Update on publication of personal data in the WHOIS / RDS

There has been a considerable debate whatever ICANN will enforce the contractual agreement between registrars and registries to display personal data in the WHOIS.

Publication of personal data in the WHOIS is usually in conflict with many data protection laws around the world.

The EU GDPR and its substantial non-compliance fines seem to sway the discussion into a direction where ICANN needs to come up with solutions. And they did: ICANN published several models that propose to limit the publication of personal data in the WHOIS. The next step is that the ICANN community analyzes these models.

The models created by the ICANN Organisation can be viewed through the link below.

interim-models-gdpr-compliance-12jan18-en

All the models published by the ICANN community are posted here.

The end of WHOIS?
The models proposed by the ICANN organization have limited personal info published in the WHOIS the two other models no longer publish personal data in the WHOIS.

The ECO model also has in common that there is no personal data published in the WHOIS.

So ultimately I think we are heading to a solution where registries and registrars no longer will publish person data in the WHOIS.
All models continue their support for data transfer to registries. In my opinion, this does not meet the EU GDPR data minimization principle, which I will explain in a future blog post.

Most beautiful model?
All models are not perfect, and to be used as a solution the following are of key importance.

  • Flexibility
  • Implementation time frame.

In my opinion, the ECO model fits those requirements.
In addition to this, the ECO model has the largest industry support, which is key critical for mass adoption.

The end of privacy protection services?
Should you still use the Realtime Register privacy protect service even when there will be no personal data published in the WHOIS in May 2018?
The short answer is, yes.

All proposed models might tackle the WHOIS issue; it does not address the issue of possible data breaches, increased legal requirements for you as a reseller, and other areas of GDPR noncompliance. Our privacy service does that, though perhaps we should rename our privacy service to Data Protection Compliance Services (DPCS).

Interim solutions.

Keep in mind the solutions proposed are interim solutions, I would urge the ICANN community to band together and start working on real lasting solutions, rather than attacking interim solutions.

Realtime Register is a supporter of the ECO model.

 

GDPR update, legal definitions and possible action items.

Below, a quick update and some information which is crucial to you as a reseller regarding the GDPR.

Privacy notice
We should have the privacy notice ready for you at the end of February.

Processing agreement
We expect to send this to our resellers at the end of February, given the vast amount of different jurisdictions and number of registries this may be delayed by a few weeks.

The processing agreement is required for your contractual agreements between you and our customers.

Legal definitions

  • ICANN, joint data controller
  • gTLD registries, joint data controller
  • ccTLD registries, data controller
  • Realtime Register (registrar), data processor
  • Reseller, data controller

Data processor
I consider Realtime Register a data processor, we process the data on behalf of you as a reseller.

Data collector/reseller
As a reseller, you collect the data from your customer(s).
From a contractual point of view, it is required you have the correct legal basis from your customer(s) to send us the data, data which we, as a registrar will transfer to the registry to register the domain name for your customer(s).

Depending on the TLD and the jurisdiction of the registry operator your legal basis will vary.
In some cases, a notice is required (easy).
In other cases, you will require consent for every piece of processing from your customer (very hard).

More information on how to obtain consent from your customer for domain name registrations can be read here. As getting consent is complex to use as a legal basis, you might want to read the following article by the UK DPA, please visit the following link

The GDPR and its impact on domain names is a very complex topic and our role as data processor is limited. So, if you are unfamiliar with the definitions above, I suggest you put in some research. A Data Protection Impact Assessment (DPIA) is a good idea to get a better understanding of which legal requirements apply to you under the EU GDPR.

More information regarding a DPIA can be found here.

When does the GDPR affect you as a reseller?
The GDPR would apply only to personal data included in the registration data of a natural person where:

  • The reseller/registrar and/or registry are established in the European Economic Area (EEA) and process personal data included in registration data;
  • The registrar/reseller and/or registry are established outside the EEA and provide services involving the processing of personal data from registrants located in the EEA; or
  • The registrar/reseller and/or registry are located outside the EEA and process non-EEA personal data included in registrations, where registry and/or registrar engage a processor located within the EEA to process such personal data.

Due to its complex nature, I will provide more info about the legal ins and out of publishing personal data in the WHOIS in another blog post.