[gnso-dow123] RE: what registrars must/may do within 15 days

["Steve Metalitz" <metalitz@xxxxxxxxxxxxx>]

Re the 15-day period for registrars, see
http://www.icann.org/announcements/advisory-03apr03.htm 

-----Original Message-----
From: owner-gnso-dow123@xxxxxxxxx [mailto:owner-gnso-dow123@xxxxxxxxx]
On Behalf Of Bruce Tonkin
Sent: Sunday, June 25, 2006 5:22 AM
To: gnso-dow123@xxxxxxxxxxxxxx
Subject: RE: [gnso-dow123] From the EU Article 29 Data Protection
Working Party

I have extracted a plain text version from the PDF document for those
that had trouble with the attachment.   Please see the PDF document for
footnotes.

See below.

Regards,
Bruce Tonkin


ARTICLE 29 Data Protection Working Party 
 

Brussels, 22 June 2006
D (2006) 8052 
 
Mr. Vinton G. Cerf
Chairman of the Board of Directors
Internet Corporation for Assigned
Names and Numbers (ICANN)
4676 Admiralty Way, Suite 330
Marina del Rey
California 90292 
 
Dear Sirs, 
 
I am writing to you regarding the ongoing discussions on the application
of the data protection principles to the WHOIS directories as well as
the latest development in the field of WHOIS. 
 
The Working Party on the Protection of Individuals with regard to the
Processing of Personal Data (Article 29 WP) is aware of the fact that
WHOIS discussions will take place in the framework of the upcoming
ICANN/GAC meetings to be held in Marrakech on 24 - 30 June 2006. 
 
The Article 29 WP is witnessing the growing importance of the WHOIS
discussions as more and more individuals are registering their own
domain names and in this connection there have been complaints about
improper use of the WHOIS data in several countries. 
 
The Article 29 WP follows closely the work carried out by several ICANN
constituencies in the area of WHOIS directories and intends to
contribute to the ongoing discussions by stressing a number of
fundamental questions arising from the application of the data
protection principles to the WHOIS directories. 
 
>From a data protection point of view, it is essential to determine, in
very clear terms, what is the purpose of the WHOIS and which purpose(s)
can be considered legitimate and compatible with the original purpose.
This is an extremely delicate matter as the purpose of the WHOIS
directories can not be extended to other purposes just because they are
considered useful by some potential users of the directories. 
 
Article 6 c) of the Data protection directive imposes clear limitations
concerning the collection and processing of personal data meaning the
data should be relevant and not excessive for the specific purpose. In
that light it is essential to limit the amount of personal data to be
collected and processed. This should be kept particularly in mind when
discussing the wishes of some parties to increase the uniformity of the
diverse WHOIS directories. 
 
The registration of domain names by individuals raises different legal
questions than the registration by companies or other legal persons. 
 
In the latter case, the publication of certain information about a
company or organisation is often a requirement by law in the framework
of the commercial or professional activities they perform. As a
consequence of the right to object, it should be noted however, that
also in the cases of companies or organisations registering domain
names, individuals can not be forced to have their name published as a
contact point. 
 
In the first case, however, where an individual registers a domain name,
the situation is different and, while it is clear that the identity and
contact information should be known to his/her service provider, there
is no legal ground for justifying the mandatory publication of personal
data referring to this person. Such an application of the personal data
of individuals, for instance their address and telephone number, would
conflict with their right to determine whether their personal data are
included in a public directory and if so which one. 
 
In the light of the proportionality principle, it is necessary to look
for less intrusive methods that would still serve the purpose of the
WHOIS directories without having all data directly available on-line to
everybody. The fact, that personal data are publicly available does not
mean that the requirements of the data protection directive do not apply
to that data. On the contrary, it is perfectly clear from the wording of
the data protection legislation that it applies to personal data made
publicly
available: even after
personal data have been made public, they are still personal and as a
consequence the data subjects can not be deprived of the protection they
are entitled to as regards the processing of their data. 
 
The Article 29 WP also wishes to emphasize its support for the proposals

concerning both accuracy of the data and limitation of bulk access, for
example, direct marketing issues. Bulk use of WHOIS data for direct
marketing is by no means in line with the purpose for which the
directories were set up and are being maintained. The Article 29 WP
encourages ICANN, its constituencies and the WHOIS community to look at
privacy enhancing ways to run the WHOIS directories in such a way that
serves its original purposes whilst protecting the rights of
individuals. It should in any case be possible for individuals to
register domain names without their personal details appearing on a
publicly available register. 
 
The original purposes of the WHOIS directories can however equally be
served by using a layered approach, as details of the person are known
to the ISP that can, in case of problems related to the site, contact
the individual or transmit the information to an enforcement authority
entitled by law to access this information.
This would allow the
public to continue to access technical information as per the original
purpose of WHOIS. 
At the same time access to more sensitive information would be
restricted to law enforcement agencies with adequate authority. This
would allow ICANN to adhere to data protection law as well as maintain
the spirit of cooperation that has allowed the Internet to flourish. 
 
I would like finally to draw your attention to the Article 29 WP Opinion
2/2003
on the application of the data protection principles to the WHOIS
directories, where data protection principles have been spelled out.
Furthermore, a document "Common Position on Privacy and Data Protection
aspects of the Registration of Domain Names on the Internet" prepared by
the International Working Group on Data Protection in Telecommunications
also covers privacy and data protection issues related to the WHOIS
directories. 
 
I wish you successful deliberations at the forthcoming meeting in
Marrakech and look very much forward to your early reply. 
 
Yours sincerely, 
 

Peter Schaar
Chairman 
 
Cc: Governmental Advisory Committee (GAC) Secretariat