/ 1

Dec 01

/ nic.at News - 01.12.2017 10:17
The EU General Data Protection Regulation (GDPR) and its impact on the domain industry

Like all other companies, registries and registrars must ensure they comply with the GDPR from 25 May 2018. We discussed the specific implications for the domain industry with Lawyer Thomas Rickert, EPAG CEO Ashley La Bolle and out CTO Robert Schischka.

»The Whois will die«

nic.at has a direct contract with the domain holder and, as such, is authorised to see their data in order to fulfil the contract. However, this does not automatically mean that data can be shown in a publicly accessible database. »In its current form, Whois will die,« believes nic.at technical Managing Director Robert Schischka. But this poses challenges to us as a registry, since domain owners have a contractual responsibility to keep their data up to date. Until now they have been able to consult Whois. But how will they see which data is kept on record in future? Lawyers and law enforcement agencies are constantly accessing Whois data to identify domain holders. This means new processes and information requests in individual cases, which will cost time and money. On the flip side, there will also be cases where domain holders wish to appear in public. »In the case of names such as .bank and .versicherung the domain holder has to fulfil various criteria to show that they really are from the industry in question.« Schischka sees an opt-in Whois system as a potential solution: anyone who wants to appear publicly in the Whois database should be given the opportunity to do so. However, the highest possible level of data protection should be set by default.

»ICANN registrars have to choose between cholera and the plague«

Registrars responsible for administering generic top level domains (gTLDs) face something of a dilemma: they are compelled to publish information in their ICANN contracts which directly contravenes the EU’s General Data Protection Regulation (GDPR). »So you could say that they have to choose between cholera and the plague when it comes to choosing which regulations to breach,« explained Thomas Rickert. But there is an answer on the horizon: registrars will honour the GDPR, and ICANN will refrain from asserting its contractual rights until such time as new regulations are created under the multistakeholder model. But the whole ecosystem has to be rethought, with the goal of finding a uniform solution worldwide. Germany’s eco (Association of the Internet Industry) has developed a data model that not only takes up the Whois issue but also looks at all aspects of data processing related to gTLDs, and provides suggestions for which data should be collected, transferred, processed and lawfully shared with third parties. This model, presented in Brussels on 11 December 2017, is now in an official consultation phase before it is ultimately introduced by ICANN. For more information visit www.international.eco.de - Topics – Names & Numbers. In his capacity as a lawyer, Rickert also provides extensive tips on how to implement the GDPR at www.gdpr.ninja.

»There’s more to data protection than just adding the icing to the cake«

From a registrar point of view, implementing the GDPR is complex and extensive, as La Bolle confirmed: »There’s more to data protection than adding the icing to the cake – you might end up needing a new recipe and having to bake the cake again from scratch!« She is referring to new processes that need to be implemented and documented, such as providing customers with information, identifying applicants and the right of the data owner to withdraw consent, all the way to making necessary changes to products. That aside, surveying existing data processing activities at a company is itself highly complex and demanding: »You really have to go into every department and ask: What data do you have? On what grounds? For how long? What can be deleted and when? Who do you pass it on to and why? Who can see what data? How can you justify it all?«, La Bolle explained. She also has to bear in mind that her parent company is domiciled in Canada, meaning that data is sent there and to the USA. La Bolle also works with lots of resellers, which adds another layer of complexity. The original idea of »We’ll document everything, turn off the Whois database and that will be that!« has long since been blindsided by reality. La Bolle expressly recommends working with a lawyer.