Study Suggestion Number 22

[study-suggestion-response@xxxxxxxxx]

Submitted By:
[Redacted for privacy reasons]

Topic:
Study of Country Code TLD policies for Whois and other personal domain name 
registration data.  To what extent do ccTLD Whois policies reflect national 
data protection laws and priorities?  Have ccTLD Whois policies changed over 
the last few years? Is there any direction or momentum on this issue?

Hypothesis:
ccTLDs more accurately reflect their national laws than the general ICANN Whois 
policy. Should many ccTLDs, or the largest ccTLDs have data protection 
policies, that would show countries' legally requirement of this type of online 
data protection. Should a growing number of countries be adopting data 
protection aspects in their Whois in the last few years, that would show a 
momentum and direction on the Whois issue that merits evaluation and analysis.

How the hypothesis could be falsified:
If many of the largest ccTLDs are not found to have data protection aspects to 
their Whois policy, then the hypothesis about countries having national data 
protection laws would be proven invalid. If ccTLDs without data protection are 
now found to be adopting data protection in their Whois policies, in the last 
few years, than the hypothesis of direction and momentum towards data 
protection in Whois would be proven invalid.

Utility:
Should the hypothesis be proven, then the data protection aspects of numerous 
ccTLDs policies should be compiled, analyzed and studied.  To the extent that 
there are overlapping provisions or principles, they serve as a guide to ICANN 
staff and the GNSO in revising and redrafting the long-standing Whois policies 
of ICANN.

Type of Study Needed:
Detailed questionnaires distributed to the largest ccTLDs, the top 25-30.

Data that needs to be collected:
1. What personal data is collected about the registrant?
2. What personal data is disclosed about the registrant in the public ccTLD 
Whois database?
3. Is the registrant accorded data protection by virtue of registration, or 
does it need to be invoked in some format? For example, is the privacy of the 
Whois database an opt-in or opt-out? If opt-out, what must the registrant show 
or prove to the ccTLD to obtain the opt-out?
4. How is the underlying data provided by the ccTLD to law enforcement? to 
others? What the standards for release of the personal data? What is the 
registrant told about this release under ccTLD policy?
5. Has the policy been challenged? 
6. In the ccTLD's assessment, is the Whois policy working?

Population to be surveyed:
The 25 largest ccTLDs

Sample Size:
I don't think that ICANN must survey every ccTLD. A questionnaire surveying the 
top 25-30 will cover almost every continent and a wide array of legal and 
cultural regimes. This survey group will provide a good source of data, as well 
as a sense of movement direction and moment of Whois policies, if any.

Type of Analysis:
Presentation of raw data in report and table format. A table should layout the 
raw data, as gathered for question 6 above. A report should evaluate the data 
as well as assess movement and direction in the ccTLD Whois arena.