icann rules vs privacy
DESCRIPTION
Presentation given to UCD Law School students, February 12, 2014. Gives an overview of ICANN and its function / role within the internet governance context. Moves into the conflicts between ICANN's contracts + policies with local laws, specifically privacyTRANSCRIPT
ICANN Rules vs. Privacy With Michele Neylon
ICANN Rules (Contract) vs. Privacy
Michele Neylon
Who am I?
Michele Neylon -‐ Founder / CEO Blacknight -‐ h>p://mneylon.tel -‐ @mneylon -‐ h>p://michele.me/blog -‐ IIA Net Visionary 2013 -‐ Chair RrsG, Chair Registrar
Advisory Board Eurid, member EWG
What Will I Cover?
• What is ICANN? • Registrars • EU law
• Registries • ICANN “law”
I am NOT a lawyer!
Who Runs The Internet?
Who Runs the Internet?
• Graphic: h>p://michele.cat/f4 • Lots of acronyms!: – ICANN, IETF, IGF, ISOC, W3C, RIRs, LIRs, IAB, ISO
Mixture of technical / operaZonal + policy LOTS OF LAWYERS
Head Hurts?
Why do I Care?
• ICANN – gTLDs (com, net, org etc) • ICANN -‐> new TLDs -‐> 1000+ new extensions • IANA -‐> ccTLDs • RIRs -‐> RIPE – LIR – ISP -‐> YOU
ICANN?
• US (California) CorporaZon • Formed 1998 • Internet CorporaZon for Assigned Names & Numbers
• Co-‐ordinaZon – stability / security / compeZZon
ICANN
• All registrars selling gTLDs have contract with ICANN
• Any registry operator has to have one too • If you want to register / buy a gTLD domain you have to deal with a “contracted party” directly or indirectly.
The EU Landscape is complex (Sort of)
• ccTLds • gTLDs • Regional TLD -‐ .eu • Geo TLDs -‐ .london, .paris • LinguisZc / Cultural -‐ .cat, .eus etc
Privacy?
• EU has privacy laws – US? Not so much (though they don’t like being reminded)
• European Data ProtecZon DirecZve 95/46/EC • DirecZve -‐> transposed naZonal law -‐> Data ProtecZon (Amendment) Act 2003
• Art. 29 Data ProtecZon Working Party -‐> DPAs of all 28 members of EU
Privacy + ICANN?
• Whois policy? • Data policies in general • 2013 contract -‐> specific data retenZon requirements (LEA wanted more)
EU Registries vs ICANN (Historical)
• .tel – delayed due to whois policy • .cat – 3 years+ to get a whois policy change + comply with Spanish law
Post Snowden World
Gelng away with murder?
• EU ciZzens more conscious of data privacy + digital issues than before
• Logically the risk of liZgaZon has increased • Irish DPC being sued for not being tough enough on Facebook!
• Registrars and registries at risk? • Is ICANN? Doubnul – they’re sZll safe in the US!
EU Law vs ICANN?
2013 RAA
• Illegal contract for EU based registrars • ONLY 1 EU based registrar “granted” waiver • PotenZally problemaZc for non-‐EU registrar with EU registrants – Data retenZon – Data elements to be collected – Periods of retenZon
ArZcle 29 Working Party
• 6th June le>er to ICANN (h>p://michele.cat/ch )
• “..to avoid unnecessary duplicaZon of work by 27 naZonal data protecZon authoriZes in Europe.. the WP wishes to provide a single statement for all relevant registrars targeZng individual domain name holders in Europe”
ArZcle 29 Working Party
• 2013 RAA obligaZons NOT based on legal requirement in EU
• Risk of data breach -‐> exposure of personal data
• Opposes Private corporaZon (ICANN) introducing data retenZon -‐> naZonal govt should do it (if needed)
ArZcle 29 vs ICANN
• ICANN’s responses haven’t been helpful • Art 29 wrote again see: • h>p://michele.cat/eh • Google France have learnt the hard way – slapped with 150k fine
What about Whois?
• Art 29 WP doesn’t like “open” whois • Most ccTLDs in EU “gate” data BUT ICANN forces registrars AND registries to publish EVERYTHING by default
• What will “Geo” gTLDs do?
ICANN’s response?
• Waiver process for retenZon / collecZon elements of 2013 RAA (see h>p://michele.cat/cg )
• No change on Whois “waiver” process (yet) • ArZcle 29 le>er rejected
Impact on Registrars / Registries
• Delays (they cost too) • Cost (lawyers don’t work for free!) • ONLY registrars on 2013 RAA can offer new TLDs – so we (Blacknight) can’t
• If a registrar doesn’t have a waiver then how will their DPC react?
• Is it worth the risk?
Waiver = how long?
• Advantage for registrars in countries with other registrars
• 45 days? 90 days? Based on current experience -‐> never?
• Timeline published by ICANN has a 30 day publicaZon period
Our Experience (so far)
• Delay • Submi>ed request on September 17th • Received basic acknowledgement same day • Received a reply on October 25th with queries • SZll going back and forth
The Future?
• GAC involvement? • ArZcle 29 WP again? • EU Commission? • ICANN?
QuesZons?
Thank You …
Credits
• Logos image via h>p://www.flickr.com/photos/27845211@N02/2616906744/sizes/l/
Who am I?
Michele Neylon -‐ Founder / CEO Blacknight -‐ h>p://mneylon.tel -‐ @mneylon -‐ h>p://michele.me/blog -‐ IIA Net Visionary 2013 -‐ Chair RrsG, Chair Registrar
Advisory Board Eurid, member EWG