[NCUC-DISCUSS] Comment on GDPR model

Renata Aquino Ribeiro raquino at gmail.com
Mon Jan 29 14:43:35 CET 2018


Dear all

Fwd from NCSG list, the comment on GDPR model 3 submitted by Milton Mueller
For your knowledge

Best,

Renata


Subject: Comments on the Whois compliance models
From: "Mueller, Milton L" <milton at GATECH.EDU>
Reply-To: Mueller, Milton L
Date: Sat, 27 Jan 2018 02:00:29 +0000

I offer the following as a first draft of the NCSG position on the 12
January 2018 call for comments released by ICANN org.



Principles

Our evaluation of the models offered by ICANN is based on three
fundamental principles. No model that fails to conform to all three is
acceptable to the NCSG.



1. The purpose of whois must be strictly tied to ICANN's mission. That
is, the data that is collected and the data that are published must
directly and demonstrably contribute to ICANN's mission as defined in
Article 1 of its new bylaws. We reject any definition of Whois purpose
that is based on the way people happen to make use of data that can be
accessed indiscriminately in a public directory. The fact that certain
people currently use Whois for any purpose does not mean that the
purpose of Whois is to provide thick data about the domain and its
registrant to anyone who wants it for any reason.



2. Whois service, like the DNS itself, should be globally uniform and
not vary by jurisdiction. ICANN was created to provide globalized
governance of the DNS so that it would continue to be globally
compatible and coordinated. Any solution that involves fragmenting the
policies and practices of Whois along jurisdictional lines is not
desirable.



3. No tiered access solution that involves establishing new criteria
for access can feasibly be created in the next 3 months. We would
strongly resist throwing the community into a hopeless rush to come up
with entirely new policies, standards and practices involving tiered
access to data, and we do not want ICANN staff to invent a policy that
is not subject to community review and approval.



Based on these three principles, we believe that Model 3 is the only
viable option available. Model 3 minimizes the data publicly displayed
to that which is required for maintaining the stability, security and
resiliency of the DNS. Model 3 could be applied across the board, and
would be presumptively legal regardless of which jurisdiction the
registrar, registry or registrant are in. And Model 3 relies on
established legal due process for gaining access to additional
information.



There is room for discussion about how much data could be publicly
displayed under Model 3 consistent with ICANN's mission. E.g., it may
be within ICANN's mission to include additional data in the public
record, such as an email address for the technical contact and even
possibly the name of the registrant.



The process of gaining access to additional data in Model 1 is
completely unacceptable. Self-certification by any third party
requestor is, we believe, not compliant with GDPR, nor is such
access justified by the purpose of Whois or ICANN's mission.



Model 2 might possibly be acceptable if a suitable set of criteria
and processes were devised, but it simply is not feasible for such a
certification program to be developed in 3 months. A certification
program thrown together in a rush poses huge risks for loopholes, poor
procedures, and a legal challenge to ICANN, either from DPAs or from
individuals affected.



Dr. Milton L. Mueller

Professor, School of Public Policy

Georgia Institute of Technology

