Registrars and NCUC discussing WHOIS and privacy laws (T. Roessler's notes)

Adam Peake ajp at GLOCOM.AC.JP
Wed Mar 3 10:30:48 CET 2004


Many thanks to Thomas for the notes.

Adam


<http://log.does-not-exist.org/archives/2004/03/02/1405_registrars_and_ncuc_discussing_whois_and_privacy_laws.html#more>

No Such Weblog
Thomas Roessler's notes on ICANN, the GNSO, the ALAC, and less virtual topics.

March 02, 2004
Registrars and NCUC discussing WHOIS and privacy laws.

The non-commercial constituency is visiting the registrars; the
meeting is joined by George Papapavlou from the European Commission.
Papapavlou tries to explain main legal concepts that determine
European approach to WHOIS. One of the task forces of GNSO has asked
GAC some questions. Papapavlou will try to give replies in this
meeting. Main starting point for European thinking on WHOIS: "What is
the purpose of WHOIS?" Answer this question, then you can answer
second question: "What data are we talking about?" In European legal
framework, processing of personal data is possible for specific
purpose. Once purpose has been defined, you know what data is
relevant. Purpose of WHOIS is not really clear. Initial idea: Need
contact data on specific domain names in case something gets wrong --
reach technical contact point. If this is purpose of WHOIS, that's
good starting point.

After intro remark, can answer to TF2 questions. First question:
Consent? Consent is not the only condition. Sufficient condition, but
other possibilities. Processing due to contract. Processing necessary
for complying with legal obligation of data controller, that's
possible. Processing in vital interest of data subject -- think of
unconscious victim of car accident. Processing in public interest.
Legitimate interest of data controller or third party, except when
overridden by data subject. If data subject objects, data protection
authority, possibility to go to court.

But specific conditions about processing. Fairly and lawfully.
Collect for specific purposes. Don't process for purposes that are
incompatible to original purpose.

Must data subject consent to disclosure? Not a necessary condition,
if disclosure was part of processing purpose of which data subject
has been informed. Data subject must be informed about recipients or
categories of recipients at time of collection.

Can data subject withdraw consent? In principle he can, but not an
absolute right. Room for judging legitimate interests. If it can be
shown -- to appropriate authority, or to court -- that data is
necessary for legitimate purpose that overrides data subject
interests, data can be processed against consent. No complaints to
authorities known. Marketing does not override!

Right to anonymity? There is right not to be included in directories.
Arguably, WHOIS is directory. Again, have to weigh legitimate
interests. Judgment to what extent data subjects can ask to remain
anonymous in WHOIS has not been made. In principle, right to
anonymity.

When there are various options to achieve a purpose, priority must be
given to least privacy-intrusive option. If legitimate interest wants
information about somebody, don't obtain entire database, but go to
relevant entity and ask for information. Rather than having access to
entire database, give access to specific data provided they explain
what they need access for. Access is form of processing. Access needs
justifiable reason.

Regulation on transmittal to other countries that is applicable in
connection with domain name registration? No specific regulation
speaking about domain name registration. But there is directive which
covers domain name registration, 95/46/EC. Has articles dealing with
transfers. Adequate data protection level in recipient country.
Member states have national law. But supervisory authorities have
been establishing opinions on data protection levels in countries.
General principle: Adequate data protection. But, exceptions. If
there is consent, transfer is possible. But has to be informed
consent. Data subject must know what happens. If there is contract
involved, processing necessary to fulfill contract, processing
allowed. Public interest involved? Public information registers -- may
be relevant! -- can be transferred.

Final question: Does applicability of law depend on location etc.? In
Europe, law of data controller's country applies. Registrar in
European member state, registry in European member state --
applicable. Registrar or registry outside Union, processing happens
inside Union, law of that member state applies.

Concluding remarks: Accuracy. Should data be more accurate? Yes.
Framework includes accuracy principle. Not going into details. Bulk
Access? No. Disproportionate and privacy-infringing step unless there
is convincing specific case for bulk access -- and then there needs
to be due process. If there is good evidence that a certain TLD is
used by several criminals, LE could get court warrant and receive
bulk data that way. Bulk access excessive not just for marketing, but
also for other purposes. Searching possibilities according to certain
criteria? Not just details about one domain, but find out how many
domain names individual owns, etc.? No. Privacy-infringing,
disproportionate, general presumption of guilt, excessive. Exception:
Appropriate permission by due process.

Point made by data-protection authorities: WHOIS is not tool for self-policing.

Questions? Ross Rader, on accuracy: 1. Not clear whether or not there
is presumption of verification? Pass on what data subject provides?
2. Canada has own policy. Differences and contrasts? George, second
question first. When last dealt with this, no dramatic differences.
But several years ago. Canada has adequate protection level. First
question, when law speaks of accuracy, it means that data subject has
right to correct their data. Not automatically obligation to data
controller to take proactive role in verifying data. Data subject has
right of access to data, correction of inaccurate data. ...
Papapavlou in reply to Broitman: Evaluation of implementation of
directive; some member states late. Evaluation process should lead to
decision on amendments. Not aware of any amendments being on the
table. Criticism of some points, but haven't seen proposals for
amending. Specific directive on telecommunications includes right not
to be included in directory. ... Discussion of directories and
telecommunications privacy directive: Right not to be included in
directory flows from general principles, is just spelled out in
telecommunications directive. Accuracy: Purpose has to be clear.

Elana: Balance may be blocking access to public, making information
available on right kind of request? Yes.

...

NCUC's take on WHOIS purpose? Milton: Technical coordination; put due
process guarantees in place. Too much stuff in there.
