Study Suggestion Number 23
Submitted By: [Redacted for privacy reasons] Topic: Data protection laws of countries around the world Hypothesis: The laws of the countries should shape and guide the policies of ICANN, particularly in an area viewed as having an impact on issues of human rights. How the hypothesis could be falsified: The hypothesis above could be proven invalid if an international survey did not find that data protection was an issue impacting human rights in the countries surveyed, or if no laws to protect data privacy are found. Utility: The study results can provide considerable guidance to the GNSO if, for example, it is found that entire regions of the world have data protection laws. In that case, aspects of these laws should inform and guide changes and improvements to ICANN's Whois policies. The Constituencies can then review changes to Whois, the GNSO debate, and changes be adopted by consensus policy. Type of Study Needed: A legal comparison of national data protection laws Data that needs to be collected: There are legal treatises compiling national laws. Also many national laws are available online. Subscription services make national laws available, and their international collection improves daily. Population to be surveyed: If the largest 30-35 countries are surveyed and reviewed, that should be sufficient to cover countries in every region of the world. Sample Size: As above, if the largest 30-35 countries are surveyed and reviewed, that should be sufficient to cover countries in every region of the world Type of Analysis: What do national laws say that private companies may collect from subscribers, customers? What may privacy companies disclose? Is data protection ever the default (opt-in)? Is it a right that is available to all on request (opt-out)? When must access to the underlying data be provided to law enforcement? When must access to the underlying data be provided to private third parties, e.g., potential litigants? When is the registrant informed of requests by private third parties? Is the registrant under law required to receive an opportunity to contest the disclosure of underlying personal data prior to it taking place?