European privacy watchdog says ICANN’s Whois demands are “unlawful”
European Union privacy officials have told ICANN that it risks forcing registrars to break the law by placing “excessive” demands on Whois accuracy.
In a letter to ICANN yesterday, the Article 29 Working Party said that two key areas in the proposed next version of the Registrar Accreditation Agreement are problematic.
It’s bothered by ICANN’s attempt to make registrars retain data about their customers for up to two years after registration, and by the idea that registrars should re-verify contact data every year.
These were among the requests made by law enforcement, backed up by the Governmental Advisory Committee, that ICANN has been trying to negotiate into the RAA for almost a year.
The letter (pdf) reads:
The Working Party finds the proposed new requirement to re-verify both the telephone number and the e-mail address and publish these contact details in the publicly accessible WHOIS database excessive and therefore unlawful. Because ICANN is not addressing the root of the problem, the proposed solution is a disproportionate infringement of the right to protection of personal data.
The “root cause” points to a much deeper concern the Working Party has.
Whois was designed to help people find technical and operational contacts for domain names, it argues. Just because it has other uses — such as tracking down bad guys — that doesn’t excuse infringing on privacy.
The problem of inaccurate contact details in the WHOIS database cannot be solved without addressing the root of the problem: the unlimited public accessibility of private contact details in the WHOIS database.
It’s good news for registrars that were worried about the cost implications of implementing a new, more stringent RAA.
But it’s possible that ICANN will impose the new requirements anyway, giving European registrars an opt-out in order to comply with local laws.
The letter is potentially embarrassing for the GAC, which seemed to take offense at the Prague meeting this June when it was suggested that law enforcement’s recommendations were not being balanced with the views of privacy watchdogs.
During a June 26 session between the GAC and the ICANN board, Australia’s GAC rep said:
I don’t come here as an advocate for law enforcement only. I come here with an Australian government position, and the Australian government has privacy laws. So you can be sure that from a GAC point of view or certainly from my point of view that in my positions, those two issues have been balanced.
That view was echoed during the same session by the European Commission and the US and came across generally like a common GAC position.
The Article 29 Working Party is an advisory body set up by the EU in 1995. It’s independent of the Commission, but it comprises one representative from the data privacy watchdogs in each EU state.
Pretty stupid argument by European Union, because in most, if not all European countries the publisher and owner of a running website must publish all information about themselves on the “Impress” (Impressum) page by law. Full Name, address, tel. Tax ID No. must be included, which pretty much kills privacy of online publishers in Europe.
European Union lawmakers killed privacy and now they are the ones shouting?
Stupidity at its finest.
Such laws exist mainly in German-speaking areas. There are no such laws in other countries, like the UK or Netherlands.
What I found most interesting was the threat that the individual data protection officials (who make up the Article 29 group) go after registrars that implement the data retention requirements for violations of the national data protection requirements, thereby stressing the fact that the implementation of these requirements would make the position of European registrars untenable.
Dear Kevin,
(For the record, I represented the European Commission in the Governmental Advisory Committee meeting referred to in the article).
I would be curious to know in which way the statement made by the European Commission during the June 26 GAC/Board session is “echoing” the statement made by Australia.
The transcript is available at http://prague44.icann.org/meetings/prague2012/transcript-gac-board-session-26jun12-en.pdf . The statement made by the European Commission is on pp. 8-9.
This is by no means a judgment on the statement of Australia or of any other GAC member; nor is it a judgment on the letter of the Article 29 Working Party which, as you point out, is an independent body.
I would also be very careful with sentences such as “[something] came across generally like a common GAC position”. GAC positions are expressed in GAC Communiqués and/or in letters or documents where it is clearly stated that a particular position is, indeed, a GAC position, as opposed to the position of any particular GAC member.
A clarification would be much appreciated.
Best regards,
Andrea Glorioso
European Commission
Andrea,
The European Commission “echo” I was referring to was:
“Concerning the specific point on privacy law, allow me to say I take exception with the notion that privacy law is muddying up the negotiation. Privacy law is an extremely important part of these negotiations, and just as Australia said, we do not — we, as public authorities, we do not take sides. That is not our job.”
That seems to me to be a restatement of Australia’s view that privacy requirements had already been “balanced” into the position.
If that’s a mischaracterization, I apologize.
With regard to the GAC position, I’ll note that every GAC Communique since Singapore has mentioned the “Law Enforcement Recommendations” (that’s the GAC’s choice of words when referring to the RAA negotiations) and none of them until Prague have referred to privacy.
You have to go back to Brussels in June 2010 to find mention of “respect all requirements concerning the processing of personal data, such as privacy”.
It’s easy to come away with the impression that the GAC as a whole has been more aligned recently with the LEA view than with the privacy view.
Cheers,
Kevin
Dear Kevin,
I do not interpret what I said in the way you seem to interpret it, but no big harm done and no need to apologise. I just like to have the record straight.
For the record, the position of the European Commission is that we have been and are considering all the public policy / legal implications of the RAA, but that we are not part of the negotiations and hence we will not formally intervene in the negotiations themselves unless to reply to specific questions. This is, I believe, different from endorsing high-level principles which I tend to believe no-one disagrees with. As usual, the devil is in the details and the negotiating teams are trying to iron out the details – if we can help, we will.
On the issue of wording: here again I think there is a different mindset at work. From our perspective, once we say (as we did in Brussels) that there is a need to respect all legal requirements, including those of personal data protection / privacy, there does not seem to be the need to re-iterate the point unless the point seems to be unclear, as was the case in Prague. To be absolutely honest, I *personally* find it even unnecessary to state that all applicable law (which includes privacy, but also all legal obligations linked to criminal investigations) has to be respected.
Happy to discuss further whenever / however possible.
Best regards,
Andrea
The need to re-iterate the point arises from the absence, within the negotiation process, of anyone making the point at all. The registrars are deemed not to have standing to raise any legal requirements in counterpoise to the law enforcement demands. Thus having dismissed the registrars as incompetent in that regard, the absence of any specific concerns of the GAC generally, or GAC members specifically, beyond general platitudes is taken as consent of the GAC to whatever demands are made by law enforcement.
“But it’s possible that ICANN will impose the new requirements anyway, giving European registrars an opt-out in order to comply with local laws.”
This would certainly not be acceptable to non-EU registrars, many of whom currently offer privacy protection similar to the EU in order to compete for European customers.
Especially in view of efforts elsewhere within ICANN to restrain / restrict the use of Privacy & Proxy services.
ICANN must not create an uneven playing field, where Registrant Privacy is a market differentiation among Registrars.
ICANN said earlier this week:
“ICANN and the registrars have discussed various processes under which a registrar might seek a waiver of certain elements of the data retention requirements to the extent that they are in conflict with laws applicable to the registrar.”
@Kevin, What is your point? Is ICANN creating an uneven playing field, or no?
What Theo said.
Louise, the “waiver” was prolly intended for extreme special cases and used to remove at that point a “minor” obstacle regarding the 2012 RAA talks.
Now the “minor” obstacle turns out to be an obstacle of 27 stories high with a huge neon sign blinking “obstacle” on top.
I expect the “waiver” not to turn up in any further communications from ICANN.