Matt Taylor

Received 22 March 2017

General comment regarding eligibility of privacy option: excluding people in trade/organisations from utilising the privacy option will only negatively affect legitimate businesses, especially small businesses. There is nothing stopping dishonest people from providing fake details to their registrar. But honest people may have good reasons for wanting to keep their (especially home) address private e.g. a protection order. As I have submitted previously, this group of people would be required to pay for a PO Box to retain their privacy. Legitimate businesses “in trade” will always publish contact details on their website and if they don’t that is a major warning sign for consumers.

Perhaps a middle ground could be just prohibiting companies that are listed on the Companies Office register (or a similar overseas register that includes addresses) from using the privacy option. The Companies Office website records a company’s registered office address as well as addresses of their directors and shareholders, so these people already have their addresses published in an internet accessible database.

Real name requirement: Presumably the requirement is for a real name to be entered, and that that will be displayed regardless of electing a privacy option. For some individuals this may breach their privacy. Is there a specific reason why it’s considered this should not be withheld along with addresses?

Privacy/transparency reports: I suggest adding in the requirement to regularly publish a transparency/privacy report with a breakdown on number of requests, agencies, whether they were granted/declined etc (like Google/Facebook/Trade Me’s reports). 

Alternative: An alternative to this system would be to allow all details of any registrant to be withheld and simply require registrars to forward emails (this could be automated) and mail to the registrant. I do not suspect this would result in a significant amount of work for registrars. Full privacy protection works in other jurisdictions (although sometimes for an additional fee - which in my opinion should be avoided as privacy should not have a financial cost attached).

Brief suggestions of further changes are below:

Clarify 7.7 that not all contact details will be disclosed if the registrant has elected the privacy option.

Expand 8.4 re: appeal rights and notice requirements.

23.4: Privacy Act principles are not a high enough threshold (see recent commentary on Hager and Westpac). Should be amended to require legal compulsion, or disclosure to an official body e.g. directly to a Court, Disputes Tribunal or the Domain Name Commission Dispute Resolution Service after receipt of a statutory declaration regarding the necessity of the disclosure of the information. See for how the Ministry of Justice applies this policy.

23.7: Disagree with this; if it is so urgent, the requester should be able to legally compel disclosure. I don’t envisage that domain name registrant information would ever be that relevant to a life or death situation (e.g. someone who is suicidal). Organisations holding location data or IP addresses would be more likely to be able to provide useful information to the appropriate authorities in these circumstances.

23.9: Requirement should be a statutory declaration.

23.12: Should be able to take into account any relevant information regarding trustworthiness, honesty, integrity, character etc.

23.13.2: Should the requester’s address be disclosed to the registrant? It seems unbalanced to not require someone requesting personal information of someone else to be able to be anonymous.

23.17: Disclosure to the Court etc. directly should always occur, not to lawyers (and disclosure to lawyers would be unworkable when someone is self-represented anyway). See the Ministry of Justice’s process for how they apply this policy:

23.19: Unless DNCL is legally compelled not to disclose the request, why not disclose it? People can’t challenge a request they are not aware of.

23.21: “Not all of the Withheld Data may be provided at the discretion of DNCL” is vague - what does this refer to?

23.22: Misuse should always be reported to the Privacy Commissioner, and probably the Police.

23.24: Why not consult if disclosure by DNCL is not legally prohibited?

23.25 and subsequent relevant clauses: Which entities is this intended to apply to? Any automation of access would be highly concerning and I would disagree with the inclusion of this. If this clause is kept in, MOUs should need to be publicly notified and a reasonable opportunity for public submissions offered.

23.27: Why is Withheld Data necessary for anyone to maintain the integrity for the internet?