Combined WHOIS Task Force (1, 2, 3) of the GNSO Council
Preliminary task force report on a policy recommendation and advice on a procedure for handling conflicts between a registrar/registry's legal obligations under privacy laws and their contractual obligations to ICANN
For public comment from 12 September 2005 to 02 October 2005
Table of contents
1 Introduction & background
2 Constituency statements
2.1 Commercial and Business User Constituency
1 Relevant provisions of the Registrar Accreditation Agreement
1 Introduction & background
Article X, Section 1 of the ICANN Bylaws (http://www.icann.org/general/bylaws.htm#X) states "the Generic Names Supporting Organization (GNSO), (which) shall be responsible for developing and recommending to the ICANN Board substantive policies relating to generic top-level domains." This preliminary task force report and the consensus policy recommendation therein refer only to the generic top-level domain space.
This document is the Preliminary Task Force Report on a consensus policy recommendation and advice on a procedure for handling WHOIS conflicts with local or national privacy laws. It is comprised of the proposed recommendation and advice, background information, the task force vote and the constituency statements. This report was the subject of a task force vote held on Tuesday, 6th September, 2005.
In December 2003, WHOIS Task Force 2 was tasked with "document(ing) examples of existing privacy laws in regard to display/transmittal of data". (Task Force 2 terms of reference, point 4 of 'tasks and milestones'; available at http://gnso.icann.org/issues/whois-privacy/tor2.shtml).
Task Force 2's preliminary report was published for public comment in June 2004 (available at http://gnso.icann.org/issues/whois-privacy/Whois-tf2-preliminary.html#P…). The report found, in section 2.3, that:
"After documenting and reviewing the examples of local privacy laws it is the Task Force's finding that different nations have very different privacy laws and that the determination whether they are applicable to the gTLD WHOIS situation is not an easy one. However, situations have arisen in which privacy laws or regulations have conflicted with WHOIS-related contractual obligations with ICANN.
The Task Force believes that there is an ongoing risk of conflict between a registrar's or registry's legal obligations under local privacy laws and their contractual obligations to ICANN.
Since the variety of the existing local privacy laws does not allow for a one-size-fits-all solution, the registrars and registries encountering such local difficulties should be allowed an exception from the contractual WHOIS obligation for the part of the WHOIS data in question by the local regulation, after proving the existence of such a conflict with a law or regulation. In addition, a procedure should be established for seeking to resolve such conflicts with local authorities as new regulations evolve in a way that promotes stability and uniformity of the WHOIS system. Such steps will undoubtedly achieve a greater legal certainty and foster the international competition on the domain name market."
The report recommended (section 3.3) that ICANN:
"...develop and implement a procedure for dealing with the situation where a registrar (or registry, in thick registry settings) can credibly demonstrate that it is legally prevented by local mandatory privacy law or regulations from fully complying with applicable provisions of its ICANN contract regarding the collection, display and distribution of personal data via Whois. The goal of the procedure should be to resolve the conflict in a manner conducive to stability and uniformity of the Whois system."
The report gave details for the steps to be included in such a procedure:
Except in those cases arising from a formal complaint or contact by a local law enforcement authority that will not permit consultation with ICANN prior to resolution of the complaint under local law, the procedure should be initiated using the following steps:
On 30 November 2004, the WHOIS Task Forces 1 and 2 produced Recommendation 1 — A Procedure for conflicts, when there are conflicts between a registrar's or registry's legal obligations under local privacy laws and their contractual obligations to ICANN (available at http://gnso.icann.org/issues/whois-privacy/whois-tf-conflict-30nov04.pdf). This recommendation was presented to the GNSO Council during the GNSO public forum at the ICANN meeting in Cape Town in December 2004.
On February 17, 2005, the WHOIS task forces 1, 2 and 3 were combined into a single combined WHOIS Task Force. (http://www.gnso.icann.org/meetings/minutes-gnso-17feb05.html). On 2nd June 2005, the combined WHOIS task force was chartered by the GNSO Council with terms of reference and a set of tasks that required it to conclude its work on the 'conflicts' policy recommendation:
"(5) Determine how to resolve differences between a Registered Name Holder's, gTLD Registrar's, or gTLD Registry's obligation to abide by all applicable laws and governmental regulations that relate to the WHOIS service, as well as the obligation to abide by the terms of the agreements with ICANN that relate to the WHOIS service. [Note this task refers to the current work in the WHOIS task force called 'Recommendation 2', A Procedure for conflicts, when there are conflicts between a registrar's or registry's legal obligations under local privacy laws and their contractual obligations to ICANN.]" (available at http://gnso.icann.org/policies/terms-of-reference.html)
Accordingly, task force members continued to develop the recommendation through June 2005. The task force voted on May 24, 2005 to divide its work into a recommendation for consensus policy accompanied by advice for a procedure. Constituency statements on the recommendation were solicited by 21 July 2005.
1.1 Text of recommendation and advice on a procedure
This is the final version of the recommendation and advice voted on by the task force. The constituency statements responded to an earlier version of this text.
WHOIS Task Force policy recommendation and advice on Whois conflicts with national and local privacy laws
Task Force 2 spent over a year collecting data and working on the conflict between a registrar/registry's legal obligations under privacy laws and their contractual obligations to ICANN. Its report included the statement: "The Task Force believes that there is an ongoing risk of conflict between a registrar's or registry's legal obligations under local privacy laws and their contractual obligations to ICANN." (TF2 Report, Section 2.3, http://www.gnso.icann.org/issues/whois-privacy/Whois-tf2-preliminary.html).
By vote of the Task Force, now merged, on May 24, 2005, the work of Task Force 2 is hereby divided into a recommendation for "consensus policy" accompanied by "well-developed advice for a procedure."
I. Task Force Policy for WHOIS Conflicts with Privacy Law
CONSENSUS POLICY RECOMMENDATION
In order to facilitate reconciliation of any conflicts between local/national mandatory privacy laws or regulations and applicable provisions of the ICANN contract regarding the collection, display and distribution of personal data via Whois, ICANN should:
II. Text of Recommended Procedure
WELL-DEVELOPED ADVICE ON A PROCEDURE FOR HANDLING WHOIS CONFLICTS WITH PRIVACY LAW
Based on extensive research and negotiation among Task Force 2, together with the merged Task Force and ICANN staff, the following procedure for handling the policy recommendation set out in Section I above is set out as a Recommended Step-by-Step Procedure for Resolution of WHOIS Conflicts with Privacy Law. We encourage ICANN staff to use this Recommended Procedure as a starting point for developing the procedure called for in the Consensus Policy Recommendation above.
Step One: Notification of Initiation of Action
Once receiving notification of an investigation, litigation, regulatory proceeding or other government or civil action that might affect its compliance with the provisions of the RAA or other contractual agreement with ICANN dealing with the collection, display or distribution of personally identifiable data via Whois ("Whois Proceeding"), a Registrar/Registry must within thirty (30) days provide ICANN's General Counsel (or other staff member as designated by ICANN) with the following information:
Meeting the notification requirement permits Registrars/Registries to participate in investigations and respond to court orders, regulations, or enforcement authorities in a manner and course deemed best by their counsel.
Depending on the specific circumstances of the Whois Proceeding, the Registrar/Registry may request that ICANN keep all correspondence between the parties confidential pending the outcome of the Whois Proceeding. It is recommended that ICANN respond favorably to such requests to the extent that they can be accommodated with other legal responsibilities and basic principles of transparency applicable to ICANN operations.
Step Two: Consultation
Unless impractical under the circumstances, we recommend that the ICANN General Counsel, upon receipt and review of the notification and, where appropriate, dialogue with the registrar/registry, consider beginning a process of consultation with the local/national enforcement authorities or other claimant together with the registrar/registry. The goal of the consultation process should be to seek to resolve the problem in a manner that preserves the ability of the registrar/registry to comply with its contractual obligations to the greatest extent possible.
The Registrar should attempt to identify a solution that allows the registrar to meet the requirements of both the local law and ICANN obligations. The General Counsel can assist in advising the registrar on whether the proposed solution meets the ICANN obligations.
If the Whois proceeding ends without requiring any changes and/or the required changes in registrar/registry practice do not, in the opinion of the General Counsel, constitute a deviation from the R.A.A. or other contractual obligation, then the General Counsel and the registrar/registry need to take no further action.
If the registrar/registry is required by local law enforcement authorities or a court to make changes in its practices affecting compliance with Whois-related contractual obligations before any consultation process can occur, the registrar/registry shall promptly notify the General Counsel of the changes made and the law/regulation upon which the action was based. The Registrar/Registry may request that ICANN keep all correspondence between the parties confidential pending the outcome of the Whois Proceeding. It is recommended that ICANN respond favorably to such requests to the extent that they can be accommodated with other legal responsibilities and basic principles of transparency applicable to ICANN operations.
Step Three: General Counsel analysis and recommendation
If the local/national government requires changes (whether before, during or after the consultation process described above) that, in the opinion of the General Counsel, prevent full compliance with contractual WHOIS obligations, ICANN should consider the following alternative to the normal enforcement procedure. Under this alternative, ICANN would refrain, on a provisional basis, from taking enforcement action against the registrar/registry for non-compliance, while the General Counsel prepares a report and recommendation and submits it to the ICANN Board for a decision. Such a report may contain:
The registrar/registry should be provided a copy of the report and provided a reasonable opportunity to comment on it to the Board. The Registrar/Registry may request that ICANN keep such report confidential prior to any resolution of the Board. It is recommended that ICANN respond favorably to such requests to the extent that they can be accommodated with other legal responsibilities and basic principles of transparency applicable to ICANN operations.
Step Four: Resolution
Keeping in mind the anticipated impact on the operational stability, reliability, security, or global interoperability of the Internet's unique identifier systems, the Board should consider and take appropriate action on the recommendations contained in the General Counsel's report as soon as practicable. Actions could include, but are not limited to:
Step Five: Public Notice
The Board's resolution of the issue, together with the General Counsel's report, should ordinarily be made public, along with the reasons for it, and be archived on a public website (along with other related materials) for future research. Prior to release of such information to the public, the Registry/Registrar may request that certain information (including, but not limited to, communications between the Registry/Registrar and ICANN, or other privileged/confidential information) be redacted from the public notice. In the event that such redactions make it difficult to convey to the public the nature of the actions being taken by the Registry/Registrar, the General Counsel should work with the Registry/Registrar on an appropriate notice to the public describing the actions being taken and the justification for such actions.
Unless the Board decides otherwise, if the result of its resolution of the issue is that data elements in the registrar's Whois output will be removed or made less accessible, ICANN should issue an appropriate notice to the public of the resolution and of the reasons for ICANN's forbearance from enforcement of full compliance with the contractual provision in question.
Step Six: Ongoing Review
With substantial input from the relevant registries or registrars, together with all constituencies, there should be a review of the pros and cons of how the process worked, and the development of revisions designed to make the process better and more efficient, should the need arise again at some point in the future.
1.2 Summary of Task Force voting on the recommendation
The task force vote on the recommendation and advice for a procedure was held during a task force conference call on 6 September 2005. The recommendation and advice for a procedure were supported unanimously.
2 Constituency statements
2.1 Commercial and Business User Constituency
2.2 Non-Commercial User Constituency
2.3 Intellectual Property Constituency
2.4 Registrar Constituency
2.5 Registry Constituency statement
2.6 Internet Service Providers & Connectivity Providers Constituency