"Let's remember where ICANN's power comes from: contracts. ICANN's ability to make rules and enforce them stems only from the contracts it has signed with registries and registrars. The registry/registrar contracts say that these businesses will comply with future ICANN policies that are supported by a documented consensus among affected parties. These standard policies don't have to come from national law -- indeed, in most cases, national governments will never have thought about the subject of the policy. What government cares about the Redemption Grace Period consensus policy? Or a policy on Deletes? The point about consensus policies (and, indeed, the whole point of the consensus process) is that they are global rules that most affected parties have contractually agreed to go along with -- whether or not such policies have a source in national law. The idea is that, through the hard work of consensus generation and documentation, ICANN will be able to create a few global rules that provide more predictable policies for the domain name space than whatever rules would result from a choice of law analysis applied to every different situation.
The UDRP has been "grandfathered" as a consensus policy that is applied uniformly to all gTLD registries, through their contracts with ICANN. The central point of the UDRP, and the reason it was adopted, is that it creates some global standards for cybersquatting disputes: e.g., "bad faith registration." This standard wasn't a feature of any national law before the UDRP was drafted. We needed a single uniform rule that would be relatively easy and inexpensive to apply. The UDRP rules state, along these lines, that a panelist can decide disputes "on the basis of the statements and documents submitted and in accordance with the Policy, these Rules and any rules and principles of law that it deems applicable." When a UDRP panelist is confronted with questions like whether a registrant has a legal right to a name, or whether instead a registrant has "no rights or legitimate interests" in that name, the panelist can apply appropriate local law. But the overall "bad faith" determination is a globally applicable standard that was not itself part of any particular national law. That was the point.
ICANN's recent announcement that it has to study whether it can make rules "not based on established laws" demonstrates a serious misunderstanding of ICANN's role in the world -- and of the role of consensus policies. The major original goal of ICANN was to create a source of uniform global DNS policies on a narrow range of subjects -- those as to which global uniformity was widely agreed to be necessary to assure continued technical interoperation and stability of the DNS. ICANN should do just that.
Based on the comments submitted so far, it doesn't look as if there is much support for WIPO's proposals -- and so, probably, no consensus in favor of such a policy could be demonstrated. If that's the case, registries under contract with ICANN won't be contractually required to adopt a modified UDRP, no matter what WIPO (or even the ICANN Board) may think is the "best policy." That's the way the system should work.
ICANN seems to think that if it bases all of its policies on national law, it will be safe from criticism. Something like this sentiment may be animating its recent statements about whois policies, to the effect that the privacy issues relating to whois are "a matter of local law." But moving away from ICANN's clear source of contractual power towards the supposed shelter of national laws is actually a move in the direction of a swamp: local laws will always conflict and cannot be harmonized. That's why ICANN was structured to create global consensus policies. Limiting consensus policies to what is "based in local law" is impossible. Limiting ICANN "policies" (broadly defined) to non-consensus-based decrees that merely echo local law ignores the key term of the contracts.
That is not to say that local laws are irrelevant. Registries and registrars are, of course, required to comply with the laws of their home countries. But whether local governments will pass many laws touching the DNS is a question of whether the core policy issues are appropriately tackled by ICANN in the first instance. For example, if ICANN finds a way in the whois discussion to give law enforcement what it needs, while protecting privacy to some degree, then governments may defer to the ICANN regime.
The entire ICANN enterprise would have been pointless if (1) all it is doing is restating local law and (2) it can't make globally uniform contractually binding policies unless there happens to be some globally uniform local law on the subject. Under that view, ICANN would become a law enforcement agency helping local sovereigns extend their jurisdiction -- hardly a role for a California not-for-profit company. ICANN should stay away from the swamp of "established law." But it could do a lot, right now, to clarify the scope of its regulatory policy-making powers and the limitations on those powers.
It is spring, the season of gardening. So it's a good time for ICANN to both explain and reinvigorate its policy-making process and powers. The best way for ICANN to start doing that would be by pruning its own contractual underbrush. The registry contracts have been growing unchecked for some time under the care of those who may have forgotten ICANN's central mission and mandate: providing a forum for developing policies most can agree are needed at a global level (and enforcing those policies through contracts that registries/registrars are willing to sign precisely because they only impose policies on which most can agree).
Tempted to get into specifics, ICANN's prior staff supplemented the key consensus policy provision with numerous additional clauses, attachments and addendums, all of which serve to crystallize particular staff views that were in effect when those particular contracts were written (and that could be imposed on eager applicants for new TLD contracts or registrar accreditation). These contracts stand in the way of a vibrant future for constructive policy-making by the ICANN community (not to mention healthy competition between registries and registrars to provide new services to registrants).
Right now, if a registry adds a single new service, large numbers of contractual appendices have to be changed in small and complicated ways. ICANN's entire contractual structure has become a rococco menace -- artificial, excessively ornamented, and susceptible to collapse. This structure gives whoever sits in the General Counsel's chair far too much power to create new complications for businesses that want to open up new services. If ICANN offered clear, slender contracts, maybe even ccTLDs would agree to them too. The central premise of these new contracts would be the same bargain that underlay the creation of ICANN in the first place: registries and registrars agree to follow future ICANN policies if they are supported by demonstrable consensus.
We want to make clear that (1) contractually-binding, mandatory, broadly-applicable Consensus Policies are not the same thing as (2) the Institutional Decisions that ICANN makes (such as what advice to give the US DOC in connection with the process to open up new gTLDs). In the former case, to document consensus we need to get clear information about who objects, with what stake, for what reason. In the case of institutional decisions (which do not impose mandatory duties or prohibitions on third parties), we also need a clear record -- but the Board does have a right to make decisions that it believes best serves the community even in the absence of consensus. Clearing away the contractual underbrush, and making appropriate distinctions between contractually-binding consensus policies and institutional decisions, may provide an opportunity for ICANN to make very plain when it needs a full-fledged Policy Development Process (PDP) and when it doesn't.
The current confusion over the relationship of ICANN's consensus policies to local law is understandable. The current contracts are so long, and so full of details not based on consensus policies, that some ICANN participants have forgotten about the core clause (still in those contracts) concerning how future contractually binding ICANN policies must be made. Chopping back to that root agreement might do wonders by reminding everyone why they should participate in ICANN meetings -- and what the discussion is all about. It's not about letting staff (or even the Board) make regulatory policies based on their own wisdom. It's certainly not about echoing local law (even assuming anyone could determine what that is and which one should apply). It is about whether and when and why we may need a few global rules for the DNS, and finding the version of those rules on which most affected parties can agree. If we got this constructive vision of policy development right, affected parties would show up, understanding that their objections would need to be dealt with in order to create mandatory policies (as long as those objections aren't from people who are looking to harm the competitive marketplace or impose unjustifiable costs on others). These affected parties would know that they could contribute to policies that improve on local law by creating a uniform baseline of enforceable policies for the DNS. And, on the other hand, ICANN's discussions about institutional policies would be improved if everyone understood that what they were doing was informing the Board -- which would be entitled to make its own best decision without worrying about constituency "vetoes."
If we get back to those basics, we may grow a new and fruitful garden by fall."