Speaking as one of the victims of European and national authorities. Consequences of privacy law for .nl registry policy. About SIDN — statistics. Background: EU privacy directive, implemented in NL by personal data protection act. Legal analysis of other legislations: Telecommunication data directive and implementation in NL not applicable. NL tax legislation not relevant. Criminal act not relevant.
Extensive consultation in 2001. Alternative dispute resolution — direct effects on use of WHOIS. Open up .nl? Only Dutch companies could register directly under .nl until this year. Opened up as result of consultation. WHOIS — asked specific questions. What kind of detail needs to be provided? What’s proper protection? Rate-limiting? Opt-out?
Two worlds with respect to WHOIS: Function v. protocol. Have to distinguish. Can’t implement sophisticated privacy things in transactionless RFC 954 WHOIS protocol. WHOIS not necessary for running the DNS. There are registries without. Have to specify other purpose or interest. Purpose of WHOIS use? “is” v. “whois” — see much use of WHOIS to see whether domain name is available for registration.
Back to meaning of data protection act for WHOIS. Definition of “processing” of data is very broad. Includes collection, provisioning, deletion, and more. To implement data protection act, don’t just focus on WHOIS, but on whole process. Double necessity criteria for processing of data. 1. Purpose must be legitimate. 2. Data has to be adequate. Data has to be within limits of purpose. …
Informing registrant about processing. Make sure that security, auditing, tracking is in line with data protection act.
WHOIS not necessary for registry to fulfill functions. If you want to have WHOIS, there need to be other interests for which you provide data. NL: Four specific purposes for providing WHOIS. 1. Solve technical problems. 2. Check registration. 3. IP rights. 4. Combat harmful and illegal content.
Results: Specific clauses in contracts. Specific regulation on .nl regulation. Operational: General limitation on WHOIS queries (15 per IP per day). Exemption for registrars (5,000 per day and IP-range).
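The query limits above, sketched as an added example (not SIDN's implementation and not from the talk): a daily quota that counts ordinary clients per source IP and registrars per IP range. The class name, the registrar range and the reset on UTC calendar days are assumptions; only the figures 15 and 5,000 come from the notes.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

PUBLIC_LIMIT = 15        # queries per IP per day (figure from the notes)
REGISTRAR_LIMIT = 5000   # queries per registrar IP range per day (from the notes)


class WhoisQuota:
    """Daily WHOIS query quota: per source IP, or per range for registrars."""

    def __init__(self, registrar_ranges):
        # registrar_ranges: CIDR strings of exempted registrars (constructed input)
        self.ranges = [ipaddress.ip_network(r) for r in registrar_ranges]
        self.day = None
        self.counts = defaultdict(int)

    def _bucket(self, ip):
        """Return (counter key, limit) for a source address."""
        addr = ipaddress.ip_address(ip)
        for net in self.ranges:
            if addr in net:                   # False on IPv4/IPv6 mismatch
                return net, REGISTRAR_LIMIT   # whole range shares one counter
        return addr, PUBLIC_LIMIT

    def allow(self, ip, now=None):
        """Count one query; return True if it is within today's quota."""
        now = now or datetime.now(timezone.utc)
        today = now.date()                    # assumption: "day" = UTC calendar day
        if today != self.day:                 # new day: reset all counters
            self.day, self.counts = today, defaultdict(int)
        key, limit = self._bucket(ip)
        if self.counts[key] >= limit:
            return False                      # refused queries are not counted
        self.counts[key] += 1
        return True
```

Because a registrar's range shares one counter, the 5,000 allowance cannot be multiplied by spreading queries across addresses inside that range.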
Details: Properly inform registrant about collection and publication. Opt-out possibility. Come up with good reason to use opt-out. 900 requests so far, 6 granted.
Regulation on processing: Translate roles in registration into roles in privacy regulations. … Found a way to implement directive. Balanced with interests of local Internet community. Specific for Dutch circumstances. Others may define other purposes. Assessment of individual opt-out complicated.
Auerbach: Inconsistencies — purpose vs. “automatic legitimacy”? State purpose? Boswinkel: Limited — 15 queries per day.