Re: [gnso-dataprotection-thickwhois] Conflicts between Whois escrow requirements and data protection laws

[Alan Greenberg <alan.greenberg@xxxxxxxxx>]

Can you also verify that they do meet the 
requirements for whois publications. That is, 
they were restricted from shipping the data to an 
escrow agent, but do allow the data to be viewed without restriction.
Alan

At 07/02/2013 06:37 PM, Don Blumenthal wrote:
> Neither FAITID nor Centrohost is a .org registrar. I'll ask if they have
> seen the possibility of conflicts with other parts of whois requirements.
> Our conversation, via Skype chat, was focused so that I could understand
> the issues better and unfortunately cut short by a scheduled call.
>
> Don
>
> On 2/7/13 3:27 PM, "Alan Greenberg" <alan.greenberg@xxxxxxxxx> wrote:
>
> >It would be rather useful to know if they have a
> >similar problem just registering names with .org
> >or other thick registries. Is the sending of that
> >data subject to the same rules as we are discussing here, or somehow
> >different?
> >
> >Alan
> >
> >At 07/02/2013 02:52 PM, Don Blumenthal wrote:
> >
> >>Shared for possible relevance.
> >>
> >>I had correspondence with Maxim Alzoba from
> >>FAITID on another matter and Whois conflicts
> >>came up. FAITID apparently negotiated non
> >>standard escrow language because of problems
> >>with Russian law after Centrohost received an ICANN breach notice.
> >>
> >>Here's his summary of what happened. The
> >>specific language differences are confidential.
> >>
> >>===========
> >>
> >>  1.
> >>15sep2010
> >>Registrator Centrohost IANA#1426 (now it changed
> >>name to Registrar R01) received warning on data escrow
> >>(that it must execute data escrow addendum to
> >>ICANN registrar contract(RAA 2001 at that moment of time)
> >>- RDE agreement no later than in two months (by
> >>15oct 2010) and start uploads no later than in three months (15 dec2010))
> >>
> >>2. our legal dept read through the RDE agreement
> >>and found that it will force us to breach russian legislation on
> >>personal data protection due to two reasons :
> >>
> >>2.1. almost impossible to find a single russian
> >>company in the Data Escrow business (TPP (Third Party Provider)
> >>requirements
> >>of non-affiliation with the industry, 250k USD
> >>of liquid assets + 10 years of business ..) in Russia ...
> >>(we found the way to comply in this bit after
> >>few months - NCC Group , one of their UK legal
> >>bodies ... which is UK company and falls under the smae
> >>Data Protection EU directive)
> >>
> >>2.2. beneficiary of the data could be anyone (and under Russian 152-FZ
> >>and
> >>Convention on protection of the rights of
> >>individuals in the automated processing of the
> >>personal data from January, 28th, 1981 ETS ©ö
> >>108we should use only countries which used
> >>"adequate means to ensure security"
> >>
> >>- so we requested a guidance from our regulator on what should we do
> >>
> >>the reason to ask was this: breach of personal
> >>data protection russian laws in cases where >100k records involved could
> >>lead CEO of the russian company to 5 years term
> >>(it sounds horrible, but that never happens in real life)
> >>
> >>3. regulator issued a letter saying that:
> >>3.1. these countries mentioned are - only those which ratified 95/46/EC
> >>3.2 we have to ensure that the priority order of
> >>data beneficiaries are ... russian personal data
> >>operators ICANN accredited as registrars
> >>, EU (95/46/EC countries) ICANN accredited
> >>registrars [ the second tier was negotiated with
> >>the regulator, since the reference was to 95/46/EC]
> >>also the letter had reference to
> >>Convention on protection of the rights of
> >>individuals in the automated processing of the
> >>personal data from January, 28th, 1981 ETS ©ö 108
> >>(cross border transfer of personal data)
> >>
> >>4. tried to negotiate with ICANN / Iron Mountain - but failed ...
> >>
> >>5. 12 January 2011 we received NOTICE OF BREACH
> >>OF REGISTRAR ACCREDITATION AGREEMENT
> >>https://www.icann.org/en/news/correspondence/burnette-to-smekaeva-12jan11
> >>-en
> >>
> >>5.1 we found temporary workaround - uploaded all
> >>data of non-residents and resident & non resident companies
> >>(non residents and legal bodies are not
> >>protected by the personal data law in russia)
> >>and did not upload data of resident private
> >>persons (luckily only 5% of all domains)
> >>
> >>6. we engaged ICANN with all the facts we know and asked them
> >>... were they still trying to force us to break local legislation ?
> >>
> >>7. we started work with Tim Cole & NCC Group & ICANN legal
> >>which lead us to ultimately to "russian data escrow contract"
> >>
> >>7.1 in which we are exempt from being forced to
> >>breach local legislation if anything ICANN invents is against russian law
> >>(in this contract or it's amendments)
> >>
> >>7.2. we have priority list of beneficiaries
> >>(1tier - russian "personal data operators" who
> >>are also ICANN accredited registrars,
> >>2nd tier (when all russians failed ) - any
> >>european (countries which ratified 95/46/EC) ICANN acredited registrars
> >>)
> >>
> >>7.3. data escrow operator is UK body and works
> >>under the same Personal data protection directive as we are
> >>95/46/EC
> >>(Russia ratified it too)
> >>
> >>!!! in the end .... we managed to change somewhat like 20 or less
> >>lines of the text in the contract  in only 2.5 months  =]
> >>
> >>=========
> >>
> >>Maxim will send me the relevant laws and regs.
> >>
> >>Don
> >