If B, C, or D, please elaborate.

Section 2.2 is incorrect as drafted. This policy’s scope is not limited to only the purposes listed in Data Protection Agreements “DPA” that are under discussion. Even when negotiated and agreed upon, those agreements are subject to change as conditions change. The scope of this policy clearly includes data collection, processing, publication, and, importantly, disclosure to third parties as required by this policy and/or governing law. The absence of required DPAs has put numerous ICANN initiatives on hold. Data Accuracy Scoping is a good example of where the absence of a DPA has stalled critical portions of the work. INTA notes the urgency for ICANN to complete negotiations with the Contracted Parties for appropriate DPAs. The negotiations should be prioritized and expedited to facilitate data processing and data access to the benefit of the community.

If B, C, or D, please elaborate.

Sections 10.5 and 10.6 of the Draft Policy propose deadlines for Registrars and Registry Operators for acknowledging receipt of Requests for Lawful Disclosure. INTA believes that these turnaround times are unduly and unnecessarily long. The responses will undoubtedly be generated by an automated system, rather than by an individual looking through the contents of a file cabinet. Specifically, the draft proposes that a Request for Lawful Disclosure shall be acknowledged without undue delay, which may be as much as two business days from receipt. Both businesses and government agencies routine generate acknowledgement of a submission virtually instantaneously. It is difficult to imagine any reason why it could or should take two business days to generate an automated response. Of greater concern, the draft proposes that a Registrar or Registry Operator may take as long as thirty calendar days to respond to a Request for Lawful Disclosure. If the criteria for providing access to non-public Registration Data are reasonable and clearly defined, thirty calendar days for a response is unnecessary and wholly too long. Section 10.2.3 proposes that a Reasonable Request for Lawful Disclosure must provide information about its legal rights and the basis for its request. The draft, however, does not provide any indication as to the circumstances under which a request will be evaluated other than to say that it must be considered on its merits. The only guidance as to whether a request should be granted appears in Section 10.7.2, which states that if the request for data is refused, the Registry Operator or Registrar must provide an analysis and explanation of how the fundamental rights and freedoms of the data subject were weighed against the legitimate interest of the request. It should be made clear that Registrars and Registry Operators are not to decide whether the requesting party will be entitled to relief on the merits of its claim, just whether they have set forth a reasonable basis for a potential claim where the requested information should be provided so the claim may move forward. Moreover, without further guidance as to whether a request should be granted, each Registrar and Registry Operator would be free to apply its own subjective criteria in determining whether a request for data is reasonable and how to balance the rights and interests of the data subject and the requestor, which will undoubtedly lead to inconsistent results, which should not be allowed. INTA agrees that protecting the right to privacy is of great importance. Even so, it must be recognized that there are occasions where other interests, such as the harm incurred by end users may outweigh the right to privacy.