RE: [gnso-dow123] From the EU Article 29 Data Protection Working Party
- To: <gnso-dow123@xxxxxxxxxxxxxx>
- Subject: RE: [gnso-dow123] From the EU Article 29 Data Protection Working Party
- From: "Bruce Tonkin" <Bruce.Tonkin@xxxxxxxxxxxxxxxxxx>
- Date: Sun, 25 Jun 2006 19:22:14 +1000
I have extracted a plain text version from the PDF document for those
that had trouble with the attachment. Please see the PDF document for
footnotes.
See below.
Regards,
Bruce Tonkin
ARTICLE 29 Data Protection Working Party
Brussels, 22 June 2006
D (2006) 8052
Mr. Vinton G. Cerf
Chairman of the Board of Directors
Internet Corporation for Assigned Names and Numbers (ICANN)
4676 Admiralty Way, Suite 330
Marina del Rey
California 90292
Dear Sirs,
I am writing to you regarding the ongoing discussions on the application of the data protection principles to the WHOIS directories as well as the latest development in the field of WHOIS.
The Working Party on the Protection of Individuals with regard to the Processing of Personal Data (Article 29 WP) is aware of the fact that WHOIS discussions will take place in the framework of the upcoming ICANN/GAC meetings to be held in Marrakech on 24 - 30 June 2006.
The Article 29 WP is witnessing the growing importance of the WHOIS discussions as more and more individuals are registering their own domain names and in this connection there have been complaints about improper use of the WHOIS data in several countries.
The Article 29 WP follows closely the work carried out by several ICANN constituencies in the area of WHOIS directories and intends to contribute to the ongoing discussions by stressing a number of fundamental questions arising from the application of the data protection principles to the WHOIS directories.
From a data protection point of view, it is essential to determine, in very clear terms, what is the purpose of the WHOIS and which purpose(s) can be considered legitimate and compatible with the original purpose. This is an extremely delicate matter as the purpose of the WHOIS directories can not be extended to other purposes just because they are considered useful by some potential users of the directories.
Article 6 c) of the Data protection directive imposes clear limitations concerning the collection and processing of personal data meaning the data should be relevant and not excessive for the specific purpose. In that light it is essential to limit the amount of personal data to be collected and processed. This should be kept particularly in mind when discussing the wishes of some parties to increase the uniformity of the diverse WHOIS directories.
The registration of domain names by individuals raises different legal questions than the registration by companies or other legal persons.
In the latter case, the publication of certain information about a company or organisation is often a requirement by law in the framework of the commercial or professional activities they perform. As a consequence of the right to object, it should be noted however, that also in the cases of companies or organisations registering domain names, individuals can not be forced to have their name published as a contact point.
In the first case, however, where an individual registers a domain name, the situation is different and, while it is clear that the identity and contact information should be known to his/her service provider, there is no legal ground for justifying the mandatory publication of personal data referring to this person. Such an application of the personal data of individuals, for instance their address and telephone number, would conflict with their right to determine whether their personal data are included in a public directory and if so which one.
In the light of the proportionality principle, it is necessary to look for less intrusive methods that would still serve the purpose of the WHOIS directories without having all data directly available on-line to everybody. The fact, that personal data are publicly available does not mean that the requirements of the data protection directive do not apply to that data. On the contrary, it is perfectly clear from the wording of the data protection legislation that it applies to personal data made publicly available: even after personal data have been made public, they are still personal and as a consequence the data subjects can not be deprived of the protection they are entitled to as regards the processing of their data.
The Article 29 WP also wishes to emphasize its support for the proposals concerning both accuracy of the data and limitation of bulk access, for example, direct marketing issues. Bulk use of WHOIS data for direct marketing is by no means in line with the purpose for which the directories were set up and are being maintained. The Article 29 WP encourages ICANN, its constituencies and the WHOIS community to look at privacy enhancing ways to run the WHOIS directories in such a way that serves its original purposes whilst protecting the rights of individuals. It should in any case be possible for individuals to register domain names without their personal details appearing on a publicly available register.
The original purposes of the WHOIS directories can however equally be served by using a layered approach, as details of the person are known to the ISP that can, in case of problems related to the site, contact the individual or transmit the information to an enforcement authority entitled by law to access this information. This would allow the public to continue to access technical information as per the original purpose of WHOIS. At the same time access to more sensitive information would be restricted to law enforcement agencies with adequate authority. This would allow ICANN to adhere to data protection law as well as maintain the spirit of cooperation that has allowed the Internet to flourish.
I would like finally to draw your attention to the Article 29 WP Opinion 2/2003 on the application of the data protection principles to the WHOIS directories, where data protection principles have been spelled out. Furthermore, a document "Common Position on Privacy and Data Protection aspects of the Registration of Domain Names on the Internet" prepared by the International Working Group on Data Protection in Telecommunications also covers privacy and data protection issues related to the WHOIS directories.
I wish you successful deliberations at the forthcoming meeting in Marrakech and look very much forward to your early reply.
Yours sincerely,
Peter Schaar
Chairman
Cc: Governmental Advisory Committee (GAC) Secretariat