As part of the European Digital Strategy, the European Commission announced in June a Digital Services Act package to strengthen the Single Market for digital services and foster innovation and competitiveness of the European online environment. The revised package will “impact network operators, cloud and hosting providers, top-level domain registries and registrars”, among others.
Following the agreement between EURid and both institutions appointed to rule on Alternative Dispute Resolution (ADR) proceedings for the .eu top-level domain (the WIPO Arbitration and Mediation Center and the Czech Arbitration Court), the .eu registry announced last week the fee for a basic .eu ADR procedure will remain discounted until 30 June 2020.
This means that the ADR fee per dispute complaint is as low as â¬100.
If you wish to dispute a .eu, .ÐµÑ or .εÏ
domain name registration, and believe that you have a prior right (within the EU or EEA) to that domain name (e.g. you hold a trademark, trade name, company name, family name, and so on) and that the current holder has registered or is using the domain name for speculative or abusive purposes, you may challenge its registration by initiating an Alternative Dispute Resolution (ADR) procedure.
A new set of rules for .eu came into being on 18 April which will be applicable from 13 October 2022, except for the article 20 that introduces eligibility to EU citizens residing in third countries, which should start applying as of six months after entering into force, that is, in October 2019. In the coming weeks EURid will inform all its stakeholders about the exact date when the new eligibility criteria apply.
The new rules have come about following a political agreement between the European Parliament and the Council on 5 December 2018 and are designed to support better quality and more innovative services on .eu.
From 13 October 2022 there will be a legal flexibility for the .eu domain to adapt to rapid market changes and allow modernisation of its governance structure. A new body, bringing together stakeholders from different backgrounds, will advise the Commission on the management of the top-level domain.
Article 20, which comes into being on 19 October 2019, will extend the right to register a .eu domain name to citizens of the European Union and the European Economic Area (EU/EEA) residing outside the EU. This was previously limited to citizens living in countries within the EU and EEA. It will also offer some comfort to some citizens of the EU/EEA who have registered .eu domain names and reside in the UK if Brexit, assuming it happens, is drawn out long enough.
The new Regulation aims to adapt the current rules to the fast-changing domain name industry in order to strengthen the link with the growing Digital Single Market which focusses on European values like multilingualism, privacy protection, and security.
In addition, EURid announced at the end of March the Service Concession Contract between themselves and the European Commission has been extended until 12 October 2022 to be in line with the new .eu Regulation enforcement.
The new Regulation on the implementation and functioning of the .eu TLD name is available here.
ICANN was informed Thursday that the Regional Court in Bonn, Germany, has decided to revisit its ruling in the injunction proceedings that ICANN initiated against EPAG, a Germany-based, ICANN-accredited registrar that is part of the Tucows Group.
On 13 June 2018, ICANN appealed the Regional Court’s initial decision to reject ICANN‘s application for an injunction, in which ICANN sought a court order requiring EPAG to reinstate collection of administrative and technical contact data for new domain name registrations.
Upon receipt of an appeal, the Regional Court has the option to re-evaluate its decision that is being appealed, or affirm its decision and immediately forward the matter to the Higher Regional Court for consideration of the appeal.
In this instance, the Regional Court has decided to revisit its initial decision and has asked EPAG to comment on ICANN‘s appellate papers within two weeks.
ICANN is pursuing this matter as part of its public interest role in coordinating a decentralized global WHOIS for the generic top-level domain system. To that end, ICANN continues to seek clarity of how to maintain a global WHOIS system and still remain consistent with legal requirements under the European Union’s General Data Protection Regulation (GDPR).
On 25 May 2018, ICANN filed the injunction proceedings against EPAG. ICANN asked the Court for assistance in interpreting the GDPR in an effort to protect the data collected in WHOIS. ICANN sought a court ruling to ensure the continued collection of all WHOIS data. The intent was to assure that all such data remains available to parties that demonstrate a legitimate purpose to access it, and to seek clarification that under the GDPR, ICANN may continue to require such collection.
ICANN filed the proceedings because EPAG had informed ICANN that as of 25 May 2018, it would no longer collect administrative and technical contact information when it sells new domain name registrations. EPAG believes collection of that particular data would violate the GDPR. ICANN‘s contract with EPAG requires that information to be collected.
EPAG is one of over 2,500 registrars and registries that help ICANN maintain the global information resource of the WHOIS system. ICANN is not seeking to have its contracted parties violate the law. Put simply, EPAG’s position spotlights a disagreement with ICANN and others as to how the GDPR should be interpreted.
On 30 May 2018, the Regional Court determined that it would not issue an injunction against EPAG. In rejecting the injunctive relief, the Court ruled that it would not require EPAG to collect the administrative and technical data for new registrations. However, the Court did not indicate in its ruling that collecting such data would be a violation of the GDPR. Rather, the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse in connection with the domain name (such as criminal activity, infringement, or security problems).
The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.
On 13 June 2018, ICANN appealed the Regional Court’s ruling to the Higher Regional Court of Cologne, Germany, and again asked for an injunction that would require EPAG to reinstate the collection of all WHOIS data required under EPAG’s Registrar Accreditation Agreement with ICANN.
ICANN appreciates and understands the dilemma of EPAG in trying to interpret the GDPR rules against the WHOIS requirements, but if EPAG’s actions stand, those with legitimate purposes, including security-related purposes, law enforcement, intellectual property rights holders, and other legitimate users of that information may no longer be able to access full WHOIS records.
In addition to the court proceedings, ICANN is continuing to pursue ongoing discussions with the European Commission and the European Data Protection Board to gain further clarification of the GDPR as it relates to the integrity of WHOIS services.
ICANN‘s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address â a name or a number â into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.
This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-3-2018-06-21-en
ICANN today (13 June) appealed a decision by the Regional Court in Bonn, Germany not to issue an injunction in proceedings that ICANN initiated against EPAG, a Germany-based, ICANN-accredited registrar that is part of the Tucows Group. The appeal was filed to the Higher Regional Court of Cologne, Germany.
ICANN is asking the Higher Regional Court to issue an injunction that would require EPAG to reinstate the collection of all WHOIS data required under EPAGâs Registrar Accreditation Agreement with ICANN.
The Regional Court in Bonn rejected ICANNâs initial application for an injunction, in which ICANN sought to require EPAG to collect administrative contact and technical contact data for new domain name registrations.
If the Higher Regional Court does not agree with ICANN or is not clear about the scope of the European Unionâs General Data Protection Regulation (GDPR), ICANN is also asking the Higher Regional Court to refer the issues in ICANNâs appeal to the European Court of Justice.
ICANN is appealing the 30 May 2018 decision by the Regional Court in Bonn as part of ICANNâs public interest role in coordinating a decentralized global WHOIS for the generic top-level domain system.
âWe are continuing to seek clarity of how to maintain a global WHOIS system and still remain consistent with legal requirements under the GDPR,â said John Jeffrey, ICANNâs General Counsel and Secretary. âWe hope that the Court will issue the injunction or the matter will be considered by the European Court of Justice.â
On 25 May 2018, ICANN filed the injunction proceedings against EPAG. ICANN asked the Court for assistance in interpreting the GDPR in an effort to protect the data collected in WHOIS. ICANN sought a court ruling to ensure the continued collection of all WHOIS data. The intent was to assure that all such data remains available to parties who demonstrate a legitimate purpose to access it, and to seek clarification that under the GDPR, ICANN may continue to require such collection.
ICANN filed the proceedings because EPAG had informed ICANN that as of 25 May 2018 when it sells new domain name registrations, it would no longer collect administrative and technical contact information. EPAG believes collection of that particular data would violate the GDPR. ICANNâs contract with EPAG requires that information to be collected.
EPAG is one of over 2,500 registrars and registries that help ICANN maintain the global information resource of the WHOIS system. ICANN is not seeking to have its contracted parties violate the law. Put simply, EPAG’s position spotlights a disagreement with ICANN and others as to how the GDPR should be interpreted.
On 30 May 2018, the Court determined that it would not issue an injunction against EPAG. In rejecting the injunctive relief, the Court ruled that it would not require EPAG to collect the administrative and technical data for new registrations. However, the Court did not indicate in its ruling that collecting such data would be a violation of the GDPR. Rather, the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse in connection with the domain name (such as criminal activity, infringement or security problems).
The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.
ICANN appreciates and understands the dilemma of EPAG in trying to interpret the GDPR rules against the WHOIS requirements, but if EPAG’s actions stand, those with legitimate purposes, including security-related purposes, law enforcement, intellectual property rights holders, and other legitimate users of that information may no longer be able to access full WHOIS records.
In addition to the court proceedings, ICANN is continuing to pursue ongoing discussions with the European Commission and the European Data Protection Board to gain further clarification of the GDPR as it relates to the integrity of WHOIS services.
ICANNâs mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address â a name or a number â into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.
This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2018-06-13-en
In a meeting with its UK domain registrar community on June 4th, EURID (the operator of .EU domains) outlined the European Commission’s directive on how Britain’s withdrawal from the EU will affect UK Registrants of .EU domain names. It has ordered EURID to delete all domain names registered to UK owners as soon as March 30th, 2019 if a withdrawal agreement has not been reached with Britain by that date.
With roughly 380,000 .EU domain names registered by UK entities and EURID stating that the domains could be revoked without notice, both UK and European consumers could be faced with mass disruption to their online services. Several high profile British businesses, including Financial Institutions, service providers and online retailers, use a .EU address for either their main website, email or as a linking address used to facilitate their online services. Those businesses will need time to plan their transition away from the .EU domain in order to ensure continuity for their customers.
The decision was met with general confusion amongst the UK registrars in attendance. In previous similar cases such as the dissolution of the .SU domain after the collapse of the Soviet Union, domain owners were given until the natural expiry of their websites to make alternative arrangements.
Whether the EU commission intends to follow through with its directive or whether it is now using the .EU domain as a bargaining chip in Brexit negotiations remains to be seen, but there is plenty of cause for concern amongst UK based .EU website owners.
Internet.bs recommends that our UK customers register their .EU domains via their European (non-UK) address or choose a comparable domain such as .eu.com. We will also work with our sister company â Instra.com â to explore options for providing a proxy service or the ability to register local businesses within the new EU.
This article was originally published at:
https://internetbs.net/blog/2018/06/05/uk-owners-of-eu-domain-will-lose-their-websites/
It was adopted on 14 April 2016 and after a 2-year transition period it becomes enforceable on 25 May 2018. Yet despite this timeframe, ICANN only approved a Temporary Specification for gTLD Registration Data to comply with the European Union’s General Data Protection Regulation on 17 May, with a draft published on 11 May. But it only gives registries and registrars 7 days to finalise and implement changes to their systems, or 14 days if they started when the draft was published. That is if they waited for ICANN’s snail-like process to take place.
The GDPR has been developed by the European Commission to give individuals more control over their data that businesses hold, including domain name Registries and Registrars. It also applies to businesses outside of the EU that hold data on citizens and residents of the EU. It’s impact is far-reaching and penalties for breaches are severe – fines of up to €20 million or up to 4% of the annual worldwide turnover, whichever is greater.
ICANN’s approval of a Temporary Specification [pdf] is the result of 12 months of consultation with the community and “is an important step towards bringing ICANN and its contracted parties into compliance with GDPR,” said ICANN’s Chair Cherine Chalaby. “While there are elements remaining to be finalised, the adoption of this Temporary Specification sets us on the right path to maintaining WHOIS in the public interest, while complying with GDPR before its 25 May enforcement deadline.”
One can’t help but feel it’s an extraordinary failure by ICANN and the community given the time they’ve had to develop a solution. The Temporary Specification will be revisited by the ICANN Board in 90 days, if required, to reaffirm its adoption. And whether the Temporary Specification meets European Commission’s requirements remains to be seen. In early April the EC’s Article 29 Data Protection Working Party wrote to ICANN [pdf] noting they weren’t satisfied with what ICANN had then proposed.
So what will happen on 25 May? Registry Operators and Registrars will still be required to collect all WHOIS information for generic top level domains (gTLDs). However, WHOIS queries will only receive “Thin” data in return, which includes only technical data sufficient to identify the sponsoring Registrar, status of the registration, and creation and expiration dates for each registration, but not personal data. For third parties with legitimate interests in gaining access to the non-public data held by the Registry Operator or Registrar, there are still ways to access that data. Queries can be made through the sponsoring Registrar and they are obligated to respond in a reasonable time. If a response is not received, ICANN will have a complaint mechanism available. If it is thought individual parties are not complying with their obligations under these temporary specifications or their agreements with ICANN, ICANN’s Contractual Compliance Department can be contacted to file a complaint.
The changes are not unlike those being implemented by several European country code top level domain (ccTLD) registries. And while quite a few Registries and Registrars will have been waiting (or rather sweating) on ICANN’s announcement this week, some decided they couldn’t wait and have been developing solutions on what they believed ICANN’s response would have been.
Within Europe, some ccTLDs, such as the Austrian registry nic.at have implemented a “thin” model for individuals registering domain names, but legal entities or businesses will continue to have “thick” WHOIS data published. Others such as DENIC, the German ccTLD registry, will only record the contact details of the domain name registrant, two additional email addresses as contact points for abuse reports and general and technical requests as well as the usual technical domain data, which is similar to the ICANN model.
Registrars are frustrated. One, the German EPAG, which is part of the Tucows group, spoke of their frustrations to Domain Pulse at the Domain Pulse conference (unrelated) in Munich in February.
“We wish that ICANN had started work on this a year ago,” said Ashley La Bolle, Managing Director of EPAG Domainservices GmbH. “Of course, we will try to accommodate changes, but in absence of new consensus policies, we have to develop solutions that we believe will ensure our own compliance with the law.”
“The domain industry has been really late to the game on GDPR implementation,” La Bolle went on to say. She noted how frustrating it was that the entire industry was slow to develop solutions and that solutions were only beginning to be finalised back then. The changes require significant resources to be thrown at implementing changes. In an industry that operates on razor-thin margins, it’s not an ideal situation.
“The GDPR requires contracts to be revised, additional staff training, and customer education. Our approach has been to change our systems and processes to handle as much of the impact of the GDPR as possible so that our customers can continue to use our services as they always have.”
It has also been claimed that the changes will be a boon for cybercriminals. While Krebs on Security admit that while “cybercriminals don’t use their real information in WHOIS registrations … ANY information they provide — and especially information that they re-use across multiple domains and cybercrime campaigns — is invaluable to both grouping cybercriminal operations and in ultimately identifying who’s responsible for these activities.” And while some cybercriminals do take advantage of privacy protection services, “based on countless investigations I have conducted using WHOIS to uncover cybercrime businesses and operators, I’d wager that cybercrooks more often do not use these services.”
Krebs also notes that while “it is true that the European privacy regulations as they relate to WHOIS records do not apply to businesses registering domain names … the domain registrar industry — … operates on razor-thin profit margins and which has long sought to be free from any WHOIS requirements or accountability whatsoever. Krebs believes they “won’t exactly be tripping over themselves to add more complexity to their WHOIS efforts just to make a distinction between businesses and individuals.”
“As a result, registrars simply won’t make that distinction because there is no mandate that they must. They’ll just adopt the same WHOIS data collection and display polices across the board, regardless of whether the WHOIS details for a given domain suggest that the registrant is a business or an individual.”
The GDPR is coming and a number of ccTLD registries are giving registrars heart palpitations. Itâs a month till the European Unionâs General Data Protection Regulation comes into play and the Icelandic, Norwegian, Slovakian and United Kingdom ccTLD operators are only just announcing how theyâll deal with it.
For Icelandâs .is they will stop publishing names, addresses and telephone numbers of personal contacts by default from the ISNIC WHOIS database. For individuals who wish to continue to publish their information, they must log in, go to “My Settings” and select “Name and Address Published”.
ISNIC will however, at least for the time being, continue to publish email addresses, country and techincal information of all NIC-handles associated with .is domains. Those customers (individuals) who have recorded a personally identifiable email address, and do not want it published, will need to change their .is WHOIS email address to something impersonal. However the Icelandic country code top level domain isnât happy with the new regulation. They note the GDPR âwill neither lead to better privacy nor a safer network environment.â
For the sake of the internet community, e.g. Individual users, Service Providers, Hosting Companies, and many other stake holders, ISNIC will continue to publish email addresses and the country name of all contact types until further notice.
For NORID, the registry for Norwayâs .no, they have made a few changes to their policies that come into effect on 5 May. NORID state they will âonly collect data that we need, and that the domain holder shall be informed about which data is being processed by Norid. Starting on 5 May, we will collect less data about the holder than what we currently do.â Following consultation with the with the Norwegian Data Protection Authority, NORID will launch a new version of WHOIS on 22 May.
And Nominet, the .uk registry, has announced their changes. Following a consultation period that outlined their proposed changes that were published for comment between 1 March and 4 April, Nominet have announced that:
âWe have taken a conservative approach to publishing data, to ensure that we do not fall foul of the new legislation,â said Nominet COO Ellie Bradley. âWhile, as a result, we will be publishing less data on the WHOIS â we have comprehensive procedures already in place that ensure that we will continue to respond swiftly to requests for information to pursue legitimate interests.â
The proposals also outlined an approach to replacing the existing privacy services framework with recognition of a Proxy Service offered by registrars. In response to the feedback, Nominet has decoupled this proposal from the bulk of the GDPR-related changes and will consult further on this topic in June 2018.
CoCCA will be updating its backend registry software to enable its registry partners to be GDPR-compliant in time for the European Unionâs General Data Protection Regulation (GDPR) that comes into effect on 25 May.
The principle of data minimisation, where only personal data that is adequate, relevant and necessary is collected, retained and disclosed has been adopted by the ccTLD managers using CoCCA shared infrastructure of the following ccTLDs: .af, .cx, .gs, .gy, .ht, .hn, .ki, .kn, .sb, .tl, .kn, .ms, .nf.
For the above ccTLDs, as of 15 May the only data collected from domain name registrants will be:
only registrant contact details are required, administrative, technical and billing contacts are optional.
existing administrative, technical and billing contacts may be deleted by registrars.
registrars will be able to associate two email addresses directly with a domain (for abuse reports and technical queries), these emails will be publicly disclosed.
Regarding data disclosure:
Access to redacted data will be available for:
An updated version of the CoCCA software containing multiple GDPR configuration options will be released on 20 April with CoCCA able to assist registry operators to upgrade and configure their registry software to align with their GDPR compliance efforts.
CoCCA advise that it should not be assumed that all registry operators using CoCCA Tools will patch and configure the software for GDPR compliance. There are many registry operators who use dated and unsupported versions of CoCCA Tools.
ICANN today announced that it has received a letter from the Article 29 Working Party (WP29) [PDF, 400 KB] that provides guidance on the European Union’s General Data Protection Regulation (GDPR) and its impact on the collection, retention and publication of domain name registration data and the WHOIS system. ICANN organizationâs response to the letter from the Article 29 Working Party will be published shortly here.
âWe appreciate the guidance provided by the Article 29 Working Party on this important issue and have accepted an invitation to meet with the WP29 Technology Subgroup in Brussels on 23 April for further discussions,â said Göran Marby, ICANN president and CEO. âHowever, we are disappointed that the letter does not mention our request for a moratorium on enforcement of the law until we implement a model. Without a moratorium on enforcement, WHOIS will become fragmented and we must take steps to mitigate this issue. As such, we are studying all available remedies, including legal action in Europe to clarify our ability to continue to properly coordinate this important global information resource. We will provide more information in the coming days.â
A moratorium on enforcement action by DPAs would potentially allow for the introduction of an agreed-upon accreditation model and for the registries and registrars to implement the accreditation model in conjunction with the measures in the agreed final interim compliance model. It will also allow for reconciliation between the advice ICANN has received from its Governmental Advisory Committee (GAC) and the Article 29 Working Party. Unless there is a moratorium, we may no longer be able to give instructions to the contracted parties through our agreements to maintain WHOIS. Without resolution of these issues, the WHOIS system will become fragmented until the interim compliance model and the accreditation model are implemented.
A fragmented WHOIS would no longer employ a common framework for generic top-level domain (gTLD) registration directory services. Registries and registrars would likely implement varying levels of access to data depending on their interpretations of the law.
âIn parallel, we will carefully consider this advice, along with all of the input we have received from the multistakeholder community, before making changes to the current iteration of the proposed interim model,â Marby continued. âAs a part of this, we will explore all options as we continue dialogues with DPAs and the interested parties that comprise the multistakeholder community.â
Itâs important to balance the right to privacy with the need for information. While ICANN recognizes the importance of the GDPR and its goal of protecting personal data, parts of the ICANN community have noted the negative impact of a fragmented WHOIS. For example, it will hinder the ability of law enforcement to get important information and the anti-spam community to help ensure the Internet protects end-users. It will also:
These are just a few examples from a long list of potentially adverse scenarios.
Marby also requested that the DPAs include ICANN in any proceedings relating to WHOIS, and asks that it be included in all discussions and actions of the privacy regulators with the other WHOIS data controllers. He also said that ICANN org is continuing its efforts to prepare for implementation of a new model. Additional information on ICANNâs data protection/privacy activities, including legal analyses, proposed compliance models, and community feedback is published here.
We encourage the community to provide feedback and continue our dialogues on future activities. You may share your views with us via email at gdpr@icann.org.
ICANNâs mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address â a name or a number â into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.
This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2018-04-12-en