Tag Archives: General Data Protection Regulation

Latvia’s ccTLD Plans “Data Minimisation” to Comply With GDPR

There’s a bit of a belated rush by European country code top level domain (ccTLD) operators to comply with the looming deadline to implement the .E.U.’s new privacy rules, the General Data Protection Regulation (GDPR). The latest is Latvia’s ccTLD, .lv who, in their announcement, said they plan “to implement data minimisation” to comply. And they are seeking comment on their plans by 12 April.

The data minimisation planned by NIC.LV to comply with the GDPR means that when registrants fill out the .lv domain name registration form, only one postal address will be required (instead of two) and no fax number will be required.

At present, if the domain name registrant is an individual, their first name, surname, personal identity number and postal address is not publicly shown. In the future, to ensure GDPR compliance, the holders’ telephone number and email will also not be published. In order to provide some communication channel with the domain names’ holder, NIC.LV will develop an electronic contact form.

The NIC WHOIS policy [pdf] has been prepared to determine the obligations of the NIC.LV and the WHOIS user, including the allowable use of WHOIS.

To ensure GDPR compliance and adaption to local regulations, NIC.LV proposes to change the terminology definitions and procedures. As this policy is being used for direct registrations, as well as registrations through registrars, NIC.LV proposes to make a separate document called the price list and payment policy of NIC.LV [pdf], which would apply only to direct registrations.

Information for domain name registrants on the processing of their personal data – access, data portability, rectification, deletion, etc. will be included in the updated NIC.LV Privacy policy [pdf].

In accordance with GDPR Article 28, the agreement between the Registry and the Registrar will be supplemented by Annex 3 “Personal data processing” [pdf], which will define the roles and responsibilities of the Personal Data Controller (NIC.LV) and the Processor (Registrar).

NIC plans to develop new documents:

NIC plans to make amendments to the following:

The NIC.LV feedback period is open until 12 April with comments to be sent to legal@nic.lv. All amendments to contracts and policies have also been sent to the Ministry of Transport for evaluation.

nic.at To Hide Individual’s WHOIS Data, But Optional For Business, to Comply With GDPR

From mid-May individuals who have registered .at domain names will have their registrant details hidden by default, although they can have the data published if they wish, while businesses will continue to have their contact details published in WHOIS as is the case now. The change is a result of the looming introduction of the E.U.'s new privacy law.

The coming of the E.U. General Data Protection Regulation (GDPR) is causing a bit of havoc among the domain name business. It comes into effect on 25 May. Gradually European ccTLD registries are rolling out how they’re going to comply. The GDPR is intended to give individuals in the European Union more control over their data held by business, with one data protection law for to strengthen and unify data protection for all individuals within the 28 member states of the E.U. It also addresses the export of personal data outside the E.U.

In recent weeks Nominet and DENIC have announced their plans. Nominet have opened a consultation to 4 April on their proposal that will mean they will no longer display any registrant’s name or address while DENIC will only record the contact details of the domain registrant, 2 additional email addresses as contact points for abuse reports and general and technical requests as well as the usual technical domain data.

“The GDPR”, nic.at’s CEO Richard Wein told Domain Pulse following the Domain Pulse conference in Munich in February, “is the biggest change in policy and procedures in the domain name community in many years. While EPP was a big change, it happened over time and there were no rigid deadlines, but change was smooth and happened quickly.”

Currently the nic.at WHOIS database, the public register of all registered .at domains, currently contains details on the holders of and contact persons for .at domains, regardless of whether they are companies or private individuals. Under the EU General Data Protection Regulation (GDPR), nic.at will only publish legal business data from mid-May 2018. Individuals can still have their data published if they wish.

For decades, it has been standard practice in domain administration to display domain holders’ data in a public database called WHOIS. The domain holder is informed of this when registering the domain. nic.at’s terms and conditions (T&C) form the legal basis for publication. This practice will change when the GDPR comes into effect.

“The GDPR defines special protection requirements for natural persons, so we will not publish their data any longer, although we still need to receive their details during the domain registration process,” explained head of nic.at’s legal department Barbara Schlossbauer. “The regulation is comes into force in mid-May 2018 and this will also lead to amendments in nic.at’s T&C and the registration guidelines for .at domains.”

In the future, the data shown for domains registered by individuals will only include the domain name, the registrar responsible and necessary technical information. If a company or organisation owns the domain, the holder’s name and address will still be published, although contact data like email address, telephone and fax number can be hidden upon request. The registrar submits information on whether a domain is held by a natural or legal person when registering the domain. If a private individual requests that their data be displayed, the registrar can also arrange this. “There will certainly be a lot of cases where people will definitely want to show that a real, trustworthy person is responsible for a particular website,” explains Schlossbauer.

Until now, domain holders’ data have been publicly accessible at nic.at. From mid-May, this will no longer be possible. “In future, natural persons’ domain data will only be accessible to people who identify themselves and have a legitimate legal reason for finding out who the domain holder is,” Schlossbauer points out. This includes law enforcement agencies, lawyers or people who contact nic.at following domain disputes and can prove that their rights have been infringed.

The adaptations in the WHOIS policy will not affect the public domain availability check, explains Schlossbauer: “When it comes to obtaining accurate information on whether a .at, .co.at or .or.at domain is still available, nic.at will remain the first point of contact for reliable availability checks.”

But the changes being adopted by each country code top level domain registry across Europe are a missed opportunity according to Wein.

“The opportunity for the ccTLD registries across Europe to work together and propose one solution was a missed opportunity,” said Wein.

“Every ccTLD appears to be doing something different, even if very slightly, and it’s a pity that the industry couldn’t develop one standard. It will mean registrars will have to implement 10, 20, maybe even 28, different solutions depending on how many ccTLDs for EU countries they sell. The situation is a nightmare.”

“Then there comes the problem with no WHOIS available to law enforcement, government bodies and brand protection. How can they get the registrant information? Registries are not allowed to give out information such as to the police without a good reason. Potential buyers of a domain name will have no way of contacting the registrant unless their details are provided on the website. While under the law of many countries, including Austria, the website owner is required to provide information about who owns the website, it is difficult to verify if this is correct, and will be next to impossible when the GDPR comes into effect.”

“When there’s a request for WHOIS information from law enforcement, for example,” Wein continues, “it will require someone at nic.at to manually check that the required authorisations such as a court order are in place and then to provide the information. Currently enquiries are machine-to-machine, but from 25 May it will be human-to-human and only available in business hours. It will mean a change of procedures and in many cases be much slower.”

Nominet Add To The Registrar Nightmare As They Finally Announce Proposed .UK Whois Changes For GDPR Compliance

On 1 March Nominet finally announced how they’re proposing to deal with the upcoming General Data Protection Regulation, with a consultation to run until 4 April and then Nominet will have to finalise their plans with the regulation to come into place on 25 May. The situation is a nightmare for registrars who have to plan and implement changes for all top level domains impacted by the GDPR.

As EPAG’s Managing Director Ashley La Bolle told Domain Pulse (the blog) following the Domain Pulse conference in Munich in late February:
“The domain industry has been really late to the game on GDPR implementation. It’s already March and we are just beginning to see real progress regarding contractual and technical changes for the GDPR. We expect to receive a lot of last-minute changes from registries in the next couple months. Although we’re not thrilled about having to make last-minute changes to system settings, we still prefer registries to make those changes before May so we can ensure compliance.”

In case you don’t know what is the GDPR, it’s data protection regulation intended harmonise data protection laws across the EU and replace existing national data protection rules. The introduction of clear, uniform data protection laws is intended to build legal certainty for businesses and enhance consumer trust in online services. The new regulation applies to businesses within the EU, or any business in the world that collects data on European citizens, such as when someone is registering a domain name. With any data that is collected, it is imperative that those collecting the data have clear and freely given consent from the individual. Huge fines apply for any organisation contravening the GDPR of up to €20 million or 4% of the company’s global annual turnover of the previous financial year.

For the changes Nominet is proposing for .uk, as with most ccTLD registries, they have allowed the domain name registrant information, also known as Whois, to be publicly available for their domain names. However in the new proposal all registrant information will be hidden. But Nominet’s concerns don’t just deal with .uk. They also manage .wales and .cymru, and Nominet, like all other generic top level domain registries have to wait until ICANN finalise how they will resolve the issue.

We have opened a comment period from today until 4 April on our .UK proposals to comply with GDPR legislation.

In summary, Nominet proposals are as follows:

  • From 25 May 2018, the .UK WHOIS will no longer display the registrant’s name or address, unless they have given permission to do so – all other data shown in the current .UK WHOIS will remain the same.
  • For registrants who wish for their data to be published in the WHOIS, we will provide appropriate mechanisms to allow them to give their explicit consent.
  • We will continue to work in the same way as now with UK law enforcement agencies seeking further information on specific domain names via our existing data release policy and via an enhanced version of our Searchable WHOIS service, available free of charge.  Those users will have automatic access to the names and addresses we hold.
  • Any third party seeking disclosure for legitimate interests can continue to request this information via our Data Release policy, free of charge.
  • The standard Searchable WHOIS will continue to be available, but will no longer include name and contact details to ensure GDPR compliance.  Those outside law enforcement requiring further data to enforce their rights will be able to request this through our existing Data Release policy.
  • The proposed new .UK Registry-Registrar Agreement (RRA) includes a new Data Processing Annex.  This sets out terms for how we would work with our registrars when processing registrants’ personal data during the registering, renewing, transferring or managing of .UK domain names to ensure GDPR compliance.
  • The Privacy Services Framework will be replaced with recognition of a Proxy Service, within a new .UK RRA to allow registrars to offer proxy services to registrants who do not wish to have their details passed to Nominet.
  • Additionally, we propose changing the rules for the data we collect for domain names that end in second-level .uk domain registrations, such as example.uk. We will no longer require a UK ‘address for service’ bringing this into line with third-level .UK domains such as example.co.uk, example.org.uk and so on.

Further details including links to all redline copies of the relevant documentation are available here. You can find just the redline versions here. 

A webinar for Nominet members to hear more about our proposals will take place on Wednesday, 7 March from 2.00-3.00pm GMT.

These changes cover the .UK namespace. Pending outcome of ICANN discussions, and feedback from this comment period, Nominet will set out our proposed approach for GDPR compliance for .cymru and .wales domains.

GDPR: EPAG’s MD Explains The Nightmare on Registrar Street

At the recent Domain Pulse conference in Munich, on 22 and 23 February, the upcoming General Data Protection Regulation (GDPR) was a focus of discussions both during conference presentations and panel discussions and during breaks. Its implementation is becoming a nightmare for many industries, with registries, both gTLD and ccTLD facing their own problems, and registrars.

That ICANN is a year too late in working out a solution for gTLDs and ccTLDs has made registrar’s life a nightmare as each one has introduced their own unique solution, Ashley La Bolle, EPAG’s Managing Director told Domain Pulse, following the panel discussion (see the interview below).

With ICANN simply not ready for the GDPR;’s start date on 25 May having not even finalised how they will respond, and registries throughout the European Union seemingly all having a unique method of dealing with the regulation, it’s what Richard Wein, nic.at’s CEO told Domain Pulse, is a missed opportunity for registries to worked together on one solution. For ICANN and generic top level domain registries (new and legacy) there is sure to be some heated discussions, and criticisms of ICANN for being so slow to adapt, at the ICANN meeting in Puerto Rico this month.

At the Domain Pulse conference (which is unrelated to the Domain Pulse blog), the panel discussion that focussed on GDPR involved representatives from registrars, registries and eco, the German internet association. Titled “The Challenge of Compliance: NIS Directive, GDPR, ePrivacy Regulation – the EU's Digital Roadmap and the Domain Industry”, it featured Volker Greimann from Key-Systems, Boban Kršić from DENIC, Ashley La Bolle from EPAG Domainservices, Ingo Wolff from tacticx and was moderated by Thomas Rickert, lawyer and representing eco. The panel discussion saw criticisms of ICANN with some wondering what will ICANN do if the community, and in particular registrars, disagree with what ICANN proposes.

During the discussion La Bolle said many registries haven’t given the information they require to registrars, neither their reasons and the legal basis, for data they require. “It’s not a lot of information we need. And we can no longer wait for ICANN or independent registries, we have got to implement changes that comply with GDPR.”

Following the panel discussion, Domain Pulse spoke in more detail La Bolle, Managing Director of EPAG Domainservices GmbH, who spoke of her frustrations of the way most registries have responded to the GDPR with unrealistic timelines for registrars to implement the required changes.

Domain Pulse: What are your opinions on the GDPR implementation?
Ashley La Bolle: The domain industry has been really late to the game on GDPR implementation. It's already March and we are just beginning to see real progress regarding contractual and technical changes for the GDPR. We expect to receive a lot of last-minute changes from registries in the next couple months. Although we're not thrilled about having to make last-minute changes to system settings, we still prefer registries to make those changes before May so we can ensure compliance. We do, however, see opportunities for registries to change requirements to be compliant without requiring registrars to make technical changes on very short notice. Some registries, for example, are planning to simply delete any non-essential data that registrars send in a domain order during a specified transition period. Only after that transition period will they begin returning an error message when non-essential data is sent with an order.

DP: How has it impacted on EPAG’s resources and staff?
ALB: EPAG is working closely with OpenSRS and Enom to develop a GDPR implementation plan for the entire company. But even when we are able to pool resources on planning, there is quite a bit of work that has to happen in addition to that. The GDPR requires contracts to be revised, additional staff training, and customer education. Our approach has been to change our systems and processes to handle as much of the impact of the GDPR as possible so that our customers can continue to use our services as they always have.

DP: What will be EPAG’s way of dealing with it?
ALB: The Tucows approach includes data minimisation, contract changes, Whois changes, and a consent management flow. Regarding data minimisation, we will only process a limited set of registrant data and in most cases will no longer process data for the administrative, technical, or billing contacts. At the same time, we are adjusting contracts with registrants, resellers, and registries. Another important part of our approach is the introduction of a gated Whois service, meaning personal data will no longer be published in the public Whois. Authorised third parties with a demonstrated legitimate interest to access the data, will still be granted access following an authentication process. These parties may include Law Enforcement, the Security community, Intellectual Property lawyers, Aftermarket providers, and Certificate Authorities, among others. Finally, we are building a consent management flow in order to allow registrants to give consent for any data use that is not required by contract.

DP: What problems have you experienced in implementing the requirements?
ALB: The main obstacle we have encountered is the lack of preparedness in the domain industry that I mentioned before.

DP: One issue Richard Wein, nic.at’s CEO, has raised is it was a great opportunity for ccTLD registries to collaborate on one solution – I assume this would have made your life a lot easier and required less input of staff and other resources?
ALB: We would prefer a common solution across ccTLD registries. When each registry comes up with an individual approach, it is a nightmare for registrars to implement each individual approach and explain it to their customers. This is an industry that thrives on standards and common practice and the GDPR does not change this.

DP: Are you on track to comply with the requirements for ccTLDs and gTLDs, and given there is no real solution for gTLDs yet, how are you dealing with this?
The result of the domain industry being so late to react to the GDPR is that we have had to design our own approach – one that we feel is both legally compliant and customer friendly. At the same time, we have supported efforts by ECO to propose a common model as described in their Domain Industry Playbook.

DP: Do you have any thoughts on how ICANN has dealt with GCPR?
ALB: We wish that ICANN had started work on this a year ago. Of course, we will try to accommodate changes, but in absence of new consensus policies, we have to develop solutions that we believe will ensure our own compliance with the law.

This article was originally published at:

ICANN: Data Protection/Privacy Update Webinar Scheduled for 2 February

ICANN today [25 Jan] announced that it will hold a webinar on 2 February from 1530 to 1630 UTC to provide an update on data protection/privacy activities related to the European Union’s General Data Protection Regulation (GDPR).

The webinar will focus on ICANN‘s three proposed interim models for collecting registration data and implementing registration directory services published [PDF, 623 KB] earlier this month.

In order to facilitate global participation, interpretation services will be available in Arabic, Chinese, French, Portuguese, Russian, and Spanish. Participants will have the opportunity to ask questions at the end of the session. During the course of the webinar, participants may submit questions using the chat function in Adobe Connect. We will make every effort to answer the questions during the webinar. A recording of the webinar will be made available for future reference.

The community is encouraged to provide input on the proposed models [PDF, 623 KB] by 29 January 2018. Please send your feedback to gdpr@icann.org.

More information on ICANN‘s data protection/privacy activities is available here.

Webinar Details & How to Attend

Date: 2 February 2018

Time: 1530 – 1630 UTC

Join via Adobe Connect (please send dial-in requests to gdpr-questions@icann.org)

View Dial-in Information

Participant Codes:

English – Participant Code: 9001
Français – Participant Code: 9002
Español – Participant Code: 9003
中文 – Participant Code: 9004
Pусский – Participant Code: 9005
العربية – Participant Code: 9006
Português – Participant Code: 9007


ICANN‘s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

This ICANN announcement was sourced from:

ICANN Proposes Solutions To Deal With WHOIS and GDPR Conflicts

EU_GDPR_bannerEnforcement of the European Union’s General Data Protection Regulation (GDPR) is coming on 25 May and as of yet, ICANN still hasn’t worked out a way to deal with the conflicts between the collection of domain name registration data (WHOIS) and the requirements of GDPR.

Acknowledging it’s likely they won’t have a solution by the enforcement date, ICANN’s President and CEO Göran Marby wrote on the organisation’s blog last week that they’re “working to develop interim models for collecting registration data and implementing registration directory services that may be compliant with both the law and ICANN's contractual agreements. To be clear, these proposed models are meant to facilitate discussion and a final model decided on to be an interim solution. They do not replace any existing ICANN policy development work or policies.”

In November ICANN “published a Statement from Contractual Compliance, which indicated ICANN org would defer taking compliance action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data.”

So what is the GDPR? It’s the E.U.’s way of harmonising data protection laws across the 28-member states and gives greater protection to data and the privacy of EU citizen’s data.

It applies to any organisation that processes data about individuals relating to the sale of goods or services to citizens in EU countries, which includes the registration of domain names involving registrars, resellers and registries. Which means that even businesses from outside of the EU who process data on the citizens of the European Union need to comply. This includes domain name registries and registrars.

The penalties for non-compliance are steep. Organisations can be fined up to 4% of annual global turnover for breaching the GDPR or €20 million, the maximum fine. And if their data is infringed, the GDPR makes it easier for individuals to bring private claims against data controllers when their data privacy has been infringed and to sue for compensation when non-material damage has been suffered. Consent for the collection of the data is necessary, and the withdrawal of consent must be made available.

Personal data under the GDPR is defined as any information related to a natural person or ‘Data Subject’, that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address. Which also includes WHOIS data required when registering a domain name.

The E.U. has expressed their concerns about how ICANN is progressing. In a letter to ICANN, the EU’s ARTICLE 29 Data Protection Working Party says “the unlimited publication of personal data of individual domain name holders raises serious concerns regarding the lawfulness of such practice under the current European Data Protection directive (95/46/EC), especially regarding the necessity to have a legitimate purpose and a legal ground for such processing.” The letter states a “layered access” may meet the GDPR while also providing law enforcement with the access they require. The EU has been calling for such a layered access since 2003.

Regarding the publication of WHOIS data collected when registering a domain name, the WP letter says there are concerns regarding the way consent is given when collecting WHOIS data and how that consent is given.

In last week’s blog post, Marby outlines what ICANN has been doing, and the 3 options for moving forward. ICANN obtained legal advice that advised in November WHOIS as it currently exists must change. In December Marby advised ICANN was working on some “interim models for collecting registration data and implementing registration directory services that may be compliant with both the law and ICANN's contractual agreements.” The models “are meant to facilitate discussion and a final model decided on to be an interim solution. They do not replace any existing ICANN policy development work or policies.”

And then last week ICANN published for community input three proposed discussion models for collecting registration data and implementing registration directory services that reflect discussions “from across the community and with data protection authorities, legal analyses and the proposed models we have received to date.”

Marby summarised the three models [pdf] in his post at a high-level, which are reproduced below. “The models differ based on what contact information is displayed in the public-facing WHOIS, their applicability, the duration of data retention and what data is not displayed in a public-facing WHOIS:

  • Model 1 would allow for the display of Thick registration data, with the exception of the registrant's phone number and email address, and the name and postal address of the technical and administrative contacts. To gain access to these non-public data points, third parties would be required to self-certify their legitimate interests for accessing the data. This model applies if the registrant is a natural person, and the registrant, registry, registrar and/or the data processor is in the European Economic Area.
  • Model 2 would allow for the display of Thin registration data, as well as the technical and administrative contacts' email addresses. To access the non-public information registries and registrars would be required to provide access only for a defined set of third-party requestors certified under a formal accreditation/certification program. There are two variations on how this model would apply. Model 2A applies to registrants who are both natural and legal persons, where the registrant, registry, registrar and/or the data processor is in the European Economic Area. Model 2B would apply to registrants who are both natural and legal persons, where the registrant, registry, registrar and/or the data processor is regardless of location, that is on a global basis.
  • Model 3 would allow for the display of Thin registration data and any other non-personal registration data. To access non-public information, a requestor would provide a subpoena or other order from a court or other judicial tribunal of competent jurisdiction. This model would apply to all registrations on a global basis.

Feedback must be received by 29 January 2018 with comments to be sent to gdpr@icann.org.

The models are available to read in more detail at https://www.icann.org/en/system/files/files/interim-models-gdpr-compliance-12jan18-en.pdf.