Tag Archives: European Commission

ICANN Receives Data Protection/Privacy Guidance from Article 29 Working Party

ICANN today announced that it has received a letter from the Article 29 Working Party (WP29) [PDF, 400 KB] that provides guidance on the European Union’s General Data Protection Regulation (GDPR) and its impact on the collection, retention and publication of domain name registration data and the WHOIS system. ICANN organization’s response to the letter from the Article 29 Working Party will be published shortly here.

“We appreciate the guidance provided by the Article 29 Working Party on this important issue and have accepted an invitation to meet with the WP29 Technology Subgroup in Brussels on 23 April for further discussions,” said Göran Marby, ICANN president and CEO. “However, we are disappointed that the letter does not mention our request for a moratorium on enforcement of the law until we implement a model. Without a moratorium on enforcement, WHOIS will become fragmented and we must take steps to mitigate this issue. As such, we are studying all available remedies, including legal action in Europe to clarify our ability to continue to properly coordinate this important global information resource. We will provide more information in the coming days.”

A moratorium on enforcement action by DPAs would potentially allow for the introduction of an agreed-upon accreditation model and for the registries and registrars to implement the accreditation model in conjunction with the measures in the agreed final interim compliance model. It will also allow for reconciliation between the advice ICANN has received from its Governmental Advisory Committee (GAC) and the Article 29 Working Party. Unless there is a moratorium, we may no longer be able to give instructions to the contracted parties through our agreements to maintain WHOIS. Without resolution of these issues, the WHOIS system will become fragmented until the interim compliance model and the accreditation model are implemented.

A fragmented WHOIS would no longer employ a common framework for generic top-level domain (gTLD) registration directory services. Registries and registrars would likely implement varying levels of access to data depending on their interpretations of the law.

“In parallel, we will carefully consider this advice, along with all of the input we have received from the multistakeholder community, before making changes to the current iteration of the proposed interim model,” Marby continued. “As a part of this, we will explore all options as we continue dialogues with DPAs and the interested parties that comprise the multistakeholder community.”

It’s important to balance the right to privacy with the need for information. While ICANN recognizes the importance of the GDPR and its goal of protecting personal data, parts of the ICANN community have noted the negative impact of a fragmented WHOIS. For example, it will hinder the ability of law enforcement to get important information and the anti-spam community to help ensure the Internet protects end-users. It will also:

  • Protect the identity of criminals who may register hundreds of domain names specifically for use in cyberattacks;
  • Hamper the ability of consumer protection agencies who track the traffic patterns of illicit businesses;
  • Stymie trademark holders from protecting intellectual property; and
  • Make it significantly harder to identify fake news and impact the ability to take action against bad actors.

These are just a few examples from a long list of potentially adverse scenarios.

Marby also requested that the DPAs include ICANN in any proceedings relating to WHOIS, and asks that it be included in all discussions and actions of the privacy regulators with the other WHOIS data controllers. He also said that ICANN org is continuing its efforts to prepare for implementation of a new model. Additional information on ICANN’s data protection/privacy activities, including legal analyses, proposed compliance models, and community feedback is published here.

We encourage the community to provide feedback and continue our dialogues on future activities. You may share your views with us via email at gdpr@icann.org.


ICANN’s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

This ICANN announcement was sourced from:

DNS Belgium Announces .BE WHOIS Changes As GDPR Implementation Draws Near

The latest registry to announce how it plans to deal with the European Union’s General Data Protection Regulation is DNS Belgium, which has announced that for individuals all registrant data will be hidden from 25 May, while for businesses nothing will change unless a contact is an individual, in which case the relevant data will also be hidden.

The changes will apply to any searches done for WHOIS data for domain names under Belgium’s country code top level domain (ccTLD) and follow a survey in recent months on the use of the WHOIS tool on the DNS Belgium website.

As part of the survey, DNS Belgium asked how often WHOIS is used to search for the data of private registrants and for what reason. Of those who used the WHOIS search for .be domain names, the main reason was for business searches.

During the month or so when the survey ran, there were 44,845 WHOIS searches. Nearly three quarters of them were searches for the data of companies and organisations. A little more than 25% of the searches concerned data of private persons.

The survey showed that the four most important reasons why people consult WHOIS do not differ for organisations and private persons:

  • Curiosity
  • Check whether the person is really the registrant of the searched domain name
  • Contact the registrant with a request to take over his domain name
  • Check the e-mail address to which the transfer code is sent.

The survey also found a large number of ‘private searches’ are conducted by registrants who want to look up their own data to determine whether they are still the owner of the domain name or to check the e-mail address for the transfer code. In such cases, DNS Belgium will continue to send the WHOIS certificate to the registrant’s email address after 25 May.

When someone looks up someone else’s data to contact the registrant, DNS Belgium will pass on the request to the registrant in question by means of a WHOIS form. The registrant’s data will therefore not be shown and no direct contact will be established with him. That can take place only via DNS Belgium. Then it is up to the registrant if they wish to respond.

Brexit Sees Over 300,000 U.K.-Registered .EU Domain Names At Risk

It all depends. It depends on what transitional arrangements are put in place. It depends on what the ongoing agreements are. And it even depends on whether Brexit happens, although it most likely will. But as of the end of 2017, 317,286 .eu domain name registrations with the U.K. listed as the country of registrant are at risk if Brexit goes ahead, according to a notice from the European Union last week.

According to the notice, on the date that Britain withdraws from the European Union, any domain name registrants, businesses and individuals, that are based in the United Kingdom and do not have any offices in a remaining E.U. country, “will no longer be eligible to register .eu domain names or, if they are .eu registrants, to renew .eu domain names registered before the withdrawal date.” But it’s subject to any transitional arrangement that may be contained in a possible withdrawal agreement, which is an ongoing negotiation between the United Kingdom and European Commission.

There is also the risk that domain names may be revoked by the registry, EURid, with no questions asked. The notice from the E.C. states that “as of the withdrawal date and as a result of the withdrawal of the United Kingdom, a holder of a domain name does no longer fulfil the general eligibility criteria pursuant to Article 4(2)(b) of Regulation (EC) 733/2002, the Registry for .eu will be entitled to revoke such domain name on its own initiative and without submitting the dispute to any extrajudicial settlement of conflicts in accordance with point (b) of Article 20, first subparagraph, of Commission Regulation (EC) No 874/2004.”

Currently the withdrawal date is 30 March 2019, just under 12 months away. The notice states that “subject to any transitional arrangement that may be contained in a possible withdrawal agreement, the EU regulatory framework for the .eu Top Level Domain will no longer apply to the United Kingdom as from the withdrawal date.”

The advice, while disappointing for U.K.-based registrants, will give affected registrants time for finding a new domain name and building a brand around the new domain. However due to the vagaries of what the final agreement will be, assuming it goes ahead, it’s even possible nothing might change. Which won’t be of much help to registrants if they go through changing their domain name, branding and other paraphernalia and then find out they didn’t need to change.

According to a post by Michele Neylon on his InternetNews.me blog, “EURid wouldn’t be supportive of the position being adopted by the Commission based on my recollection of discussions in the Advisory Board – they’d be more supportive of the “grandfathering” concept favoured by most ccTLDs.”

The advice from the E.C. is available from:

Nominet Add To The Registrar Nightmare As They Finally Announce Proposed .UK Whois Changes For GDPR Compliance

On 1 March Nominet finally announced how they’re proposing to deal with the upcoming General Data Protection Regulation. A consultation will run until 4 April, after which Nominet will have to finalise their plans before the regulation comes into place on 25 May. The situation is a nightmare for registrars who have to plan and implement changes for all top level domains impacted by the GDPR.

As EPAG’s Managing Director Ashley La Bolle told Domain Pulse (the blog) following the Domain Pulse conference in Munich in late February:
“The domain industry has been really late to the game on GDPR implementation. It’s already March and we are just beginning to see real progress regarding contractual and technical changes for the GDPR. We expect to receive a lot of last-minute changes from registries in the next couple months. Although we’re not thrilled about having to make last-minute changes to system settings, we still prefer registries to make those changes before May so we can ensure compliance.”

In case you don’t know what the GDPR is, it’s a data protection regulation intended to harmonise data protection laws across the EU and replace existing national data protection rules. The introduction of clear, uniform data protection laws is intended to build legal certainty for businesses and enhance consumer trust in online services. The new regulation applies to businesses within the EU, or any business in the world that collects data on European citizens, such as when someone is registering a domain name. With any data that is collected, it is imperative that those collecting the data have clear and freely given consent from the individual. Huge fines of up to €20 million or 4% of the company’s global annual turnover of the previous financial year apply for any organisation contravening the GDPR.

As with most ccTLD registries, Nominet has allowed domain name registrant information, also known as Whois, to be publicly available for its domain names. However, in the new proposal for .uk all registrant information will be hidden. But Nominet’s concerns don’t just deal with .uk. They also manage .wales and .cymru, and Nominet, like all other generic top level domain registries, has to wait until ICANN finalises how it will resolve the issue.

We have opened a comment period from today until 4 April on our .UK proposals to comply with GDPR legislation.

In summary, Nominet proposals are as follows:

  • From 25 May 2018, the .UK WHOIS will no longer display the registrant’s name or address, unless they have given permission to do so – all other data shown in the current .UK WHOIS will remain the same.
  • For registrants who wish for their data to be published in the WHOIS, we will provide appropriate mechanisms to allow them to give their explicit consent.
  • We will continue to work in the same way as now with UK law enforcement agencies seeking further information on specific domain names via our existing data release policy and via an enhanced version of our Searchable WHOIS service, available free of charge.  Those users will have automatic access to the names and addresses we hold.
  • Any third party seeking disclosure for legitimate interests can continue to request this information via our Data Release policy, free of charge.
  • The standard Searchable WHOIS will continue to be available, but will no longer include name and contact details to ensure GDPR compliance.  Those outside law enforcement requiring further data to enforce their rights will be able to request this through our existing Data Release policy.
  • The proposed new .UK Registry-Registrar Agreement (RRA) includes a new Data Processing Annex.  This sets out terms for how we would work with our registrars when processing registrants’ personal data during the registering, renewing, transferring or managing of .UK domain names to ensure GDPR compliance.
  • The Privacy Services Framework will be replaced with recognition of a Proxy Service, within a new .UK RRA to allow registrars to offer proxy services to registrants who do not wish to have their details passed to Nominet.
  • Additionally, we propose changing the rules for the data we collect for domain names that end in second-level .uk domain registrations, such as example.uk. We will no longer require a UK ‘address for service’ bringing this into line with third-level .UK domains such as example.co.uk, example.org.uk and so on.

Further details including links to all redline copies of the relevant documentation are available here. You can find just the redline versions here. 

A webinar for Nominet members to hear more about our proposals will take place on Wednesday, 7 March from 2.00-3.00pm GMT.

These changes cover the .UK namespace. Pending outcome of ICANN discussions, and feedback from this comment period, Nominet will set out our proposed approach for GDPR compliance for .cymru and .wales domains.

GDPR: EPAG’s MD Explains The Nightmare on Registrar Street

At the recent Domain Pulse conference in Munich, on 22 and 23 February, the upcoming General Data Protection Regulation (GDPR) was a focus of discussions both during conference presentations and panel discussions and during breaks. Its implementation is becoming a nightmare for many industries, with registries, both gTLD and ccTLD, and registrars facing their own problems.

That ICANN is a year too late in working out a solution for gTLDs and ccTLDs has made registrars’ lives a nightmare as each one has introduced their own unique solution, Ashley La Bolle, EPAG’s Managing Director, told Domain Pulse following the panel discussion (see the interview below).

With ICANN simply not ready for the GDPR’s start date on 25 May, having not even finalised how they will respond, and registries throughout the European Union seemingly all having a unique method of dealing with the regulation, it’s what Richard Wein, nic.at’s CEO, told Domain Pulse is a missed opportunity for registries to work together on one solution. For ICANN and generic top level domain registries (new and legacy) there are sure to be some heated discussions, and criticisms of ICANN for being so slow to adapt, at the ICANN meeting in Puerto Rico this month.

At the Domain Pulse conference (which is unrelated to the Domain Pulse blog), the panel discussion that focussed on GDPR involved representatives from registrars, registries and eco, the German internet association. Titled “The Challenge of Compliance: NIS Directive, GDPR, ePrivacy Regulation – the EU's Digital Roadmap and the Domain Industry”, it featured Volker Greimann from Key-Systems, Boban Kršić from DENIC, Ashley La Bolle from EPAG Domainservices, Ingo Wolff from tacticx and was moderated by Thomas Rickert, lawyer and representing eco. The panel discussion saw criticisms of ICANN, with some wondering what ICANN will do if the community, and in particular registrars, disagree with what ICANN proposes.

During the discussion La Bolle said many registries haven’t given registrars the information they require, nor their reasons and the legal basis for the data they require. “It’s not a lot of information we need. And we can no longer wait for ICANN or independent registries, we have got to implement changes that comply with GDPR.”

Following the panel discussion, Domain Pulse spoke in more detail with La Bolle, Managing Director of EPAG Domainservices GmbH, who spoke of her frustrations with the way most registries have responded to the GDPR with unrealistic timelines for registrars to implement the required changes.

Domain Pulse: What are your opinions on the GDPR implementation?
Ashley La Bolle: The domain industry has been really late to the game on GDPR implementation. It's already March and we are just beginning to see real progress regarding contractual and technical changes for the GDPR. We expect to receive a lot of last-minute changes from registries in the next couple months. Although we're not thrilled about having to make last-minute changes to system settings, we still prefer registries to make those changes before May so we can ensure compliance. We do, however, see opportunities for registries to change requirements to be compliant without requiring registrars to make technical changes on very short notice. Some registries, for example, are planning to simply delete any non-essential data that registrars send in a domain order during a specified transition period. Only after that transition period will they begin returning an error message when non-essential data is sent with an order.

DP: How has it impacted on EPAG’s resources and staff?
ALB: EPAG is working closely with OpenSRS and Enom to develop a GDPR implementation plan for the entire company. But even when we are able to pool resources on planning, there is quite a bit of work that has to happen in addition to that. The GDPR requires contracts to be revised, additional staff training, and customer education. Our approach has been to change our systems and processes to handle as much of the impact of the GDPR as possible so that our customers can continue to use our services as they always have.

DP: What will be EPAG’s way of dealing with it?
ALB: The Tucows approach includes data minimisation, contract changes, Whois changes, and a consent management flow. Regarding data minimisation, we will only process a limited set of registrant data and in most cases will no longer process data for the administrative, technical, or billing contacts. At the same time, we are adjusting contracts with registrants, resellers, and registries. Another important part of our approach is the introduction of a gated Whois service, meaning personal data will no longer be published in the public Whois. Authorised third parties with a demonstrated legitimate interest to access the data, will still be granted access following an authentication process. These parties may include Law Enforcement, the Security community, Intellectual Property lawyers, Aftermarket providers, and Certificate Authorities, among others. Finally, we are building a consent management flow in order to allow registrants to give consent for any data use that is not required by contract.

DP: What problems have you experienced in implementing the requirements?
ALB: The main obstacle we have encountered is the lack of preparedness in the domain industry that I mentioned before.

DP: One issue Richard Wein, nic.at’s CEO, has raised is it was a great opportunity for ccTLD registries to collaborate on one solution – I assume this would have made your life a lot easier and required less input of staff and other resources?
ALB: We would prefer a common solution across ccTLD registries. When each registry comes up with an individual approach, it is a nightmare for registrars to implement each individual approach and explain it to their customers. This is an industry that thrives on standards and common practice and the GDPR does not change this.

DP: Are you on track to comply with the requirements for ccTLDs and gTLDs, and given there is no real solution for gTLDs yet, how are you dealing with this?
ALB: The result of the domain industry being so late to react to the GDPR is that we have had to design our own approach – one that we feel is both legally compliant and customer friendly. At the same time, we have supported efforts by ECO to propose a common model as described in their Domain Industry Playbook.

DP: Do you have any thoughts on how ICANN has dealt with GDPR?
ALB: We wish that ICANN had started work on this a year ago. Of course, we will try to accommodate changes, but in absence of new consensus policies, we have to develop solutions that we believe will ensure our own compliance with the law.

This article was originally published at:

European Commission Opens Consultation on Review of .EU Rules

The European Commission is opening a consultation on the .eu rules to see if the existing regulations on .eu are still fit for purpose, or if they need to be changed or updated.

The .eu top-level domain represents the “online digital brand” of the European Union. It was originally created in 2002 and 2004; registration started on 7 April 2006. At the end of March 2017, the .eu top-level domain was the 7th largest country code top level domain in the world with over 3.7 million registrations. The .eu ccTLD provides a unique European domain for organisations and individuals resident in EU Member States as well as Iceland, Liechtenstein and Norway.

Since the entry into force of the .eu regulations, many things have changed in the market of domain names, which is now much more dynamic and competitive, but also within the European Union itself. Therefore the existing rules on .eu need to be evaluated to assess whether they are still fit-for-purpose.

The public consultation is open from 12 May until 8 August 2017. Business representatives, those working in the public sector, academia and all those with an interest are invited to provide input and help determine the future of .eu domain name.

There is a questionnaire for the public consultation and more information at:

Only responses received through the online questionnaire will be considered for analysis.

Following Brexit, Future Of Hundreds Of Thousands Of British-Registered Domains In Doubt

The future of hundreds of thousands of domain names is in doubt following the UK’s “Brexit” referendum where Britons decided to leave the European Union. The TLD to be most impacted is .eu which has 294,000 registrations to individuals and companies in the UK out of a total of 3.82 million registrations, according to the latest EURid quarterly report. Along with .eu, .it and .fr among others require registrants to be based in the European Union or from the European Economic Area.

The future of these domain names has been addressed in a discussion paper published by the German internet association, eco, called “Brexit – Challenges for the Domain Industry?”.

So assuming the Brexit happens in a few years, what happens to the affected domain names? And also to the registrars in other European countries who have customers based in the UK?

The eco discussion paper notes there has already been a change in behaviour with registrars observing a drop-off in registration numbers.

“With our paper and the opening of a discussion forum, we would like to contribute to making the impact of Brexit clear and understandable for companies and customers, as well as – on the basis of expert knowledge – contributing towards the rapid creation of legal certainty for all those involved,” said lawyer Thomas Rickert, Leader of the eco Names & Numbers Forum.

Looking to the future the paper presents five options for how the problem is likely to be addressed. They also take into consideration that a bilateral agreement between the EU and the UK could potentially be made that includes domain registrations and prevents an interim depletion in registrations. The options are a suspension of registrations ordered by the European Commission, a grandfathering for existing registrations, all registrations could be revoked, the use of proxy registration services and finally, that the UK stays in the European Economic Area.

Stay tuned!

To download the eco paper, Brexit – Challenges for the Domain Industry?, in full, go to:

ICANN: IDN ccTLD Request from European Commission Successfully Passes String Evaluation

ICANN is pleased to announce the successful evaluation of the proposed IDN ccTLD string in Cyrillic script for the European Commission.

Details of the successful evaluation are provided here: www.icann.org/en/resources/idn/fast-track/string-evaluation-completion

The Internationalized Domain Name (IDN) ccTLD Fast Track Process was approved by the ICANN Board at its annual meeting in Seoul, South Korea on 30 October 2009. First requests were received starting 16 November 2009. The process enables countries and territories to submit requests to ICANN for IDN ccTLDs, representing their respective country or territory names in scripts other than Latin. IDN ccTLD requesters must fulfill a number of requirements:

  • The script used to represent the IDN ccTLDs must be non-Latin;
  • The languages used to express the IDN ccTLDs must be official in the corresponding country or territory; and
  • A specific set of technical requirements must be met.

The request and evaluation processes entail three steps:

  • Preparation (by the requester in the country / territory): Community consensus is built for which IDN ccTLD to apply for, how it is run, and which organization will be running it, along with preparing and gathering all the required supporting documentation. Requests are submitted through an online system together with additional material supporting the process at forms.icann.org/idn/apply.php
  • String Evaluation: Requests are evaluated in accordance with the technical and linguistic requirements for the IDN ccTLD string(s) criteria described above.
  • String Delegation: Requests successfully meeting string evaluation criteria are eligible to apply for delegation following the same ICANN IANA process as is used for ASCII based ccTLDs. Requesters submit string delegation requests to IANA root zone management: root-mgmt@iana.org.

With this announcement, requests from a total of 38 countries/territories have successfully passed through the String Evaluation stage. Of these, 31 countries/territories (represented by 41 IDN ccTLDs) are delegated in the DNS root zone, with the remainder either readying to apply, or actively applying for delegation of the string. Up-to-date information about the IDN Fast Track Program will continue to be provided on the Fast Track Process web page at https://www.icann.org/resources/pages/fast-track-2012-02-25-en.

ICANN will continue to accept new string evaluation requests for non-Latin country-code top-level domains for countries and territories that meet the Fast Track Process requirements. Please email idncctldrequest@icann.org for any inquiries for participation.

This ICANN announcement was sourced from:

ICANN Grants Two More European Registrars Data Retention Waivers

ICANN has granted another two European registrars data retention waivers following concerns over how the Registrar Accreditation Agreement conflicts with European data retention laws.

One waiver was granted to Blacknight Internet Solutions who submitted to ICANN a Registrar Data Retention Waiver Request on the basis of Registrar’s contention that compliance with the data collection and/or retention requirements of the Data Retention Specification in the 2013 RAA violates applicable law in Ireland.

The second waiver was granted to Nameweb BVBA on the basis of the Registrar’s contention that compliance with the data collection and/or retention requirements of the Data Retention Specification in the 2013 RAA violates applicable law in Belgium.

The waivers shall remain in effect for the duration of the term of the 2013 RAA signed by the registrars.

The issue has come about as some registrars, particularly in Europe, have expressed concerns that local data protection and other privacy laws make it difficult for them to comply with these new requirements. ICANN has noted these concerns and that laws vary from country to country and that some of the new data retention requirements in the 2013 RAA may conflict with certain European data protection and privacy regulations. In a posting on the ICANN blog, ICANN’s Cyrus Namazi said, “to be clear, governing laws take precedence over the terms of the RAA.”

The issue from a European perspective was made clear in a letter from the European Commission’s Article 29 Working Party in June 2013 who said “the Working Party wishes to provide a single statement for all relevant registrars targeting individual domain name holders in Europe.” Obviously this hasn’t happened and ICANN is issuing waivers on a registrar-by-registrar basis on the specific laws that are being violated in the country the registrar is located.

The Working Party also reiterated “its strong objection to the introduction of data retention by means of a contract issued by a private corporation in order to facilitate (public) law enforcement. If there is a pressing social need for specific collections of personal data to be available for law enforcement, and the proposed data retention is proportionate to the legitimate aim pursued, it is up to national governments to introduce legislation that meets the demands of article 8 of the European Convention on Human Rights and article 17 of the International Covenant on Civil and Political rights.”

“The fact that these personal data can be useful for law enforcement does not legitimise the retention of these personal data after termination of the contract. Because there is no legal ground for the data processing, the proposed data retention requirement violates data protection law in Europe.”

Iceland, Liechtenstein and Norway Set For .EU 8 January

Residents, companies and organisations based in Iceland, Liechtenstein and Norway will be eligible to register .eu domain names from 8 January 2014 at 10:00 CET.

“We welcome this positive development which has been in the air for some time,” commented the .eu registry’s General Manager Marc Van Wesemael. “The more countries and businesses that benefit from .eu’s unique identity, the stronger its brand becomes.”

“Iceland, Liechtenstein and Norway have had close economic ties with the European Union since the Community’s early years. Granting them access to the .eu top-level domain is a natural step forward in that relationship.”

“Our annual research shows that .eu is seen as a reliable and valuable online label. We are confident that the companies and residents of these countries will soon appreciate the advantages of the .eu TLD, including the strong security procedures for its management and databases.”

The decision by the European Commission to extend the “.eu zone” follows up on the provision contained in the original .eu regulation (EC 733/2002), which foresaw the extension of .eu to the European Economic Area.