<HTML><FONT FACE=arial,helvetica><HTML><FONT SIZE=2 PTSIZE=10 FAMILY="SANSSERIF" FACE="Arial" LANG="0">Robin: Thanks so much for posting these letters. I cut and pasted the text from Peter Schaar below. He is the Chair of the Article 29 Working Party with all Data Protection Commissioners of the EU.<BR>
<BR>
It is very exciting to see this letter. Here in Marrakech, there is an active discussion taking place -- and I am very glad to see the Data Protection leaders joining it!<BR>
<BR>
Regards, <BR>
Kathy<BR>
p.s. for full footnotes, see the original letter (attached).<BR>
********************************<BR>
Article 29 Working Party <BR>
<BR>
Dear Sirs,<BR>
I am writing to you regarding the ongoing discussions on the application of the<BR>
data protection principles to the WHOIS directories as well as the latest development in the field of WHOIS.<BR>
<BR>
The Working Party on the Protection of Individuals with regard to the Processing<BR>
of Personal Data (Article 29 WP) is aware of the fact that WHOIS discussions will take place in the framework of the upcoming ICANN/GAC meetings to be held in Marrakech on 24 – 30 June 2006.<BR>
<BR>
The Article 29 WP is witnessing the growing importance of the WHOIS<BR>
discussions as more and more individuals are registering their own domain names and in this connection there have been complaints about improper use of the WHOIS data in several countries.<BR>
<BR>
The Article 29 WP follows closely the work carried out by several ICANN<BR>
constituencies in the area of WHOIS directories and intends to contribute to the ongoing discussions by stressing a number of fundamental questions arising from the application of the data protection principles to the WHOIS directories.<BR>
<BR>
>From a data protection point of view, it is essential to determine, in very clear<BR>
terms, what is the purpose of the WHOIS and which purpose(s) can be considered<BR>
legitimate and compatible with the original purpose. This is an extremely delicate matter as the purpose of the WHOIS directories can not be extended to other purposes just because they are considered useful by some potential users of the directories.<BR>
<BR>
Article 6 c) of the Data protection directive1 imposes clear limitations concerning<BR>
the collection and processing of personal data meaning the data should be relevant and not excessive for the specific purpose. In that light it is essential to limit the amount of personal data to be collected and processed. This should be kept particularly in mind when discussing the wishes of some parties to increase the uniformity of the diverse WHOIS directories.<BR>
<BR>
The registration of domain names by individuals raises different legal questions<BR>
than the registration by companies or other legal persons.<BR>
<BR>
In the latter case, the publication of certain information about a company or<BR>
organisation is often a requirement by law in the framework of the commercial or<BR>
professional activities they perform. As a consequence of the right to object, it should be noted however, that also in the cases of companies or organisations registering domain names, individuals can not be forced to have their name published as a contact point.<BR>
<BR>
In the first case, however, where an individual registers a domain name, the<BR>
situation is different and, while it is clear that the identity and contact information should be known to his/her service provider, there is no legal ground for justifying the<BR>
mandatory publication of personal data referring to this person. Such an application of the personal data of individuals, for instance their address and telephone number, would conflict with their right to determine whether their personal data are included in a public directory and if so which one.<BR>
<BR>
In the light of the proportionality principle, it is necessary to look for less<BR>
intrusive methods that would still serve the purpose of the WHOIS directories without<BR>
having all data directly available on-line to everybody. The fact, that personal data are<BR>
publicly available does not mean that the requirements of the data protection directive do not apply to that data. On the contrary, it is perfectly clear from the wording of the data protection legislation that it applies to personal data made publicly available: even after personal data have been made public, they are still personal and as a consequence the data subjects can not be deprived of the protection they are entitled to as regards the processing of their data.<BR>
<BR>
The Article 29 WP also wishes to emphasize its support for the proposals<BR>
concerning both accuracy of the data and limitation of bulk access, for example, direct marketing issues. Bulk use of WHOIS data for direct marketing is by no means in line with the purpose for which the directories were set up and are being maintained. The Article 29 WP encourages ICANN, its constituencies and the WHOIS community to look at privacy enhancing ways to run the WHOIS directories in such a way that serves its original purposes whilst protecting the rights of individuals. It should in any case be possible for individuals to register domain names without their personal details appearing on a publicly available register.<BR>
<BR>
The original purposes of the WHOIS directories can however equally be served<BR>
by using a layered approach, as details of the person are known to the ISP that can, in case of problems related to the site, contact the individual or transmit the information to an enforcement authority entitled by law to access this information. This would allow the public to continue to access technical information as per the original purpose of WHOIS.<BR>
<BR>
At the same time access to more sensitive information would be restricted to law<BR>
enforcement agencies with adequate authority2. This would allow ICANN to adhere to<BR>
data protection law as well as maintain the spirit of cooperation that has allowed the<BR>
Internet to flourish.<BR>
<BR>
I would like finally to draw your attention to the Article 29 WP Opinion 2/2003<BR>
on the application of the data protection principles to the WHOIS directories, where data protection principles have been spelled out3. Furthermore, a document "Common Position on Privacy and Data Protection aspects of the Registration of Domain Names on the Internet" prepared by the International Working Group on Data Protection in Telecommunications4 also covers privacy and data protection issues related to the WHOIS directories.<BR>
<BR>
I wish you successful deliberations at the forthcoming meeting in Marrakech and<BR>
look very much forward to your early reply.<BR>
<BR>
Yours sincerely,<BR>
Peter Schaar<BR>
Chairman (Article 29 Working Party)<BR>
Cc: Governmental Advisory Committee (GAC) Secretariat</FONT></HTML>