[Fwd: [council] From the EU Article 29 Data Protection Wo...

KathrynKL at AOL.COM KathrynKL at AOL.COM
Sat Jun 24 21:07:04 CEST 2006 

Robin: Thanks so much for posting these letters.  I cut and pasted the text 
from Peter Schaar below.  He is the Chair of the Article 29 Working Party with 
all Data Protection Commissioners of the EU.

It is very exciting to see this letter.  Here in Marrakech, there is an 
active discussion taking place -- and I am very glad to see the Data Protection 
leaders joining it!

Regards, 
Kathy
p.s. for full footnotes, see the original letter (attached).
********************************
Article 29 Working Party 

Dear Sirs,
I am writing to you regarding the ongoing discussions on the application of 
the
data protection principles to the WHOIS directories as well as the latest 
development in the field of WHOIS.

The Working Party on the Protection of Individuals with regard to the 
Processing
of Personal Data (Article 29 WP) is aware of the fact that WHOIS discussions 
will take place in the framework of the upcoming ICANN/GAC meetings to be held 
in Marrakech on 24 – 30 June 2006.

The Article 29 WP is witnessing the growing importance of the WHOIS
discussions as more and more individuals are registering their own domain 
names and in this connection there have been complaints about improper use of the 
WHOIS data in several countries.

The Article 29 WP follows closely the work carried out by several ICANN
constituencies in the area of WHOIS directories and intends to contribute to 
the ongoing discussions by stressing a number of fundamental questions arising 
from the application of the data protection principles to the WHOIS 
directories.

>From a data protection point of view, it is essential to determine, in very 
clear
terms, what is the purpose of the WHOIS and which purpose(s) can be 
considered
legitimate and compatible with the original purpose. This is an extremely 
delicate matter as the purpose of the WHOIS directories can not be extended to 
other purposes just because they are considered useful by some potential users 
of the directories.

Article 6 c) of the Data protection directive1 imposes clear limitations 
concerning
the collection and processing of personal data meaning the data should be 
relevant and not excessive for the specific purpose. In that light it is 
essential to limit the amount of personal data to be collected and processed. This 
should be kept particularly in mind when discussing the wishes of some parties to 
increase the uniformity of the diverse WHOIS directories.

The registration of domain names by individuals raises different legal 
questions
than the registration by companies or other legal persons.

In the latter case, the publication of certain information about a company or
organisation is often a requirement by law in the framework of the commercial 
or
professional activities they perform. As a consequence of the right to 
object, it should be noted however, that also in the cases of companies or 
organisations registering domain names, individuals can not be forced to have their 
name published as a contact point.

In the first case, however, where an individual registers a domain name, the
situation is different and, while it is clear that the identity and contact 
information should be known to his/her service provider, there is no legal 
ground for justifying the
mandatory publication of personal data referring to this person. Such an 
application of the personal data of individuals, for instance their address and 
telephone number, would conflict with their right to determine whether their 
personal data are included in a public directory and if so which one.

In the light of the proportionality principle, it is necessary to look for 
less
intrusive methods that would still serve the purpose of the WHOIS directories 
without
having all data directly available on-line to everybody. The fact, that 
personal data are
publicly available does not mean that the requirements of the data protection 
directive do not apply to that data. On the contrary, it is perfectly clear 
from the wording of the data protection legislation that it applies to personal 
data made publicly available: even after personal data have been made public, 
they are still personal and as a consequence the data subjects can not be 
deprived of the protection they are entitled to as regards the processing of 
their data.

The Article 29 WP also wishes to emphasize its support for the proposals
concerning both accuracy of the data and limitation of bulk access, for 
example, direct marketing issues. Bulk use of WHOIS data for direct marketing is by 
no means in line with the purpose for which the directories were set up and 
are being maintained. The Article 29 WP encourages ICANN, its constituencies 
and the WHOIS community to look at privacy enhancing ways to run the WHOIS 
directories in such a way that serves its original purposes whilst protecting the 
rights of individuals. It should in any case be possible for individuals to 
register domain names without their personal details appearing on a publicly 
available register.

The original purposes of the WHOIS directories can however equally be served
by using a layered approach, as details of the person are known to the ISP 
that can, in case of problems related to the site, contact the individual or 
transmit the information to an enforcement authority entitled by law to access 
this information. This would allow the public to continue to access technical 
information as per the original purpose of WHOIS.

At the same time access to more sensitive information would be restricted to 
law
enforcement agencies with adequate authority2. This would allow ICANN to 
adhere to
data protection law as well as maintain the spirit of cooperation that has 
allowed the
Internet to flourish.

I would like finally to draw your attention to the Article 29 WP Opinion 
2/2003
on the application of the data protection principles to the WHOIS 
directories, where data protection principles have been spelled out3. Furthermore, a 
document "Common Position on Privacy and Data Protection aspects of the 
Registration of Domain Names on the Internet" prepared by the International Working 
Group on Data Protection in Telecommunications4 also covers privacy and data 
protection issues related to the WHOIS directories.

I wish you successful deliberations at the forthcoming meeting in Marrakech 
and
look very much forward to your early reply.

Yours sincerely,
Peter Schaar
Chairman (Article 29 Working Party)
Cc: Governmental Advisory Committee (GAC) Secretariat
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.ncuc.org/pipermail/ncuc-discuss/attachments/20060624/10400a66/attachment.html>

More information about the Ncuc-discuss mailing list