GDPR and domain name resellers, 20 million reasons to read this.

Companies will face very harsh punishments for infringements under the GDPR. Art. 83 Paragraph 5 of the GDPR offers the supervising authorities the possibility of imposing fines of up to 20 million Euro or, for corporations, up to 4% of the worldwide turnover of the preceding financial year.

 

Tick tock, tick tock, goes the clock
The EU GDPR will go into effect May 25th, 2018. It looks like there is still a lot of time, but actually, there is not much time left to prep your organization for the GDPR!

Most of your company’s operations will be affected by the GDPR, from your human resources to your marketing department. Policies and processes need to be reviewed, altered and communicated. Privacy by design will be key.

From a wholesale registrar perspective, the impact of the GDPR in combination with domain names is relatively low.
However, the impact for you as a reseller is a massive one.
In respect to registering domain names, your company, as the data collector, sends a lot of Personally Identifiable Information (PII) all over the globe. Be it a ccTLD registration or a gTLD registration.
The GDPR will affect all of our resellers who deal with European citizens as customers even if you, as a reseller are not located in the EU.

We at Realtime Register will, however, assist you in the upcoming struggle.

Privacy protect
As you may have read in one of our previous blog posts, we will offer our privacy protect services for free for our resellers.
This will make sure that you can comply with the EU GDPR and ICANN regulations without too much hassle. We strongly suggest to evaluate your customers and see who will require this service. The easiest and safest way is to use Privacy protect by default for your customers.
For Dutch resellers, who have so-called ZZPers as customers, by law they are exempt from the demanded privacy. However, the GDPR did not take into account how these self-employed business owners should be treated, as the lines between being a professional and a natural person often cross each other.
If you make mistakes here and you forget to enable privacy protect and your customers PII is unprotected, you will be risking the high fines as mentioned earlier. Forgetting about (overlooking) a customer or customers could result in a data breach.

Currently, we are working with a leading juristically advice agency to set up a deal for several services including the new agreements and privacy statement you will need; more details will follow soon.

Some aspects of exporting PII data outside the EU and ccTLD registries (and several others) are still not clear. We will inform you about this as soon as there is more clarity on this subject.

The bottom line, when it comes concerning the GDPR to the GDPR, think twice about how you deal with PII. Be prepared the GDPR will be affecting your business in more ways than you expect.

Other geographical areas
China already introduced severe privacy laws, and companies need to comply early 2018. Overall there are over 100 countries with data protection laws, and 46 countries are currently drafting data protection laws similar to the GDPR.

It is a shame that ICANN and a lot of Registries do not support the privacy by design principle, at the moment, this would have made our lives a lot easier. Perhaps ICANN and Registries should consider the following.

On December 10, 1948 the General Assembly of the United Nations adopted and proclaimed the Universal Declaration of Human Rights.

Article 12:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

So let us be sensible about privacy.

 

 

 

 

Realtime Register Release and New Features

This page is dedicated to the relevant changes, added features and fixes of the Realtime Register front and back end. Please visit regularly to stay up to speed. The API Changes are documented in more detail on the API Docs Change Log pages and additional documentation. Please note, login is required.

26/09/2017
Improvement: Privacy Protect v2 allows transfer out without exposing registrants date. In preparation for GDPR.
Bugfix: Denic, some unsupported Unicode characters in address contacts will now give the proper error message.
Improvement: NicIT, NS check now inline with registry policy.
Improvement: NicIT, Client hold option removed.
Bugfix: Fixed check on additional properties.

EU GDPR, is consent the Silver Bullet for Domain Name Registrations?

Update:28-11-2017

According to the Dutch DPA, consent is not the silver bullet. 

https://autoriteitpersoonsgegevens.nl/en/news/dutch-dpa-unlimited-publication-whois-data-violates-privacy-law

This will make ccTLD registrations outside of the EU for natural persons very problematic and perhaps such registrations should be avoided, though this is not legal advice in any shape or form. 

Consent is often cited as the Silver Bullet to transfer data outside of the EU.The requirements, however, can be rather complex given the fact how registries/ICANN process and control the data.

The rules according to Art.6.1(b).

Data subjects are provided with a clear explanation of the processing to which they are consenting; The consent mechanism is genuinely of a voluntary and “opt-in” nature;
Data subjects are permitted to withdraw their consent easily;
The organization does not rely on silence or inactivity to collect consent (e.g., pre‑ticked boxes do not constitute valid consent);

  • Be specific and granular. Vague or blanket consent is not enough
  • Name any third parties who will rely on the consent
  • Make it easy for people to withdraw consent and tell them how
  • Consent must specifically cover the controller’s name, the purposes of the processing and the types of processing activity

Purpose
Consent will be needed for different processing operations wherever appropriate – so you need to give granular options to consent separately to separate purposes unless this would be unduly disruptive or confusing. As a minimum, consent must specifically cover all purposes.

Consent shouldn’t be.
Recital 32 also makes clear that electronic consent requests must not be unnecessarily disruptive to users. You will need to give some thought to how best to tailor your consent requests and methods to ensure clear and comprehensive information without confusing people or disrupting the user experience – for example, by developing user-friendly layered information and just-in-time consents.

Principles of data protection
In data protection, there is the fundamental principle which is unchanged even in the age of Big Data.

The data subject has to be in control of her/his data, which means for consent that you need consent for every each of the data processing activities (even for minor changes in the processing)

Scope

Considering that Registrars and Domain Name Resellers do business with more than 1000’s of TLDs located in more than 200 countries the complexity of getting consent “right” seems to be very difficult and complex and not recommended for domain name registrations.

The Right to be forgotten.
Individuals have a right to have personal data erased and to prevent processing in specific circumstances:

  • Where the personal data is no longer necessarily about the purpose for which it was originally collected/processed
  • When the individual withdraws consent
  • When the individual objects to the processing and there is no overriding legitimate interest for continuing the processing
  • The personal data was unlawfully processed (ie otherwise in breach of the GDPR)
  • The personal data has to be erased in order to comply with a legal obligation

The above adds another layer of complexity. Some Registries will delete the data of the data subject; some don’t. Currently, it is unknown which policies the registries have in place. In short, consent adds a whole layer of organizational challenges. It is assumed that the withdrawal of consent does not automatically imply that the service can be terminated as consent was not ““freely given”, a requirement of the GDPR.

Given the fact how the public WHOIS system works it is unknown how the right to be forgotten should work in practice within the DNS.

More information about consent can be read here.

 

FAQ Privacy Protect support

1. What does privacy protect do?
2. Why should you offer privacy protect to your customers?
3. What are the benefits of privacy protecting?
4. How can I set all domains of a registrant contact to privacy protect?
5. Do I need to have consent of the registrant for privacy protect?
6. Do ALL TLDs allow privacy protecting?
7. How can someone get in touch with the registrant of a privacy protected domain?
8. Why should I set my customers domains on client transfer prohibited TRUE?
9. How about exposing registrant information through the other contacts?

1. What does privacy protect do?

Realtime Register privacy protect removes the exposed registrant information and replaces it by a default data set and email address related to the domain name.

Example whois output non-privacy protected domain

Registrant Name: John Johnson
Registrant Organization:
Registrant Street: 404 street name
Registrant City: Amsterdam
Registrant State/Province:
Registrant Postal Code: 1000 AA
Registrant Country: NL
Registrant Phone: +31.106660666
Registrant Phone Ext:
Registrant Fax:
Registrant Fax Ext:
Registrant Email: john@whatever.whatever

Example whois output privacy protected domain

Registrant Name: Privacy Protect
Registrant Organization: My Domain Provider
Registrant Street: Ceintuurbaan 32A
Registrant City: Zwolle
Registrant State/Province: 
Registrant Postal Code: 8024 AA
Registrant Country: NL
Registrant Phone: +31.382305013
Registrant Phone Ext:
Registrant Fax: 
Registrant Fax Ext:
Registrant Email: domainname.extension@mydomainprovider.com


Where “domainname.extension” is replaced by the domain name of the whois output. If the  phone number is called a recorded message is played to contact the registrant through email.

To Top Of Page

2. Why should you offer privacy protect to your customers?

By exposing the registrant information, you might be in breach with the GDPR. Especially if you don’t have explicit consent to have the registrant information published in a public whois. And in addition, it’s a human right. As article 12 of the United Nations Universal Declaration of Human Rights states:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Every-one has the right to the protection of the law against such interference or attacks.

To Top Of Page

3. What are the benefits of privacy protecting?

  • It protects your customer’s privacy even more effectively
  • It prevents spam by email, phone calls or text messages to your customers
  • It is compliant with over 100 data protection laws worldwide.


To Top Of Page

4. How can I set all domains of a registrant contact to privacy protect?

For starters, make sure you have your customers consent for setting domains to privacy protect. You can do this by either explicit consent or through your terms of service. If you use the Realtime Register Domain Manager, we have a Privacy Protect step-by-step plan available for you. If you use the Realtime Register API, you can use the API commands set to privacy protect. However, even then you want to have a look at the Privacy Protect step-by-step plan.

To Top Of Page

5. Do I need to have consent of the registrant for privacy protect?

Yes, you need to have some form of consent, please have a look at item 4 of this FAQ.  The privacy protect feature also sets the domain to transfer prohibited. This also requirers the consent of the registrant.

To Top Of Page

6. Do ALL TLDs allow privacy protecting?

Nope, I am sorry, however, privacy protect is allowed for practically all generic TLDs. Most ccTLDs don’t allow it. However, the ccTLDs that don’t allow privacy protect in general show very few information, so effectively it’s privacy protected.
For example; the Dutch .nl extension does not display the registrant name if there is no organization name added to the registrant information. As do other ccTLD registries like DNS BE, Eurid and Afnic.


To Top Of Page

7. How can someone get in touch with the registrant of a privacy protected domain?

Basically, in two ways by using a captcha-protected form at my domainprovider.com and sending an email to the domainname.extension@mydomainprovider.com email address.

  1. If the form at mydomainprovider.com is used, the email with optional attachment is directly send to the registrant’s email address in the registrant contact handle. Of course, the sender does not get to see the real address.
  2. If the mail is send directly to the email address in the whois, the behaviour depends on the status of the client transfer prohibited setting.
    1. If client transfer prohibited is TRUE, the sender gets an email to go to the mydomainprovider.com form. Effectively blocking spam bots from reaching the registrant.
    2. If the setting client transfer prohibited is FALSE, the registrant gets a standard email with a link to view the message. Attachments from the sender are discarded. This route ensures limited protection from spam though allows for transfer out FOA’s to reach the registrant.


To Top Of Page

8. Why should I set my customers domains on client transfer prohibited TRUE?

  1. It helps to prevent domain theft and unwanted transfers.
    • Even if someone of your staff has been socially engineered to provide an authorization code to an unauthorized person, it adds an additional threshold for transferring the domain away.
  2. It reduces spam reaching the registrant even better.
    • If the domain is privacy protected automated spam is unable to get in your customers mailbox.


To Top Of Page

9. How about exposing registrant information through the other contacts?

That is a tricky one, if you use different contacts with the registrant’s information you will end up exposing unwillingly contact information of the registrant. In general, there are two approaches:

  1. Change all admin, billing and tech contacts to a contact that has your brand information. As a nice side effect, your brand gets more exposure in the whois information.
  2. Change all contacts to the contact handle of the registrant. This way, these whois contacts will also display the privacy protect information.

It’s up to you, make your pick!

Updated privacy protect service

On September 26 we will release a revamped version of our privacy protection service. It contains significant changes and will comply with upcoming EU GDPR and ICANN policies.

Why you need the new privacy protect service

At Realtime Register we value the privacy of your customers the registrants, by using the new Realtime Register privacy protect services you’ll bring your customers privacy to the highest level possible. Regarding domain names, it will enable you to be GDPR ready, saving you a lot of time in this area.

The new privacy protect service:

  • is free! That is, for reselling customers with standard pricing
  • protects your customer’s privacy even more effectively
  • allows for transfers without dropping privacy protect
  • prevents spam for your customers
  • is compliant with over 100 data protection laws worldwide.

Main differences

Current Privacy Protect

New Privacy Protect

Contacts
Automatically privacy protect for both the registrant and admin, billing and tech contacts. Only the registrant has Privacy Protect data, the other contacts have the information of the contacts used by you.
Email
Branded form at mydomainprovider.com Branded email informing a registrant, plus link to email
Post transfer out behavior
Privacy protect needs to be lifted before transfer out After a privacy protected domain has been transferred out the privacy protect stays intact, though the information should be changed asap.

What you need to do

what you need to do after the release on September 26, is:

  1. Set your customer’s domain status to transfer prohibited* this will prevent that email will be forwarded to the registrant. You need to make sure you have the registrants consent to do so.
  2. If you want to keep privacy protect for the admin, billing and tech contacts, you need to set these contacts to the same contacts as the registrants.
  3. Customize the new email template** for your brand(s).

*If you want to transfer a domain out, removing this status will forward emails to the registrant making it possible to receive the outgoing FOA email. The spam blocking effect will be disabled.
**The new email template is for reminding the registrant to have the privacy protect information changed after the domain has been transferred away from Realtime Register. This email will only be sent if the privacy protect information has not been updated to the data set of the new privacy protect provider and still contains our information.

Make sure to pass this information on to the people in your organization responsible for policies concerning registrant information and legal issues.