Tag Archives: General Data Protection Regulation

ICANN Appeals German Court Decision on GDPR / WHOIS

ICANN today (13 June) appealed a decision by the Regional Court in Bonn, Germany not to issue an injunction in proceedings that ICANN initiated against EPAG, a Germany-based, ICANN-accredited registrar that is part of the Tucows Group. The appeal was filed to the Higher Regional Court of Cologne, Germany.

ICANN is asking the Higher Regional Court to issue an injunction that would require EPAG to reinstate the collection of all WHOIS data required under EPAG’s Registrar Accreditation Agreement with ICANN.

The Regional Court in Bonn rejected ICANN’s initial application for an injunction, in which ICANN sought to require EPAG to collect administrative contact and technical contact data for new domain name registrations.

If the Higher Regional Court does not agree with ICANN or is not clear about the scope of the European Union’s General Data Protection Regulation (GDPR), ICANN is also asking the Higher Regional Court to refer the issues in ICANN’s appeal to the European Court of Justice.

ICANN is appealing the 30 May 2018 decision by the Regional Court in Bonn as part of ICANN’s public interest role in coordinating a decentralized global WHOIS for the generic top-level domain system.

“We are continuing to seek clarity of how to maintain a global WHOIS system and still remain consistent with legal requirements under the GDPR,” said John Jeffrey, ICANN’s General Counsel and Secretary. “We hope that the Court will issue the injunction or the matter will be considered by the European Court of Justice.”

Background:

On 25 May 2018, ICANN filed the injunction proceedings against EPAG. ICANN asked the Court for assistance in interpreting the GDPR in an effort to protect the data collected in WHOIS. ICANN sought a court ruling to ensure the continued collection of all WHOIS data. The intent was to assure that all such data remains available to parties who demonstrate a legitimate purpose to access it, and to seek clarification that under the GDPR, ICANN may continue to require such collection.

ICANN filed the proceedings because EPAG had informed ICANN that as of 25 May 2018 when it sells new domain name registrations, it would no longer collect administrative and technical contact information. EPAG believes collection of that particular data would violate the GDPR. ICANN’s contract with EPAG requires that information to be collected.

EPAG is one of over 2,500 registrars and registries that help ICANN maintain the global information resource of the WHOIS system. ICANN is not seeking to have its contracted parties violate the law. Put simply, EPAG’s position spotlights a disagreement with ICANN and others as to how the GDPR should be interpreted.

On 30 May 2018, the Court determined that it would not issue an injunction against EPAG. In rejecting the injunctive relief, the Court ruled that it would not require EPAG to collect the administrative and technical data for new registrations. However, the Court did not indicate in its ruling that collecting such data would be a violation of the GDPR. Rather, the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse in connection with the domain name (such as criminal activity, infringement or security problems).

The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.

ICANN appreciates and understands the dilemma of EPAG in trying to interpret the GDPR rules against the WHOIS requirements, but if EPAG’s actions stand, those with legitimate purposes, including security-related purposes, law enforcement, intellectual property rights holders, and other legitimate users of that information may no longer be able to access full WHOIS records.

In addition to the court proceedings, ICANN is continuing to pursue ongoing discussions with the European Commission and the European Data Protection Board to gain further clarification of the GDPR as it relates to the integrity of WHOIS services.

About ICANN

ICANN’s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2018-06-13-en

DENIC Restricts Publicly Available Registrant Data Following GDPR Introduction

DENIC have introduced significant changes to the data publicly available through WHOIS requests for .de domain names. Registrant data will be drastically restricted and only available to law enforcement bodies as a result of the European Union’s General Data Protection Regulation (GDPR) that came into effect on 25 May.

The changes in data publicly available for the German country code top level domain (ccTLD) will see that next to the contact details of the domain name registrant, such as name, email and postal address, DENIC will only record two additional email addresses for contact purposes as well as the technical data of the domain name.

The two email addresses recorded in addition to the registrant data will be non-personalised. They will be under the registrar’s responsibility and will serve as points of contact for general and technical requests as well as for enquiries or notifications about a possible unlawful or improper use of the domain. Also, DENIC will continue to record such technical data, including name server or DNS key information, that is needed to establish the functionality of the domain.

In addition to the domain status data (“registered”/“unregistered”), as of 25 May, only the domain name’s technical data and the two email addresses for the specified contact purposes (General Request and Abuse) will be available via the Domain Query. Those data relating to the technical contact and zone administrator (Tech-C, Zone-C) as well as to the administrative contact (Admin-C) previously output here will no longer be recorded and consequently not displayed anymore.

DENIC will still provide registrant data where legally required to public authorities acting within the framework of their public powers (including law enforcement, hazard prevention or seizing orders). DENIC will also disclose registrant data, on the basis of case-by-case assessments and upon submission of evidence of a legitimate interest, to such parties who own a right to a name or trademark that may be violated by the domain, or to such claimants who have obtained an enforceable title against the domain registrant and seek judicial seizure of the registrant’s claims defined in the domain contract, under civil law. In all other cases, DENIC will provide no information on the registrant.

For evaluating the legitimate interest of enquiries and for the subsequent provision of the relevant data, DENIC will use both automated and non-automated processes.

DENIC’s amended policies as laid down in the DENIC Domain Terms and Conditions and DENIC Domain Guidelines are published on the DENIC website.

ICANN Finally Approves Temporary Specification To Comply With EU’s GDPR, With 7 Days To Spare

It was adopted on 14 April 2016 and after a 2-year transition period it becomes enforceable on 25 May 2018. Yet despite this timeframe, ICANN only approved a Temporary Specification for gTLD Registration Data to comply with the European Union’s General Data Protection Regulation on 17 May, with a draft published on 11 May. But it only gives registries and registrars 7 days to finalise and implement changes to their systems, or 14 days if they started when the draft was published. That is if they waited for ICANN’s snail-like process to take place.

The GDPR has been developed by the European Commission to give individuals more control over their data that businesses hold, including domain name Registries and Registrars. It also applies to businesses outside of the EU that hold data on citizens and residents of the EU. Its impact is far-reaching and penalties for breaches are severe – fines of up to €20 million or up to 4% of the annual worldwide turnover, whichever is greater.

ICANN’s approval of a Temporary Specification [pdf] is the result of 12 months of consultation with the community and “is an important step towards bringing ICANN and its contracted parties into compliance with GDPR,” said ICANN’s Chair Cherine Chalaby. “While there are elements remaining to be finalised, the adoption of this Temporary Specification sets us on the right path to maintaining WHOIS in the public interest, while complying with GDPR before its 25 May enforcement deadline.”

One can’t help but feel it’s an extraordinary failure by ICANN and the community given the time they’ve had to develop a solution. The Temporary Specification will be revisited by the ICANN Board in 90 days, if required, to reaffirm its adoption. And whether the Temporary Specification meets European Commission’s requirements remains to be seen. In early April the EC’s Article 29 Data Protection Working Party wrote to ICANN [pdf] noting they weren’t satisfied with what ICANN had then proposed.

So what will happen on 25 May? Registry Operators and Registrars will still be required to collect all WHOIS information for generic top level domains (gTLDs). However, WHOIS queries will only receive “Thin” data in return, which includes only technical data sufficient to identify the sponsoring Registrar, status of the registration, and creation and expiration dates for each registration, but not personal data. For third parties with legitimate interests in gaining access to the non-public data held by the Registry Operator or Registrar, there are still ways to access that data. Queries can be made through the sponsoring Registrar and they are obligated to respond in a reasonable time. If a response is not received, ICANN will have a complaint mechanism available. If it is thought individual parties are not complying with their obligations under these temporary specifications or their agreements with ICANN, ICANN’s Contractual Compliance Department can be contacted to file a complaint.

The changes are not unlike those being implemented by several European country code top level domain (ccTLD) registries. And while quite a few Registries and Registrars will have been waiting (or rather sweating) on ICANN’s announcement this week, some decided they couldn’t wait and have been developing solutions on what they believed ICANN’s response would have been.

Within Europe, some ccTLDs, such as the Austrian registry nic.at have implemented a “thin” model for individuals registering domain names, but legal entities or businesses will continue to have “thick” WHOIS data published. Others such as DENIC, the German ccTLD registry, will only record the contact details of the domain name registrant, two additional email addresses as contact points for abuse reports and general and technical requests as well as the usual technical domain data, which is similar to the ICANN model.

Registrars are frustrated. One, the German EPAG, which is part of the Tucows group, spoke of their frustrations to Domain Pulse at the Domain Pulse conference (unrelated) in Munich in February.

“We wish that ICANN had started work on this a year ago,” said Ashley La Bolle, Managing Director of EPAG Domainservices GmbH. “Of course, we will try to accommodate changes, but in absence of new consensus policies, we have to develop solutions that we believe will ensure our own compliance with the law.”

“The domain industry has been really late to the game on GDPR implementation,” La Bolle went on to say. She noted how frustrating it was that the entire industry was slow to develop solutions and that solutions were only beginning to be finalised back then. The changes require significant resources to be thrown at implementing changes. In an industry that operates on razor-thin margins, it’s not an ideal situation.

“The GDPR requires contracts to be revised, additional staff training, and customer education. Our approach has been to change our systems and processes to handle as much of the impact of the GDPR as possible so that our customers can continue to use our services as they always have.”

It has also been claimed that the changes will be a boon for cybercriminals. Krebs on Security admits that while “cybercriminals don’t use their real information in WHOIS registrations … ANY information they provide — and especially information that they re-use across multiple domains and cybercrime campaigns — is invaluable to both grouping cybercriminal operations and in ultimately identifying who’s responsible for these activities.” And while some cybercriminals do take advantage of privacy protection services, “based on countless investigations I have conducted using WHOIS to uncover cybercrime businesses and operators, I’d wager that cybercrooks more often do not use these services.”

Krebs also notes that while “it is true that the European privacy regulations as they relate to WHOIS records do not apply to businesses registering domain names … the domain registrar industry — … operates on razor-thin profit margins and which has long sought to be free from any WHOIS requirements or accountability whatsoever.” Krebs believes they “won’t exactly be tripping over themselves to add more complexity to their WHOIS efforts just to make a distinction between businesses and individuals.”

“As a result, registrars simply won’t make that distinction because there is no mandate that they must. They’ll just adopt the same WHOIS data collection and display policies across the board, regardless of whether the WHOIS details for a given domain suggest that the registrant is a business or an individual.”

.IS, .NO and .UK Announce How They’ll Comply With the EU’s GDPR

The GDPR is coming and a number of ccTLD registries are giving registrars heart palpitations. It’s a month till the European Union’s General Data Protection Regulation comes into play and the Icelandic, Norwegian, Slovakian and United Kingdom ccTLD operators are only just announcing how they’ll deal with it.

For Iceland’s .is, ISNIC will by default stop publishing names, addresses and telephone numbers of personal contacts from the ISNIC WHOIS database. Individuals who wish to continue to publish their information must log in, go to “My Settings” and select “Name and Address Published”.

ISNIC will however, at least for the time being, continue to publish email addresses, country and technical information of all NIC-handles associated with .is domains. Those customers (individuals) who have recorded a personally identifiable email address, and do not want it published, will need to change their .is WHOIS email address to something impersonal. However, the Icelandic country code top level domain isn’t happy with the new regulation. They note the GDPR “will neither lead to better privacy nor a safer network environment.”

For the sake of the internet community, e.g. individual users, service providers, hosting companies, and many other stakeholders, ISNIC will continue to publish email addresses and the country name of all contact types until further notice.

NORID, the registry for Norway’s .no, have made a few changes to their policies that come into effect on 5 May. NORID state they will “only collect data that we need, and that the domain holder shall be informed about which data is being processed by Norid. Starting on 5 May, we will collect less data about the holder than what we currently do.” Following consultation with the Norwegian Data Protection Authority, NORID will launch a new version of WHOIS on 22 May.

And Nominet, the .uk registry, has announced their changes. Following a consultation period that outlined their proposed changes that were published for comment between 1 March and 4 April, Nominet have announced that:

  • Registrant data will be redacted from the WHOIS from 22 May 2018, unless explicit consent has been given.
  • Law enforcement agencies will nonetheless be able to access all registry data via an enhanced Searchable WHOIS service available free of charge.
  • Other interested parties requiring unpublished information will be able to request access to this data via our data disclosure policy, operating to a 1 working day turnaround.
  • The registration policy for all .UK domains will be standardised – replacing the separate arrangements currently in operation for second and third-level domains.
  • The .UK Registrar Agreement will be updated, renamed the .UK Registry-Registrar Agreement, and will include a new data processing annex.
  • The existing Privacy Services framework will cease to apply.

“We have taken a conservative approach to publishing data, to ensure that we do not fall foul of the new legislation,” said Nominet COO Ellie Bradley. “While, as a result, we will be publishing less data on the WHOIS – we have comprehensive procedures already in place that ensure that we will continue to respond swiftly to requests for information to pursue legitimate interests.”

The proposals also outlined an approach to replacing the existing privacy services framework with recognition of a Proxy Service offered by registrars. In response to the feedback, Nominet has decoupled this proposal from the bulk of the GDPR-related changes and will consult further on this topic in June 2018.

CoCCA Software Update Allows Registry Partners to be GDPR-Compliant

CoCCA will be updating its backend registry software to enable its registry partners to be GDPR-compliant in time for the European Union’s General Data Protection Regulation (GDPR) that comes into effect on 25 May.

The principle of data minimisation, where only personal data that is adequate, relevant and necessary is collected, retained and disclosed, has been adopted by the ccTLD managers using CoCCA shared infrastructure of the following ccTLDs: .af, .cx, .gs, .gy, .ht, .hn, .ki, .kn, .sb, .tl, .kn, .ms, .nf.

For the above ccTLDs, as of 15 May the only data collected from domain name registrants will be:

  • only registrant contact details are required, administrative, technical and billing contacts are optional.
  • existing administrative, technical and billing contacts may be deleted by registrars.
  • registrars will be able to associate two email addresses directly with a domain (for abuse reports and technical queries), these emails will be publicly disclosed.

Regarding data disclosure:

  • if a data subject is an EU resident or a non-EU resident who uses an EU registrar (or one of their resellers) personal data (name, email, phone and physical address) will be redacted from publicly available interfaces. For the avoidance of confusion, personal data will be redacted based both on the declared address of the contact and the location of the registrar.
  • if a data subject resides outside the EU and uses the services of a registrar outside the EU the personal data disclosure will not be impacted by GDPR.
  • if personal data has been redacted and the data subject would like to disclose it, the data subject will be provided with tools by CoCCA to disclose the redacted data.
  • if personal data has not been redacted and the data subject believes it should be (for example, a citizen of an EU country residing overseas), the data subject will be provided with tools by CoCCA to redact their personal data.

Access to redacted data will be available for:

  • law enforcement and the Secure Domain Foundation will be able to access redacted data via RDAP and port 43 WHOIS.
  • intellectual property owners or other entities who have a legitimate interest in redacted data will be able to order historical abstracts online for a nominal fee (provided they sign an attestation).

An updated version of the CoCCA software containing multiple GDPR configuration options will be released on 20 April with CoCCA able to assist registry operators to upgrade and configure their registry software to align with their GDPR compliance efforts.

CoCCA advise that it should not be assumed that all registry operators using CoCCA Tools will patch and configure the software for GDPR compliance. There are many registry operators who use dated and unsupported versions of CoCCA Tools.

ICANN Receives Data Protection/Privacy Guidance from Article 29 Working Party

ICANN today announced that it has received a letter from the Article 29 Working Party (WP29) [PDF, 400 KB] that provides guidance on the European Union’s General Data Protection Regulation (GDPR) and its impact on the collection, retention and publication of domain name registration data and the WHOIS system. ICANN organization’s response to the letter from the Article 29 Working Party will be published shortly here.

“We appreciate the guidance provided by the Article 29 Working Party on this important issue and have accepted an invitation to meet with the WP29 Technology Subgroup in Brussels on 23 April for further discussions,” said Göran Marby, ICANN president and CEO. “However, we are disappointed that the letter does not mention our request for a moratorium on enforcement of the law until we implement a model. Without a moratorium on enforcement, WHOIS will become fragmented and we must take steps to mitigate this issue. As such, we are studying all available remedies, including legal action in Europe to clarify our ability to continue to properly coordinate this important global information resource. We will provide more information in the coming days.”

A moratorium on enforcement action by DPAs would potentially allow for the introduction of an agreed-upon accreditation model and for the registries and registrars to implement the accreditation model in conjunction with the measures in the agreed final interim compliance model. It will also allow for reconciliation between the advice ICANN has received from its Governmental Advisory Committee (GAC) and the Article 29 Working Party. Unless there is a moratorium, we may no longer be able to give instructions to the contracted parties through our agreements to maintain WHOIS. Without resolution of these issues, the WHOIS system will become fragmented until the interim compliance model and the accreditation model are implemented.

A fragmented WHOIS would no longer employ a common framework for generic top-level domain (gTLD) registration directory services. Registries and registrars would likely implement varying levels of access to data depending on their interpretations of the law.

“In parallel, we will carefully consider this advice, along with all of the input we have received from the multistakeholder community, before making changes to the current iteration of the proposed interim model,” Marby continued. “As a part of this, we will explore all options as we continue dialogues with DPAs and the interested parties that comprise the multistakeholder community.”

It’s important to balance the right to privacy with the need for information. While ICANN recognizes the importance of the GDPR and its goal of protecting personal data, parts of the ICANN community have noted the negative impact of a fragmented WHOIS. For example, it will hinder the ability of law enforcement to get important information and the anti-spam community to help ensure the Internet protects end-users. It will also:

  • Protect the identity of criminals who may register hundreds of domain names specifically for use in cyberattacks;
  • Hamper the ability of consumer protection agencies who track the traffic patterns of illicit businesses;
  • Stymie trademark holders from protecting intellectual property; and
  • Make it significantly harder to identify fake news and impact the ability to take action against bad actors.

These are just a few examples from a long list of potentially adverse scenarios.

Marby also requested that the DPAs include ICANN in any proceedings relating to WHOIS, and asks that it be included in all discussions and actions of the privacy regulators with the other WHOIS data controllers. He also said that ICANN org is continuing its efforts to prepare for implementation of a new model. Additional information on ICANN’s data protection/privacy activities, including legal analyses, proposed compliance models, and community feedback is published here.

We encourage the community to provide feedback and continue our dialogues on future activities. You may share your views with us via email at gdpr@icann.org.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2018-04-12-en

DNS Belgium Announces .BE WHOIS Changes As GDPR Implementation Draws Near

The latest registry to announce how they plan to deal with the European Union’s General Data Protection Regulation is DNS Belgium, who have announced that for individuals, all registrant data will be hidden from 25 May. For businesses, nothing will change unless a contact is an individual, in which case the relevant data will also be hidden.

The changes will reflect any searches done for WHOIS data for domain names under Belgium’s country code top level domain (ccTLD) and follows a survey in recent months on the use of the WHOIS tool on the DNS Belgium website.

As part of the survey, DNS Belgium asked how often WHOIS is used to search for the data of private registrants and for what reason. Of those who used the WHOIS search for .be domain names, the main reason was for business searches.

During the month or so when the survey ran, there were 44,845 WHOIS searches. Nearly three quarters of them were searches for the data of companies and organisations. A little more than 25% of the searches concerned data of private persons.

The survey showed that the four most important reasons why people consult WHOIS do not differ for organisations and private persons:

  • Curiosity
  • Check whether the person is really the registrant of the searched domain name
  • Contact the registrant with a request to take over his domain name
  • Check the e-mail address to which the transfer code is sent.

The survey also found a large number of ‘private searches’ are conducted by registrants who want to look up their own data to determine whether they are still the owner of the domain name or to check the e-mail address for the transfer code. In such cases, DNS Belgium will continue to send the WHOIS certificate to the registrant’s email address after 25 May.

When someone looks up someone else’s data to contact the registrant, DNS Belgium will pass on the request to the registrant in question by means of a WHOIS form. The registrant’s data will therefore not be shown and no direct contact will be established with him. That can take place only via DNS Belgium. Then it is up to the registrant if they wish to respond.

ICANN Requests DPA Guidance on Proposed Interim Model for GDPR Compliance

ICANN has requested European data protection authorities (DPAs) provide specific guidance on the organization’s Proposed Interim Compliance Model [PDF, 922 KB] as it relates to the European Union’s General Data Protection Regulation (GDPR).

In letters to each of the 28 European member states’ DPAs and the European Data Protection Supervisor, ICANN asks the authorities to “help ICANN and the domain name registries and registrars to maintain the global WHOIS in its current form, through either clarification of the GDPR, a moratorium on enforcement or other relevant actions, until a revised WHOIS policy that balances these critical public interest perspectives may be developed and implemented.”

Absent this specific guidance, the integrity of the global WHOIS system and the organization’s ability to enforce WHOIS requirements after the GDPR becomes effective will be threatened.

ICANN is concerned that continued ambiguity on the application of the GDPR to the global WHOIS may result in many domain name registries and registrars choosing not to publish or collect WHOIS out of fear that they will be subject to significant fines following actions brought against them by the European DPAs. ICANN has set out that its 2,500 domain name registries and registrars need clear guidance and a moratorium so that they will not have enforcement actions brought against them while they implement changes to comply with the GDPR.

At the same time, governments world-wide, law enforcement authorities, and those fighting abuse on the Internet are deeply concerned that blocked access to the global WHOIS may significantly harm the public interest, by blocking access to critical information which allow them to enforce other laws and protect consumers, critical infrastructure and intellectual property rights.

More information on ICANN’s data protection/privacy activities is available here.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2018-03-28-en

Latvia’s ccTLD Plans “Data Minimisation” to Comply With GDPR

There’s a bit of a belated rush by European country code top level domain (ccTLD) operators to comply with the looming deadline to implement the E.U.’s new privacy rules, the General Data Protection Regulation (GDPR). The latest is Latvia’s ccTLD, .lv, who, in their announcement, said they plan “to implement data minimisation” to comply. And they are seeking comment on their plans by 12 April.

The data minimisation planned by NIC.LV to comply with the GDPR means that when registrants fill out the .lv domain name registration form, only one postal address will be required (instead of two) and no fax number will be required.

At present, if the domain name registrant is an individual, their first name, surname, personal identity number and postal address are not publicly shown. In the future, to ensure GDPR compliance, the holders’ telephone number and email will also not be published. In order to provide some communication channel with the domain names’ holder, NIC.LV will develop an electronic contact form.

The NIC WHOIS policy [pdf] has been prepared to determine the obligations of the NIC.LV and the WHOIS user, including the allowable use of WHOIS.

To ensure GDPR compliance and adaption to local regulations, NIC.LV proposes to change the terminology definitions and procedures. As this policy is being used for direct registrations, as well as registrations through registrars, NIC.LV proposes to make a separate document called the price list and payment policy of NIC.LV [pdf], which would apply only to direct registrations.

Information for domain name registrants on the processing of their personal data – access, data portability, rectification, deletion, etc. will be included in the updated NIC.LV Privacy policy [pdf].

In accordance with GDPR Article 28, the agreement between the Registry and the Registrar will be supplemented by Annex 3 “Personal data processing” [pdf], which will define the roles and responsibilities of the Personal Data Controller (NIC.LV) and the Processor (Registrar).

NIC plans to develop new documents:

NIC plans to make amendments to the following:

The NIC.LV feedback period is open until 12 April with comments to be sent to legal@nic.lv. All amendments to contracts and policies have also been sent to the Ministry of Transport for evaluation.

nic.at To Hide Individuals’ WHOIS Data, But Optional For Business, to Comply With GDPR

From mid-May individuals who have registered .at domain names will have their registrant details hidden by default, although they can have the data published if they wish, while businesses will continue to have their contact details published in WHOIS as is the case now. The change is a result of the looming introduction of the E.U.'s new privacy law.

The coming of the E.U. General Data Protection Regulation (GDPR) is causing a bit of havoc in the domain name business. It comes into effect on 25 May. Gradually European ccTLD registries are rolling out how they’re going to comply. The GDPR is intended to give individuals in the European Union more control over their data held by businesses, with one data protection law to strengthen and unify data protection for all individuals within the 28 member states of the E.U. It also addresses the export of personal data outside the E.U.

In recent weeks Nominet and DENIC have announced their plans. Nominet have opened a consultation to 4 April on their proposal that will mean they will no longer display any registrant’s name or address, while DENIC will only record the contact details of the domain registrant, 2 additional email addresses as contact points for abuse reports and general and technical requests, as well as the usual technical domain data.

“The GDPR”, nic.at’s CEO Richard Wein told Domain Pulse following the Domain Pulse conference in Munich in February, “is the biggest change in policy and procedures in the domain name community in many years. While EPP was a big change, it happened over time and there were no rigid deadlines, but change was smooth and happened quickly.”

The nic.at WHOIS database, the public register of all registered .at domains, currently contains details on the holders of and contact persons for .at domains, regardless of whether they are companies or private individuals. Under the EU General Data Protection Regulation (GDPR), nic.at will only publish legal business data from mid-May 2018. Individuals can still have their data published if they wish.

For decades, it has been standard practice in domain administration to display domain holders’ data in a public database called WHOIS. The domain holder is informed of this when registering the domain. nic.at’s terms and conditions (T&C) form the legal basis for publication. This practice will change when the GDPR comes into effect.

“The GDPR defines special protection requirements for natural persons, so we will not publish their data any longer, although we still need to receive their details during the domain registration process,” explained head of nic.at’s legal department Barbara Schlossbauer. “The regulation comes into force in mid-May 2018 and this will also lead to amendments in nic.at’s T&C and the registration guidelines for .at domains.”

In the future, the data shown for domains registered by individuals will only include the domain name, the registrar responsible and necessary technical information. If a company or organisation owns the domain, the holder’s name and address will still be published, although contact data like email address, telephone and fax number can be hidden upon request. The registrar submits information on whether a domain is held by a natural or legal person when registering the domain. If a private individual requests that their data be displayed, the registrar can also arrange this. “There will certainly be a lot of cases where people will definitely want to show that a real, trustworthy person is responsible for a particular website,” explains Schlossbauer.

Until now, domain holders’ data have been publicly accessible at nic.at. From mid-May, this will no longer be possible. “In future, natural persons’ domain data will only be accessible to people who identify themselves and have a legitimate legal reason for finding out who the domain holder is,” Schlossbauer points out. This includes law enforcement agencies, lawyers or people who contact nic.at following domain disputes and can prove that their rights have been infringed.

The adaptations in the WHOIS policy will not affect the public domain availability check, explains Schlossbauer: “When it comes to obtaining accurate information on whether a .at, .co.at or .or.at domain is still available, nic.at will remain the first point of contact for reliable availability checks.”

But the changes being adopted by each country code top level domain registry across Europe are a missed opportunity according to Wein.

“The opportunity for the ccTLD registries across Europe to work together and propose one solution was a missed opportunity,” said Wein.

“Every ccTLD appears to be doing something different, even if very slightly, and it’s a pity that the industry couldn’t develop one standard. It will mean registrars will have to implement 10, 20, maybe even 28, different solutions depending on how many ccTLDs for EU countries they sell. The situation is a nightmare.”

“Then there comes the problem with no WHOIS available to law enforcement, government bodies and brand protection. How can they get the registrant information? Registries are not allowed to give out information such as to the police without a good reason. Potential buyers of a domain name will have no way of contacting the registrant unless their details are provided on the website. While under the law of many countries, including Austria, the website owner is required to provide information about who owns the website, it is difficult to verify if this is correct, and will be next to impossible when the GDPR comes into effect.”

“When there’s a request for WHOIS information from law enforcement, for example,” Wein continues, “it will require someone at nic.at to manually check that the required authorisations such as a court order are in place and then to provide the information. Currently enquiries are machine-to-machine, but from 25 May it will be human-to-human and only available in business hours. It will mean a change of procedures and in many cases be much slower.”