About Theo Geurts

CIPP/E Contractual Compliance and Privacy Officer at Realtime Register B.V.

Brexit & Domain Names, recipe for Chaos?

The short answer is no, depending on the scenario.

While there are many Brexit experts, their views and opinions are not helping when it comes to making business decisions. When it comes to predictions, it might be even better to check the British bookmakers and get a sense of the betting odds if there will be a Brexit or not.

 

However, we can make a few assumptions when it comes to domain names and the Brexit, let us assume the worst scenario; hard Brexit, as in no deal.

The issue
In case of a, no deal Brexit currently slated for March 30th would deem the UK as a third country from a GDPR legal perspective. And it will not come as a surprise for most that the GDPR has a whole set of rules when it comes to data export outside of the EEA, which you can read here.

Transition  Period
There is the option that the Commission will issue some kind of emergency legislation which allows for a smaller transition period as it will be only a few months. Which is not a lot but might mitigate some of the issues.

Solution
You usually have a set of options to transfer data outside of the EU.
Adequacy decisions, data subject consent, public interest, etc.
With domain names, the options become limited due to various reasons.
The most logical solution is the use of standard contract clauses, sometimes called model clauses.
Nominet and applicable gTLD registries would include these standard contract clauses in their contracts which you as a reseller a solid legal basis when it comes to domain name registrations and transferring data to the UK.

Affected TLDs due to the Brexit

.cymru Nominet
.wales Nominet
.blog Knock Knock WHOIS There LLC
.abogado MMX
.bayern Bayern Connect GMBH/MMX
.beer MMX
.boston Boston TLD Management LLC /MMX
.bradesco Banco Bradesco S.A./MMX
.budapest MMX
.casa MMX
.cooking MMX
.dds MMX
.fashion MMX
.fishing MMX
.fit MMX
.garden MMX
.gop Republican State Leadership Committee Inc./MMX
.horse MMX
.law MMX
.london Dot London Domains Ltd./MMX
.luxe MMX
.miami MMX
.rodeo MMX
.surf MMX
.vip MMX
.vodka MMX
.wedding MMX
.work MMX
.yoga MMX
.broadway Celebrate Broadway Inc.

And last but not least, .UK and .CO.UK.

In the above scenario where domain name resellers or registrars in the EU register domain names in the UK for their customers who are in scope of the GDPR (art 2&3), there seems to be plenty of time and not much to worry about.

The not so clear scenario
It becomes very complicated when you create scenarios with domain name resellers in the UK also dealing with customers from the EU, registering domain names in China or Russia or the USA using a domain name registrar located in Europe.
It goes beyond the scope of this article to flesh out every scenario to the core or the bone.

A pragmatic approach to deal with this scenario or other scenarios could be mapping each data flow and check what legal basis you have used pre-Brexit.

Did you use EU adequacy decisions as a legal basis, can you still use them?
Was the legal basis consent? Do you need to update such approval?
If Privacy Shield is the legal basis to transfer data to the USA what are the options?
Even with a transition period, there is much ground to be covered. If there will be no transition period options will be very limited.

The when Satan will ice skate to work scenario
If the ICANN EPDP workgroup who are currently struggling with the EU GDPR would recommend that thick whois registries are a thing from the past and no longer there is a need to send personal data to the registry, then there is of course in the case of gTLDs no issue at all, let alone you require a legal basis.
The EPDP team final report is slated for February 1. The ICANN board would have to accept such recommendations and undo a decision they made in 2012 when they decided all registries should operate a thick whois.
Given the divide within the EPDP team, I doubt we will see much solid recommendations, let alone a speedy process of implementation.

For more information and tools on data protection in combination with the Brexit please visit the ICO website.

Brexit, and the impact on .EU domain names, sound the alarm?

Update 04-01-2019

The British government issued further guidance regarding the Brexit and Eurid.

Click here to view the guidance and scenarios.

Update 05-11-2018

It seems very likely the two scenarios posted below are the most likely outcome as we quickly move towards the deadline of 29th of March 2019.

(1) If the UK exits the EU and becomes a temporary member of the European Economic Area (EEA) there will be no issue until the duration of such membership.

(2) If however, it turns out to be a “hard Brexit” or “no deal Brexit” than registrars are no longer in a position to service UK registrants for .EU domain names. Please read the below article if the situation is applicable to you as a reseller.

I do not think it is time to sound the alarm yet, but some caution and some thinking ahead of the Brexit might be advised when it comes to .EU domain names and Brittish registrants.

Who will be affected?

Organizations that are established in the United Kingdom but not in the EU and natural persons who reside in the United Kingdom.

Impact

The above-listed persons or organizations will no longer be eligible to register .eu domain names or, if they are .eu registrants, to renew .eu domain names registered before the withdrawal date. Accredited .eu Registrars will not be entitled to process any request for the registration of or for renewing registrations of .eu domain names by those undertakings, organizations, and persons.

Relevant dates

Measures are effective as from 1 January 2021 or, in case that there was no withdrawal agreement in force prior to 30 March 2019, as from 30 March 2019. Negotiations are ongoing with the United Kingdom and the EU to come up a withdrawal agreement.

What to do?

At the moment there is little information to go about. The latest status update can be located here, we urge our customers to check this website often for more information.

If the EC really wants to push through remains to be seen, given the current status between the UK and the EU it looks pretty grim. It is advisable to contact high profile customers (if you have them) who have a .EU domain name and match the criteria mentioned earlier on.

A possible solution for Brittish registrants is to update the domain names via their European (non-UK) address (if available). We highly advise against the use of proxy solutions as they are in violation of Eurid’s terms and conditions. One can expect that after the Brexit, Eurid might monitor affected domain names and enforce their terms and conditions.

Using incorrect registrant information is always ill-advised and a violation of Registrar and Registry terms and conditions.

Registration changes for .ES and new contractual obligations for our resellers.

And it is not going to get easier for sure.

At the moment we run a validation process, this process also makes sure that there is a registration contract between Realtime Register, Esnic and the registrant, as required by the registry. An easy process for you as a reseller.

However, with the GDPR and some local laws in Spain which go beyond the original purpose of domain name registrations, the contractual requirements for the registrant and reseller increased in such a manner that we are no longer in a position to create such contracts for our resellers in a one size fits all solution.

As a result, we pass this obligation to our resellers once more for .ES domain names to ensure maximum flexibility for your registration processes towards your customers.

However, the changes made by Esnic require that you obtain explicit consent from your customer/registrant for several obligations. Below is a sample provided by Esnic.

template-resellers

The template is for reference purposes only. In addition to this registrants will need to enter into a registration contract with Esnic, which is located here.

We urge our resellers to create registration agreements as suggested by Esnic. Not having a registration contract regarding .ES is not an option as Esnic processes personal data in a different manner compared to other EU registries and beyond the primary purpose of domain name registrations.

Update since 11-10-2018 we are no longer validating .ES registrant contact handles.

Privacy by default account setting.

Today we introduce a new account setting called:”Default Privacy Protect setting”, which you can access by clicking here.

Setting disabled.

When selected, domain name registrations and transfers will not use our privacy service automatically. This is how it used to work for years.

Setting enabled when free (and available)

When enabled all domain name registrations and transfers will automatically use our privacy service. Regardless if you use WHMCS, our API or the domain name manager.

A list of available TLDs that can be used for this service is located here.

We keep recommending this service as it is unknown if gTLD registries will continue to publish the data in the WHOIS or not. Several large gTLDs will no longer publish the WHOIS, similar to how we will operate our WHOIS server. But some of them most likely will keep publishing registrant data.

Enabled (when available)

Same as above but also will use privacy services that are not free of charge. Please check the price list in your account if that is the case.

Registration

When you register a domain name you can override your account settings if required. Select the desired action from the drop-down menu.

Current Customers.

At the moment the default setting is not active, as mentioned earlier. Due to the new ICANN contractual regulations that have been rushed out of the door on 17-05-2018 this week, we are reviewing the option to turn this on for all customers. I apologize in advance for any inconvenience this may cause.

Post GDPR gTLD Transfers

Update: 25-05-2018

The procedure below is now live as per the ICANN temporary spec. I observe that not every Registrar was aware of the below situation. If you cannot transfer out your domain name(s) advise the gaining registrar to stop parsing WHOIS data and trying to send FOA emails to the registrant or admin contact, this will no longer work.

 

The new procedure has been communicated last week by ICANN to all registrars. To view this communication click here,

 

 

As mentioned in a previous blog the WHOIS will change drastically over the next few weeks.

At the moment when you start a transfer through the API or domain manager, our system sends an FOA to the registrant or the admin contact based on our contractual ICANN requirements. Once the FOA has been approved by one of the above contacts the transfer is requested at the registry,

 

Transfer solution post-GDPR

We will no longer send the incoming FOA, the auth code is sufficient to request the transfer on a registry level.

The losing registrar will still be required to send the outgoing FOA, the registrant can agree or decline the request. If there is no response from the registrant the transfer will be processed automatically after 5-7 days unless the losing registrar not acknowledges the transfer and cancel the transfer on their side.

Domain names that are set to transfer prohibited will not be transferred, if your customer wishes to transfer in or out, the transfer lock needs to be removed prior to the transfer. We recommend setting your domain names to transfer prohibited and regularly change the auth-codes for the domain names under your management for security reasons.

The above-described transfer process should not be to complex for most resellers, as it works somewhat similar how the larger ccTLD registries operate.

Recommended domain name security reading

A Registrant’s Guide to Protecting Domain Name Registration Accounts a report from the ICANN Security and Stability Advisory Committee (SSAC)

SSAC Advisory on Registrant Protection: Best Practices for Preserving Security and Stability in the Credential Management Lifecycle

Domain theft?

Though at first glance it seems the above changes might lead to more domain theft. This is counter mitigated due to the fact that the WHOIS info will no longer contain registrant data and email addresses. This info is usually an attack vector for hackers who steal domain names, with this attack factor no longer in play we expect to see fewer cases of domain theft.

Key transfer changes post GDPR summary.

  • Transfers will continue to require a valid authorization code; just like EU ccTLDs
  • The gaining registrar will no longer be required to send a Form of Authorisation (FOA) to the registrant, again most likely there is no WHOIS info to create one.
  • The losing registrar will continue to send an FOA (aka outgoing FOA) that allows the registrant or admin contact to ACK (acknowledge) or NACK (not acknowledge) the transfer;
  • If there is no action/response, the transfer will auto-ACK by the registry after five days from initiation of transfer;
  • Registration information will not be transferred as part of the IRTP-C, registrants will independently re-enter transfer information with the gaining registrar. This will include entering into a registration agreement with the new registrar as it is now.