Tag Archives: General Data Protection Regulation

GDPR: EPAG’s MD Explains The Nightmare on Registrar Street

At the recent Domain Pulse conference in Munich, on 22 and 23 February, the upcoming General Data Protection Regulation (GDPR) was a focus of discussions both during conference presentations and panel discussions and during breaks. Its implementation is becoming a nightmare for many industries, with registries, both gTLD and ccTLD facing their own problems, and registrars.

That ICANN is a year too late in working out a solution for gTLDs and ccTLDs has made registrar’s life a nightmare as each one has introduced their own unique solution, Ashley La Bolle, EPAG’s Managing Director told Domain Pulse, following the panel discussion (see the interview below).

With ICANN simply not ready for the GDPR;’s start date on 25 May having not even finalised how they will respond, and registries throughout the European Union seemingly all having a unique method of dealing with the regulation, it’s what Richard Wein, nic.at’s CEO told Domain Pulse, is a missed opportunity for registries to worked together on one solution. For ICANN and generic top level domain registries (new and legacy) there is sure to be some heated discussions, and criticisms of ICANN for being so slow to adapt, at the ICANN meeting in Puerto Rico this month.

At the Domain Pulse conference (which is unrelated to the Domain Pulse blog), the panel discussion that focussed on GDPR involved representatives from registrars, registries and eco, the German internet association. Titled “The Challenge of Compliance: NIS Directive, GDPR, ePrivacy Regulation – the EU's Digital Roadmap and the Domain Industry”, it featured Volker Greimann from Key-Systems, Boban Kršić from DENIC, Ashley La Bolle from EPAG Domainservices, Ingo Wolff from tacticx and was moderated by Thomas Rickert, lawyer and representing eco. The panel discussion saw criticisms of ICANN with some wondering what will ICANN do if the community, and in particular registrars, disagree with what ICANN proposes.

During the discussion La Bolle said many registries haven’t given the information they require to registrars, neither their reasons and the legal basis, for data they require. “It’s not a lot of information we need. And we can no longer wait for ICANN or independent registries, we have got to implement changes that comply with GDPR.”

Following the panel discussion, Domain Pulse spoke in more detail La Bolle, Managing Director of EPAG Domainservices GmbH, who spoke of her frustrations of the way most registries have responded to the GDPR with unrealistic timelines for registrars to implement the required changes.

Domain Pulse: What are your opinions on the GDPR implementation?
Ashley La Bolle: The domain industry has been really late to the game on GDPR implementation. It's already March and we are just beginning to see real progress regarding contractual and technical changes for the GDPR. We expect to receive a lot of last-minute changes from registries in the next couple months. Although we're not thrilled about having to make last-minute changes to system settings, we still prefer registries to make those changes before May so we can ensure compliance. We do, however, see opportunities for registries to change requirements to be compliant without requiring registrars to make technical changes on very short notice. Some registries, for example, are planning to simply delete any non-essential data that registrars send in a domain order during a specified transition period. Only after that transition period will they begin returning an error message when non-essential data is sent with an order.

DP: How has it impacted on EPAG’s resources and staff?
ALB: EPAG is working closely with OpenSRS and Enom to develop a GDPR implementation plan for the entire company. But even when we are able to pool resources on planning, there is quite a bit of work that has to happen in addition to that. The GDPR requires contracts to be revised, additional staff training, and customer education. Our approach has been to change our systems and processes to handle as much of the impact of the GDPR as possible so that our customers can continue to use our services as they always have.

DP: What will be EPAG’s way of dealing with it?
ALB: The Tucows approach includes data minimisation, contract changes, Whois changes, and a consent management flow. Regarding data minimisation, we will only process a limited set of registrant data and in most cases will no longer process data for the administrative, technical, or billing contacts. At the same time, we are adjusting contracts with registrants, resellers, and registries. Another important part of our approach is the introduction of a gated Whois service, meaning personal data will no longer be published in the public Whois. Authorised third parties with a demonstrated legitimate interest to access the data, will still be granted access following an authentication process. These parties may include Law Enforcement, the Security community, Intellectual Property lawyers, Aftermarket providers, and Certificate Authorities, among others. Finally, we are building a consent management flow in order to allow registrants to give consent for any data use that is not required by contract.

DP: What problems have you experienced in implementing the requirements?
ALB: The main obstacle we have encountered is the lack of preparedness in the domain industry that I mentioned before.

DP: One issue Richard Wein, nic.at’s CEO, has raised is it was a great opportunity for ccTLD registries to collaborate on one solution – I assume this would have made your life a lot easier and required less input of staff and other resources?
ALB: We would prefer a common solution across ccTLD registries. When each registry comes up with an individual approach, it is a nightmare for registrars to implement each individual approach and explain it to their customers. This is an industry that thrives on standards and common practice and the GDPR does not change this.

DP: Are you on track to comply with the requirements for ccTLDs and gTLDs, and given there is no real solution for gTLDs yet, how are you dealing with this?
The result of the domain industry being so late to react to the GDPR is that we have had to design our own approach – one that we feel is both legally compliant and customer friendly. At the same time, we have supported efforts by ECO to propose a common model as described in their Domain Industry Playbook.

DP: Do you have any thoughts on how ICANN has dealt with GCPR?
ALB: We wish that ICANN had started work on this a year ago. Of course, we will try to accommodate changes, but in absence of new consensus policies, we have to develop solutions that we believe will ensure our own compliance with the law.

This article was originally published at:

ICANN: Data Protection/Privacy Update Webinar Scheduled for 2 February

ICANN today [25 Jan] announced that it will hold a webinar on 2 February from 1530 to 1630 UTC to provide an update on data protection/privacy activities related to the European Union’s General Data Protection Regulation (GDPR).

The webinar will focus on ICANN‘s three proposed interim models for collecting registration data and implementing registration directory services published [PDF, 623 KB] earlier this month.

In order to facilitate global participation, interpretation services will be available in Arabic, Chinese, French, Portuguese, Russian, and Spanish. Participants will have the opportunity to ask questions at the end of the session. During the course of the webinar, participants may submit questions using the chat function in Adobe Connect. We will make every effort to answer the questions during the webinar. A recording of the webinar will be made available for future reference.

The community is encouraged to provide input on the proposed models [PDF, 623 KB] by 29 January 2018. Please send your feedback to gdpr@icann.org.

More information on ICANN‘s data protection/privacy activities is available here.

Webinar Details & How to Attend

Date: 2 February 2018

Time: 1530 – 1630 UTC

Join via Adobe Connect (please send dial-in requests to gdpr-questions@icann.org)

View Dial-in Information

Participant Codes:

English – Participant Code: 9001
Français – Participant Code: 9002
Español – Participant Code: 9003
中文 – Participant Code: 9004
Pусский – Participant Code: 9005
العربية – Participant Code: 9006
Português – Participant Code: 9007


ICANN‘s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

This ICANN announcement was sourced from:

ICANN Proposes Solutions To Deal With WHOIS and GDPR Conflicts

EU_GDPR_bannerEnforcement of the European Union’s General Data Protection Regulation (GDPR) is coming on 25 May and as of yet, ICANN still hasn’t worked out a way to deal with the conflicts between the collection of domain name registration data (WHOIS) and the requirements of GDPR.

Acknowledging it’s likely they won’t have a solution by the enforcement date, ICANN’s President and CEO Göran Marby wrote on the organisation’s blog last week that they’re “working to develop interim models for collecting registration data and implementing registration directory services that may be compliant with both the law and ICANN's contractual agreements. To be clear, these proposed models are meant to facilitate discussion and a final model decided on to be an interim solution. They do not replace any existing ICANN policy development work or policies.”

In November ICANN “published a Statement from Contractual Compliance, which indicated ICANN org would defer taking compliance action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data.”

So what is the GDPR? It’s the E.U.’s way of harmonising data protection laws across the 28-member states and gives greater protection to data and the privacy of EU citizen’s data.

It applies to any organisation that processes data about individuals relating to the sale of goods or services to citizens in EU countries, which includes the registration of domain names involving registrars, resellers and registries. Which means that even businesses from outside of the EU who process data on the citizens of the European Union need to comply. This includes domain name registries and registrars.

The penalties for non-compliance are steep. Organisations can be fined up to 4% of annual global turnover for breaching the GDPR or €20 million, the maximum fine. And if their data is infringed, the GDPR makes it easier for individuals to bring private claims against data controllers when their data privacy has been infringed and to sue for compensation when non-material damage has been suffered. Consent for the collection of the data is necessary, and the withdrawal of consent must be made available.

Personal data under the GDPR is defined as any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address. Which also includes WHOIS data required when registering a domain name.

The E.U. has expressed their concerns about how ICANN is progressing. In a letter to ICANN, the EU’s ARTICLE 29 Data Protection Working Party says “the unlimited publication of personal data of individual domain name holders raises serious concerns regarding the lawfulness of such practice under the current European Data Protection directive (95/46/EC), especially regarding the necessity to have a legitimate purpose and a legal ground for such processing.” The letter states a “layered access” may meet the GDPR while also providing law enforcement with the access they require. The EU has been calling for such a layered access since 2003.

Regarding the publication of WHOIS data collected when registering a domain name, the WP letter says there are concerns regarding the way consent is given when collecting WHOIS data and how that consent is given.

In last week’s blog post, Marby outlines what ICANN has been doing, and the 3 options for moving forward. ICANN obtained legal advice that advised in November WHOIS as it currently exists must change. In December Marby advised ICANN was working on some “interim models for collecting registration data and implementing registration directory services that may be compliant with both the law and ICANN's contractual agreements.” The models “are meant to facilitate discussion and a final model decided on to be an interim solution. They do not replace any existing ICANN policy development work or policies.”

And then last week ICANN published for community input three proposed discussion models for collecting registration data and implementing registration directory services that reflect discussions “from across the community and with data protection authorities, legal analyses and the proposed models we have received to date.”

Marby summarised the three models [pdf] in his post at a high-level, which are reproduced below. “The models differ based on what contact information is displayed in the public-facing WHOIS, their applicability, the duration of data retention and what data is not displayed in a public-facing WHOIS:

  • Model 1 would allow for the display of Thick registration data, with the exception of the registrant's phone number and email address, and the name and postal address of the technical and administrative contacts. To gain access to these non-public data points, third parties would be required to self-certify their legitimate interests for accessing the data. This model applies if the registrant is a natural person, and the registrant, registry, registrar and/or the data processor is in the European Economic Area.
  • Model 2 would allow for the display of Thin registration data, as well as the technical and administrative contacts' email addresses. To access the non-public information registries and registrars would be required to provide access only for a defined set of third-party requestors certified under a formal accreditation/certification program. There are two variations on how this model would apply. Model 2A applies to registrants who are both natural and legal persons, where the registrant, registry, registrar and/or the data processor is in the European Economic Area. Model 2B would apply to registrants who are both natural and legal persons, where the registrant, registry, registrar and/or the data processor is regardless of location, that is on a global basis.
  • Model 3 would allow for the display of Thin registration data and any other non-personal registration data. To access non-public information, a requestor would provide a subpoena or other order from a court or other judicial tribunal of competent jurisdiction. This model would apply to all registrations on a global basis.

Feedback must be received by 29 January 2018 with comments to be sent to gdpr@icann.org.

The models are available to read in more detail at https://www.icann.org/en/system/files/files/interim-models-gdpr-compliance-12jan18-en.pdf.