Update on publication of personal data in the WHOIS / RDS

There has been a considerable debate whatever ICANN will enforce the contractual agreement between registrars and registries to display personal data in the WHOIS.

Publication of personal data in the WHOIS is usually in conflict with many data protection laws around the world.
The EU GDPR and the substantial fines seem to sway the discussion into a direction, for ICANN to come up with solutions and as such published several models for analysis to limit the publication of personal data in the WHOIS.

The models created by the ICANN Organisation can be viewed through the link below.

interim-models-gdpr-compliance-12jan18-en

All the models published by the ICANN community are posted here.

The end of WHOIS?
The models proposed by the ICANN organization either have limited personal info published in the WHOIS and the two other models no longer publish personal data in the WHOIS.

The ECO model also has in common that there is no personal data published in the WHOIS.

So ultimately I think we are heading to a solution where registries and registrars no longer will publish person data in the WHOIS.
All models continue their support for data transfer to registries. In my opinion, this does not meet the EU GDPR data minimization principle, which I will explain in a future blog post.

Most beautiful model?
All models are not perfect, and I guess it comes down to the following requirements:

  • Flexibility
  • Implementation time frame.

In my opinion, the ECO model fits those requirements.
In addition to this, the ECO model has the largest industry support, which is key critical for mass adoption.

The end of privacy protection services?
Should you still use the Realtime Register privacy protect service even when there will be no personal data published in the WHOIS in May 2018?
The short answer is, yes.

All proposed models might tackle the WHOIS issue; it does not address the issue of possible data breaches, increased legal requirements for you as a reseller, and other areas of GDPR noncompliance. Our privacy service does that, though perhaps we should rename our privacy service to Data Protection Compliance Services (DPCS).

GDPR update, legal definitions and possible action items.

Below, a quick update and some information which is crucial to you as a reseller regarding the GDPR.

Privacy notice
We are working on this, and I expect we will publish this at the end of February.

Processing agreement
We expect to send this to our resellers at the end of February, given the vast amount of different jurisdictions and number of registries this may be delayed by a few weeks.

Legal definitions

  • ICANN, joint data controller
  • gTLD registries, joint data controller
  • ccTLD registries, data controller
  • Realtime Register (registrar), data processor
  • Reseller, at a bare minimum, data collector, but can be in some cases a data controller!

If you are unfamiliar with the above definitions, I suggest you put in some research as the GDPR and domain names are very complex and our role as data processor is limited. A data protection impact assessment is a good idea to better understand which legal requirements apply to you under the EU GDPR.

More information regarding a DPIA can be found here.

When does the GDPR affect you as a reseller?
The GDPR would apply only to personal data included in the registration data of a natural person where:

  • The reseller/registrar and/or registry are established in the European Economic Area (EEA) and process personal data included in registration data;
  • The registrar/reseller and/or registry are established outside the EEA and provide services involving the processing of personal data from registrants located in the EEA; or
  • The registrar/reseller and/or registry are located outside the EEA and process non-EEA personal data included in registrations, where registry and/or registrar engage a processor located within the EEA to process such personal data.

Publishing of personal data in the WHOIS, I will provide more info regarding this in another blog post due to its complex nature.

Data processor
I consider Realtime Register a data processor, we process the data on behalf of you as a reseller.

Data collector
As a reseller, you collect the data from your customer(s).
From a contractual point of view, it is required you have the correct legal basis from your customer(s) to send us the data, data which we, as a registrar will transfer to the registry to register the domain name for your customer(s).

Depending on the TLD and the jurisdiction of the registry operator your legal basis will vary.
In some cases, a notice is required (easy).
In other cases, you will require consent for every piece of processing from your customer (very hard).

More information on how to obtain consent from your customer for domain name registrations can be read here.

Recommended reading regarding consent to use as a legal basis, please visit this link.

Why Registrars require an EU based Escrow provider

Domain names, registrant data and data protection, they all have a long history in the ICANN universe. Let’s do some time traveling and let me take you back in time, starting a decade ago…

March 2007
ICANN de-accredits RegistryFly, this disaster demonstrates clearly that Registrars should escrow registrant data to an escrow provider in case a registrar goes “down.”

To counter the RegistryFly disaster, ICANN introduced escrow requirements, ICANN picks up the bill, but of course, indirectly the registrars are paying for it, how much is unknown though, as we do not know how much ICANN is paying Iron Mountain USA.

October 2015
The escrow of data to the USA went on for years without problems, until October 2015, when the CJEU invalidated Safe Harbor. Most companies, registrars included relied on Safe Harbor to transfer data to the USA. But all of the sudden this was no longer an option.

This raised awareness among registrars. Our contractual ICANN obligation to escrow data was no longer an option as it was deemed illegal by the CJEU.

ICANN had appointed more escrow providers during the years including the EU. The problem, these escrow providers are not funded directly by ICANN. The prices are high, up to 2500 Euros a month.

This means that registrars using another provider would pay twice, first the provider of their choice and second Iron mountain through the ICANN fees. Effectively this means you’re sponsoring the competition, which is insane.

Further developments………

November 2015
The invalidation of Safe Harbor demonstrated another issue; legal agreements could be here today and gone tomorrow.
Realtime Register entered into a contract with Iron Mountain using a so-called SCC aka Model Contract. This solution provided us an option to continue our escrow obligations.

July 12, 2016
The European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law.

Realtime Register continued to use the SCC as it provided more safeguards for registrants compared to Privacy Shield, which was deemed invalid by legal experts the moment it was released.

August 2017
Denic the German ccTLD Registry for .DE informs ICANN registrars their far developed plans to become an ICANN designated escrow agent. ICANN acknowledged that EU Escrow providers would get the same treatment funding wise like Iron Mountain USA. Next year this treatment will be available to other escrow providers like for example China, China has very strict privacy laws.

Most recent developments……………

October 3, 2017
The Irish High Court rules on Facebook surveillance case:
Irish DPC has “well-founded concerns” over US surveillance of Facebook.
EU-US data transfer complaint referred to European Court of Justice for the second time.
The court found that the DPC has “well-founded concerns” that the SCC Decision by the European Commission (2010/87/EU) may be invalid.

11 October 2017
Realtime Register submits a letter of intent supporting Denic and urges ICANN to make haste.letter of intent

Looking ahead…………

Future
Most likely the CJEU will rule that SCC’s can no longer be used in the future. Privacy Shield will most likely be invalidated (again), causing massive operational and legal problems for registrars. ICANN should push forward with the Denic proposal as soon as possible.

GDPR and domain name resellers, 20 million reasons to read this.

Companies will face very harsh punishments for infringements under the GDPR. Art. 83 Paragraph 5 of the GDPR offers the supervising authorities the possibility of imposing fines of up to 20 million Euro or, for corporations, up to 4% of the worldwide turnover of the preceding financial year.

 

Tick tock, tick tock, goes the clock
The EU GDPR will go into effect May 25th, 2018. It looks like there is still a lot of time, but actually, there is not much time left to prep your organization for the GDPR!

Most of your company’s operations will be affected by the GDPR, from your human resources to your marketing department. Policies and processes need to be reviewed, altered and communicated. Privacy by design will be key.

From a wholesale registrar perspective, the impact of the GDPR in combination with domain names is relatively low.
However, the impact for you as a reseller is a massive one.
In respect to registering domain names, your company, as the data collector, sends a lot of Personally Identifiable Information (PII) all over the globe. Be it a ccTLD registration or a gTLD registration.
The GDPR will affect all of our resellers who deal with European citizens as customers even if you, as a reseller are not located in the EU.

We at Realtime Register will, however, assist you in the upcoming struggle.

Privacy protect
As you may have read in one of our previous blog posts, we will offer our privacy protect services for free for our resellers.
This will make sure that you can comply with the EU GDPR and ICANN regulations without too much hassle. We strongly suggest to evaluate your customers and see who will require this service. The easiest and safest way is to use Privacy protect by default for your customers.
For Dutch resellers, who have so-called ZZPers as customers, by law they are exempt from the demanded privacy. However, the GDPR did not take into account how these self-employed business owners should be treated, as the lines between being a professional and a natural person often cross each other.
If you make mistakes here and you forget to enable privacy protect and your customers PII is unprotected, you will be risking the high fines as mentioned earlier. Forgetting about (overlooking) a customer or customers could result in a data breach.

Currently, we are working with a leading juristically advice agency to set up a deal for several services including the new agreements and privacy statement you will need; more details will follow soon.

Some aspects of exporting PII data outside the EU and ccTLD registries (and several others) are still not clear. We will inform you about this as soon as there is more clarity on this subject.

The bottom line, when it comes concerning the GDPR to the GDPR, think twice about how you deal with PII. Be prepared the GDPR will be affecting your business in more ways than you expect.

Other geographical areas
China already introduced severe privacy laws, and companies need to comply early 2018. Overall there are over 100 countries with data protection laws, and 46 countries are currently drafting data protection laws similar to the GDPR.

It is a shame that ICANN and a lot of Registries do not support the privacy by design principle, at the moment, this would have made our lives a lot easier. Perhaps ICANN and Registries should consider the following.

On December 10, 1948 the General Assembly of the United Nations adopted and proclaimed the Universal Declaration of Human Rights.

Article 12:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

So let us be sensible about privacy.

 

 

 

 

Realtime Register Release and New Features

This page is dedicated to the relevant changes, added features and fixes of the Realtime Register front and back end. Please visit regularly to stay up to speed. The API Changes are documented in more detail on the API Docs Change Log pages and additional documentation. Please note, login is required.

26/09/2017
Improvement: Privacy Protect v2 allows transfer out without exposing registrants date. In preparation for GDPR.
Bugfix: Denic, some unsupported Unicode characters in address contacts will now give the proper error message.
Improvement: NicIT, NS check now inline with registry policy.
Improvement: NicIT, Client hold option removed.
Bugfix: Fixed check on additional properties.