First I would like to agree with the report’s general position that national laws and regulations
regarding personal data protection should be respected. It would have been an
undue burden on registrars not to comply with their local laws in order to
conform with whois policy, and this would have made a really negative effect on
the protection of unsuspecting local domain name registrants. In a country like
Korea this position of the preliminary report is a particularly important one
because privacy laws and data protection laws are in the middle of being revised
and amended pursuant to the recent development of digital technology and its
various impacts. In such a situation, privacy principles of the country and
local stakeholders’ relevant interests are better to be respected and
coordinated while not prematurely influenced by policies mainly made by external
factors. I support the report’s recommendation that a process should be made for
appropriate changes in case of a conflict of national law and whois policy.
Secondly, I also agree with the recommendation that more conspicuous
notice regarding possible uses of the data and relevant processes should be
given to registrants at the time of registration. But I also would like to
comment that notice is not enough to properly protect registrants from abuses of
data that they may or may not realize, and that more discussion regarding
obtaining consent from registrants should be made and some kind of process
should be devised for this purpose. Especially in the case of sensitive data,
registrants should have a right not to give consent. And this option may become
a realistic tool for protecting registrants only if the registrants fully
understand the process and purpose of the data use, possible consequences, other
options they may have, etc. For this purpose, some kind of education and
outreach programs should be devised.
Thirdly, I am somewhat concerned about the “tiered access” system recommended in section 3.5. Although
registrants should have an option to display any or all of their information to
the public, it is also important to know whether they understand the
implications and consequences of implementing such an option, especially in case
of sensitive data. “Individual choice” may mean one thing in one culture but another thing in
another country. I suggest that we should be very careful about imposing the
western, developed countries’ notion of an “individual’s informed consent” to all the registrants in the world, because the
registrants may or may not have necessary knowledge and understanding in order
for the consent to be meaningful. This is not an easy problem that we can tackle
with in the short run, but differences in cultural backgrounds and knowledge
levels are something that should be discussed in ICANN in the long run.
In
addition, providing access to those meeting the requirements and identifying a
legitimate use and issuing them a portable credential can be dangerous if they
abuse the credential once acquired. Providing access to personal data should be
always made on an individual use-by-use basis, in order not to give them ample
chance to abuse. This is especially important in the case of intellectual
property law firms or any famous players in the field, and they should not be
provided any easier or blanket access to data but should be identified for their
identity and purpose of each use every time they request data. It is also
important to devise a mechanism to provide immediate notification to the
registrant “before” the data are released, so that they registrant could
find self-protecting measures if necessary.
Jisuk Woo
Seoul National University
Jinbonet Korea
우지숙
서울대학교 행정대학원
Assistant Professor
Graduate School of Public Administration
Seoul National University
tel: 02-880-5633
fax: 02-6248-0951
email: jisuk@xxxxxxxxx
|