From mid-May individuals who have registered .at domain names will have their registrant details hidden by default, although they can have the data published if they wish, while businesses will continue to have their contact details published in WHOIS as is the case now. The change is a result of the looming introduction of the E.U.'s new privacy law.
The coming of the E.U. General Data Protection Regulation (GDPR) is causing a bit of havoc among the domain name business. It comes into effect on 25 May. Gradually European ccTLD registries are rolling out how they’re going to comply. The GDPR is intended to give individuals in the European Union more control over their data held by business, with one data protection law for to strengthen and unify data protection for all individuals within the 28 member states of the E.U. It also addresses the export of personal data outside the E.U.
In recent weeks Nominet and DENIC have announced their plans. Nominet have opened a consultation to 4 April on their proposal that will mean they will no longer display any registrant’s name or address while DENIC will only record the contact details of the domain registrant, 2 additional email addresses as contact points for abuse reports and general and technical requests as well as the usual technical domain data.
“The GDPR”, nic.at’s CEO Richard Wein told Domain Pulse following the Domain Pulse conference in Munich in February, “is the biggest change in policy and procedures in the domain name community in many years. While EPP was a big change, it happened over time and there were no rigid deadlines, but change was smooth and happened quickly.”
Currently the nic.at WHOIS database, the public register of all registered .at domains, currently contains details on the holders of and contact persons for .at domains, regardless of whether they are companies or private individuals. Under the EU General Data Protection Regulation (GDPR), nic.at will only publish legal business data from mid-May 2018. Individuals can still have their data published if they wish.
For decades, it has been standard practice in domain administration to display domain holders’ data in a public database called WHOIS. The domain holder is informed of this when registering the domain. nic.at’s terms and conditions (T&C) form the legal basis for publication. This practice will change when the GDPR comes into effect.
“The GDPR defines special protection requirements for natural persons, so we will not publish their data any longer, although we still need to receive their details during the domain registration process,” explained head of nic.at’s legal department Barbara Schlossbauer. “The regulation is comes into force in mid-May 2018 and this will also lead to amendments in nic.at’s T&C and the registration guidelines for .at domains.”
In the future, the data shown for domains registered by individuals will only include the domain name, the registrar responsible and necessary technical information. If a company or organisation owns the domain, the holder’s name and address will still be published, although contact data like email address, telephone and fax number can be hidden upon request. The registrar submits information on whether a domain is held by a natural or legal person when registering the domain. If a private individual requests that their data be displayed, the registrar can also arrange this. “There will certainly be a lot of cases where people will definitely want to show that a real, trustworthy person is responsible for a particular website,” explains Schlossbauer.
Until now, domain holders’ data have been publicly accessible at nic.at. From mid-May, this will no longer be possible. “In future, natural persons’ domain data will only be accessible to people who identify themselves and have a legitimate legal reason for finding out who the domain holder is,” Schlossbauer points out. This includes law enforcement agencies, lawyers or people who contact nic.at following domain disputes and can prove that their rights have been infringed.
The adaptations in the WHOIS policy will not affect the public domain availability check, explains Schlossbauer: “When it comes to obtaining accurate information on whether a .at, .co.at or .or.at domain is still available, nic.at will remain the first point of contact for reliable availability checks.”
But the changes being adopted by each country code top level domain registry across Europe are a missed opportunity according to Wein.
“The opportunity for the ccTLD registries across Europe to work together and propose one solution was a missed opportunity,” said Wein.
“Every ccTLD appears to be doing something different, even if very slightly, and it’s a pity that the industry couldn’t develop one standard. It will mean registrars will have to implement 10, 20, maybe even 28, different solutions depending on how many ccTLDs for EU countries they sell. The situation is a nightmare.”
“Then there comes the problem with no WHOIS available to law enforcement, government bodies and brand protection. How can they get the registrant information? Registries are not allowed to give out information such as to the police without a good reason. Potential buyers of a domain name will have no way of contacting the registrant unless their details are provided on the website. While under the law of many countries, including Austria, the website owner is required to provide information about who owns the website, it is difficult to verify if this is correct, and will be next to impossible when the GDPR comes into effect.”
“When there’s a request for WHOIS information from law enforcement, for example,” Wein continues, “it will require someone at nic.at to manually check that the required authorisations such as a court order are in place and then to provide the information. Currently enquiries are machine-to-machine, but from 25 May it will be human-to-human and only available in business hours. It will mean a change of procedures and in many cases be much slower.”