BACKGROUNDER BY NONCOMMERCIAL USERS CONSTITUENCY
International Data Protection Laws: Comments to ICANN from Commissioners and Organizations Regarding WHOIS and the Protection of Privacy
The Noncommercial Users Constituency (NCUC) feels that ICANN and the WHOIS TF must pay close attention to the authoritative formal written comments made by Data Protection Commissioners and their organizations. These opinions are exactly the type of expert input ICANN regularly asks for in its policy-making process. Further, these opinions come from those charged with interpretation, investigation and ultimately enforcement under their national laws. Ultimately, it is worthwhile to heed their advice, instruction and warnings.1
A: Comprehensive Data Protection Laws – An Overview
The European Union, as one of its early legislative acts, created comprehensive data protection legislation for its citizens in the 1995 EU Data Protection Directive, 95/46/EC. The goal of the legislation was to “remove the obstacles to the free movement of data without diminishing the protection of personal data.”2
Under the EU Data Protection Directive, all EU citizens are entitled to protections in the collection and use of their personal data. The first three principles of data protection are:
A. “Data must be processed fairly and lawfully.”
B. “They must be collected for explicit and legitimate purposes and used accordingly.”
C. “Data must be relevant and not excessive in relation to the purpose for which they are processed.”3
Codified in Article 6 of the EU Directive, the law requires that these principles be adopted into the data protection laws of each Member State.4 Further, the Directive gives EU citizens the right to file complaints regarding violations of their data protection rights and receive compensation for certain injuries (Articles 14 and 23). It also mandates that each Member State establish one (or more) Data Protection Authorities to monitor the laws within the country, investigate, intervene, and “engage in legal proceedings” where rights are being violated (Article 28).
The EU Directive applies directly to the 25 members of the EU: Belgium, Germany, France, Italy, Luxembourg, The Netherlands, Denmark, Ireland and the United Kingdom, Greece, Spain and Portugal, Austria, Finland, Sweden, Cyprus, Czech Republic, Estonia, Hungary, Latvia, Lithuania, Malta, Poland, Slovakia, and Slovenia.
Further, very similar laws have been adopted by other countries, including Israel. In addition, Canada adopted its own version of comprehensive data protection laws called the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA).
Approximately half of all ICANN-accredited registrars are based in countries with comprehensive data protection laws, and a growing percentage of domain name registrants come from these countries as well.
B: International and National Laws Protecting Privacy of Natural Persons:
Opinions from Leading Data Protection Authorities to ICANN
Experts on data protection laws for their countries and regions have published a number of opinions on the meaning and effect of these laws.5 In these carefully written opinions, the data protection authorities took the time to instruct ICANN on data protection principles, show that personal data is located in the WHOIS database, and guide ICANN towards changes to bring the WHOIS databases into compliance with international and national data protection laws.
1. The Article 29 Data Protection Working Party
Established by the EU Data Protection Directive, Comprised of Senior Members of Each Member State’s National Data Protection Authority
In February 2003, the Article 29 Data Protection Working Party (WP) wrote a strong opinion to ICANN and the world expressing the deep concerns of its members regarding the collection and publication of personal data in the WHOIS databases. According to Dr. Giovanni Buttarelli, Secretary-General of Italy’s Data Protection Authority and a principal author of the paper, over 25 countries worked on this opinion and it was intended to send a strong message to ICANN.6
The Article 29 WP Opinion is definitive and clear:7
a. Data Protection Commissions are receiving complaints regarding misuse of their personal data in the WHOIS databases:
“more and more individuals (private persons) are registering their own domain names and there have been complaints about improper use of the WHOIS data in several countries. The registration of domain names by individuals raises different legal considerations than that of companies…”
b. Fundamental rights and principles of the EU Data Protection Directive do apply to the WHOIS databases:
“Article 6c of the Directive imposes clear limitations concerning the collection and processing of personal data meaning that data should be relevant and not excessive for the specific purpose. In that light it is essential to limit the amount of personal data to be collected and processed.”
c. Changes must be made to bring the WHOIS databases into compliance with the EU Data Protection Directive:
“where an individual registers a domain name… there is no legal ground justifying the mandatory publication of personal data referring to this person.”
AND
“In the light of the proportionality principle
According to the Article 29 Working Party, it was very clear that the existing collection and publication of millions of pieces of personal data in the WHOIS databases is not consistent with the EU Data Protection Directive — and that significant changes must be made to bring the WHOIS databases into compliance with the data protection laws and protections of the EU.
The Article 29 WP recently repeated and affirmed this 2003 Opinion. On January 18, 2005, in a detailed statement about intellectual property owners collecting too much personal data as part of digital rights management, the Article 29 WP affirmed its deep concerns about WHOIS.9
2. International Working Group on Data Protection in Telecommunications
National and International Data Protection Organizations, Scientists and Specialists in Privacy and Telecommunications
Like the Article 29 WP, the International Working Group on Data Protection in Telecommunications (International WG) includes Data Protection Commissioners and international authorities on telecommunication and privacy. At the time of its opinions to ICANN in 2000 and 2003, the International WG was chaired by Dr. Hansjurgen Garstka, Commissioner for Data Protection for Berlin. The 2000 opinion (called the “Common Position”) expressed deep concerns about the WHOIS database:
a. It stated that data protection laws clearly apply to the personal data collected and published in the WHOIS database:
“the collection and publication of personal data of domain name holders gives itself rise to data protection and privacy issues.”
b. It instructed ICANN on the basic principles of data protection laws:
“The amount of data collected and made publicly available in the course of the registration of a domain name should be restricted to what is essential to fulfill the purpose specified.”
c. It drew clear conclusions that the existing collection and publication of personal data for registrants in the gTLDs violates international and national data protection laws:
“The current Registrar Accreditation Agreement (RAA) developed by ICANN does not reflect the goal of the protection of personal data of domain name holders in a sufficient way.”
AND
“The right not to have telephone numbers published – as recognized in most of the national telecommunications data protection regimes – should not be abolished when registering a domain name.”10
In a follow-up letter to ICANN in 2003, the International WG repeated its position and concerns to then ICANN president Stuart Lynn. The WG urged ICANN to take its instructions and concerns into account “when reshaping ICANN’s WHOIS policy.”11
3. The European Commission, Internal Market Directorate-General
Written Opinion and Speeches
In January 2003, the European Commission’s Internal Market Directorate-General expressed its concerns regarding personal data in the WHOIS database in a written opinion to ICANN. The EC discussed the basic data protection principles and rights under the EU Directive. It also gave ICANN some stark orders to:
“limit the amount of personal data to be collected and processed”
AND
“look for less intrusive methods that would still serve the purpose of the WHOIS database without having all data available to everybody.”12
Subsequent written comments of officials of the European Commission’s Internal Market DG to ICANN’s Government Advisory Committee (GAC) on May 12, 2003, pointed out the stark impact of WHOIS policies on citizens living in countries with comprehensive data protection rights:
“It does not seem reasonable that gTLDs, which by their nature are global, should operate in a manner that results in the loss of legally established rights for a significant part of their client base.”13
In speeches to ICANN groups, EC Internal Market officials repeated these requirements and provided additional insight into their concerns and conclusions. At the Montreal ICANN meeting in 2003, Diana Alfonso Blas shared with ICANN the:
– “Need to respect the existing data protection framework in Europe, contracts can in no case overrule the law”
– “Need to look for privacy-enhancing ways to run the Whois directories in a way that serves the original purpose whilst protecting the rights of individuals”
And the EC’s very realistic conclusion that:
– “not everything that might seem useful or desirable is legally possible!”14
George Papavlou delivered similar points in his discussions of “WHOIS data: The EU legal principles” at the Rome ICANN meeting in 2004.
C: The Canadian Personal Information Protection and Electronic Documents Act and Upcoming Changes to the .CA Whois
The Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) went into effect on January 1, 2001.15 Through a phase-in process, Canada’s privacy laws reached “every organization that collects, uses or discloses personal information in the course of a commercial activity within a province” on January 1, 2004.16
On November 12, 2005, CIRA (the Canadian domain registration authority for .CA) posted for public comment its new policy to protect personal data from mandatory publication in the .CA WHOIS. Updated to comply with PIPEDA, CIRA’s new rules propose that the .CA WHOIS will list only limited technical data for individuals. The new proposal states:
“the information that must be publicly available about dot-ca domain names registered by individuals (not businesses or organizations) will be limited to several pieces of technical information, including server Internet Protocol Names/Numbers, registration date, expiration date, “last changed” date, and the name of the Registrar.”17
If a domain name registrant specifically requests publication of his/her name, address, phone, fax and email – or such data for an Administrative Contact or Authorized Representative – the option is available (on a completely voluntary “opt-in” basis).
It seems safe to say that today there are strong and growing expectations among Canadian domain name registrants for protection of privacy and personal data in the WHOIS databases.18
D. Australia: Domain Name Privacy For All Registrants
Like the European Union and Canada, Australia has adopted comprehensive data protection legislation. The Australian Privacy Act, passed in 1988, initially set out principles governing the handling of personal data by federal government agencies. Amended in 2000, it now includes Ten Privacy Principles which extend the data protection laws to the private sector in Australia.19
The Ten Privacy Principles mandate limits on the collection, use and disclosure of personal data by private businesses, and bar the transfer of personal data to other countries that lack laws or contracts providing equivalent data protection. Interestingly, the Principles include a special protection for anonymous speech:
“Anonymity
Wherever it is lawful and practicable, individuals must have the option of not identifying themselves when entering transactions with an organisation.”20
In 2002 and 2003, Australia’s country code registrar, auDA, responded to the extension of data protection laws to the private sector by adopting two new privacy policies. The first, its Privacy Policy (2002-10), limits auDA’s collection, use and disclosure of personal data from its customers.21 The second, its WHOIS Policy (2003-08), significantly changed the display of data from the .AU Whois database.22 In response to a query, the .AU Whois display no longer includes the street address, telephone and fax of the registrant and technical contact. Only the name and email address of the registrant contact and technical contact are provided.
This Whois policy applies not only to the domain name data of individuals, but also those of companies and organizations. According to comments posted by individuals actively involved in the creation of the new Whois policy, the changes protect not only the privacy of individuals and families, but small and home-based businesses, hobbyists and those who run political, social and community websites.
Conclusion:
The authorities from countries with comprehensive data protection laws have spoken clearly and frequently to ICANN. They also have been patient with the long ICANN WHOIS process. Now it is time for ICANN to listen. ICANN should recognize the warnings — that the WHOIS databases for the gTLDs do not comply with data protection laws — and act to limit the amount of personal data we collect and publish in the WHOIS databases as quickly as possible.
In conclusion, ICANN is not above or outside national data protection laws. In every other area of Internet and telecommunications operations, companies find ways to protect personal data, help track bad actors and run successful and profitable businesses. ICANN can and must do the same.