) ICANN accredited
>>registrars [ the second tier was negotiated with
>>the regulator, since the reference was to 95/46/EC]
>>also the letter had reference to
>>Convention on protection of the rights of
>>individuals in the automated processing of the
>>personal data from January, 28th, 1981 ETS ¹ 108
>>(cross border transfer of personal data)
>>
>>4. tried to negotiate with ICANN / Iron Mountain - but failed ...
>>
>>5. 12 January 2011 we received NOTICE OF BREACH
>>OF REGISTRAR ACCREDITATION AGREEMENT
>>https://www.icann.org/en/news/correspondence/burnette-to-smekaeva-12jan11
>>-en
>>
>>5.1 we found temporary workaround - uploaded all
>>data of non-residents and resident & non resident companies
>>(non residents and legal bodies are not
>>protected by the personal data law in russia)
>>and did not upload data of resident private
>>persons (luckily only 5% of all domains)
>>
>>6. we engaged ICANN with all the facts we know and asked them
>>... were they still trying to force us to break local legislation ?
>>
>>7. we started work with Tim Cole & NCC Group & ICANN legal
>>which lead us to ultimately to "russian data escrow contract"
>>
>>7.1 in which we are exempt from being forced to
>>breach local legislation if anything ICANN invents is against russian law
>>(in this contract or it's amendments)
>>
>>7.2. we have priority list of beneficiaries
>>(1tier - russian "personal data operators" who
>>are also ICANN accredited registrars,
>>2nd tier (when all russians failed ) - any
>>european (countries which ratified 95/46/EC) ICANN acredited registrars
>>)
>>
>>7.3. data escrow operator is UK body and works
>>under the same Personal data protection directive as we are
>>95/46/EC
>>(Russia ratified it too)
>>
>>!!! in the end .... we managed to change somewhat like 20 or less
>>lines of the text in the contract  in only 2.5 months  =]
>>
>>=========
>>
>>Maxim will send me the relevant laws and regs.
>>
>>Don
>