So what is the GDPR?
It comes into effect on 25 May 2018, and non-compliance will mean heavy fines. It is designed to harmonise data protection law across Europe and to give greater protection to the personal data and privacy of individuals in the EU.
It applies to any organisation that processes personal data in connection with offering goods or services to individuals in EU countries, which includes the registration of domain names by registrars, resellers and registries. That means businesses outside the EU that process data on people in the European Union must also comply, and that includes domain name registries and registrars wherever they are based.
Violation of the GDPR requirements will have severe consequences
The penalties for non-compliance are steep. Organisations can be fined up to €20 million or 4% of annual global turnover, whichever is higher, for breaching the GDPR. The GDPR also makes it easier for individuals to bring private claims against data controllers when their data privacy has been infringed, and to sue for compensation even where only non-material damage has been suffered. Where processing relies on consent, that consent must be freely given for the specific purpose, and withdrawing it must be as easy as giving it.
Personal data under the GDPR is any information relating to an identified or identifiable natural person, the ‘data subject’, that can be used to identify the person directly or indirectly. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites or medical information to an IP address. That also covers the WHOIS contact data collected when a domain name is registered.
The current WHOIS does not fulfil the GDPR requirements
ICANN’s contractual requirements for collecting and publishing registration data (WHOIS) are currently at odds with the GDPR. To that end, ICANN has stated it would consider deferring action against any gTLD registry or registrar for non-compliance with contractual obligations related to the handling of registration data. What the changes will be remains uncertain. The EU’s data protection authorities have told ICANN that WHOIS must change, because it does not currently meet the required standard.
The EU is not particularly happy with ICANN’s slow movement on the issue to date and says it has concerns with the current situation. In a letter to ICANN, the EU’s Article 29 Data Protection Working Party says “the unlimited publication of personal data of individual domain name holders raises serious concerns regarding the lawfulness of such practice under the current European Data Protection directive (95/46/EC), especially regarding the necessity to have a legitimate purpose and a legal ground for such processing.” The letter states that a “layered access” model may meet the GDPR while still giving law enforcement the access it requires. The EU has been calling for such layered access since 2003.
Regarding the publication of WHOIS data collected when registering a domain name, the Working Party’s letter also raises concerns about whether, and how, valid consent is obtained when that data is collected.
ICANN is working on a solution for the public WHOIS
ICANN is currently working with its community on a way to comply and has been trialling a WHOIS replacement, but a permanent means of dealing with the issue hasn’t been found yet. What is certain is that WHOIS must change. To that end, ICANN’s President and CEO Göran Marby wrote in a post on the ICANN Blog this month about the complexities. He reiterated that ICANN will “defer taking compliance action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data.” So any registry or ICANN-accredited registrar that seeks to comply with the GDPR, and in doing so breaches ICANN’s contractual requirements, will not for now face compliance action from ICANN.
On 12 January ICANN published three models that, Marby explains, “differ based on what contact information is displayed in the public-facing WHOIS, their applicability, the duration of data retention and what data is not displayed in a public-facing WHOIS.”
3 models to deal with domain registration data and EU's upcoming GDPR
In Marby’s post, he summarises the models at a high level as follows:
Model 1 would allow for the display of Thick registration data, with the exception of the registrant's phone number and email address, and the name and postal address of the technical and administrative contacts. To gain access to these non-public data points, third parties would be required to self-certify their legitimate interests for accessing the data. This model applies if the registrant is a natural person, and the registrant, registry, registrar and/or the data processor is in the European Economic Area.
Model 2 would allow for the display of Thin registration data, as well as the technical and administrative contacts' email addresses. To access the non-public information, registries and registrars would be required to provide access only to a defined set of third-party requestors certified under a formal accreditation/certification program. There are two variations on how this model would apply. Model 2A applies to registrants who are either natural or legal persons, where the registrant, registry, registrar and/or the data processor is in the European Economic Area. Model 2B would apply to registrants who are either natural or legal persons, regardless of where the registrant, registry, registrar and/or the data processor is located, that is, on a global basis.
Model 3 would allow for the display of Thin registration data and any other non-personal registration data. To access non-public information, a requestor would provide a subpoena or other order from a court or other judicial tribunal of competent jurisdiction. This model would apply to all registrations on a global basis.
Feedback on the three models is due by 29 January.