Data Protection/GDPR TLD Guidance Matrix

I think this is the first blog where I start with phrases like;

  • We are not done yet
  • Guidance only
  • We are not done yet
  • By no means legal advise
  • Best effort only
  • We are not done yet

While we are not done, we are trying to get this matrix as complete as possible before May 25; we do expect that we will still be updating the matrix way beyond May 25.

Back in 2016, I was under the impression that our industry would work together and come up with solutions to make things easier when it comes to the GDPR.
However, it is April 2018, ICANN is still in chaos, the EU ccTLD registries move at a glacial pace, and the ccTLD registries outside of the EU still have to figure out what the EU GDPR is.

A few months ago we came up with the idea that we should assist our customers when it comes to the GDPR.Over a thousand registries, located all over the world in many different jurisdictions, processing personal data in ways not known to us. At the time, it was like asking the question, how do you put an elephant in a car?

The answer? Put the GDPR and all the data protection laws of the world into the metadata of our API.
https://dm.realtimeregister.com/docs/api/tlds/metadata#privacy

 

At first glance, this looks very complex and confusing, just like the GDPR itself.
When you send an info request on the metadata for the name, “gdprCategory”, it will give you four values depending on the TLD.

  • EU_BASED: Registrations are under EU jurisdiction
  • ADEQUACY: Registrations are in a jurisdiction that provides an adequate level of data protection according to the EU
  • DATA_EXPORT: Registrations are in a jurisdiction without an adequate level of data protection as outlined by the EU. Fundamental rights like the right to be forgotten or erasure do not apply
  • UNKNOWN: Situation unknown

So how does this work?
As I mentioned before we still need to complete this and things are still in motion with a lot of registries, but we can tell you a few things already based on current info and predictions, as such we came up the following suggestions.

  • Caution advised
  • Use privacy protect
  • EU based, whois exposed
  • Safe, data adequacy or EU based

GDPR Advise
Let’s start with the advice called:”Caution advised.”
And be advised these are the most complex TLD’s to register.
We know that these TLDs are outside of the EU and Article 49 is most likely to be relevant for such TLD’s.
In some cases, we do not know what will happen and how the registry in that country will treat the data of your customer.

Our advice, consult a lawyer when your customer wants to register a domain name in a TLD labeled “Caution advised.”
You do not need to worry about this when this is a company registration. Companies (legal entities) are exempt from the GDPR. Make sure you do not use any personal data for such registrations.

Use privacy protect
Rather straightforward advice. We do not know what ICANN will be doing or not. With our privacy protect service you do not have to worry about the following:

  • Consult a lawyer regarding your legal requirements to register a domain name (money saver).
  • The data will not be exported to a “third country.
  • Do you need privacy shield as a legal basis or not?
  • No need to worry about “third parties” having access to your customer’s data outside of the EU.
  • If the right to be forgotten or erasure applies or not?
  • EU GDPR data minimization requirements
  • Can the GDPR data accuracy requirements be exercised or not?
  • The need to ask consent from your customer for every possible data processing (no disruption of registration flows in your shop)

Our advice, use this service whenever you can, it will save you a lot of time and hassle.

EU based, whois exposed.
These registries are EU GDPR compliant. But some of them do expose personal data in the WHOIS. Personally, I do not like this, but there can be a few legal reasons (on a member state level) that such a practice is permitted under the GDPR.
You might want to give your customers a heads-up of such practices as their perception might be different.

Safe, data adequacy or EU based.
My personal favorite.
These TLDs are GDPR compliant and do not expose personal data through the WHOIS. Hassle free; let’s hope the rest will follow soon.

Terms of Service & Privacy notice.
As an extra service, we have included links to the relevant registration contracts and privacy notices. I am aware it is not complete at the moment, but we hope to have most of it ready, before the 25th of May.
Keep in mind, so far we have seen zero new contracts from gTLD registries. I expect that we as a registrar we will have to sign over a thousand contracts just a few weeks before the 25th of May.

So check the matrix regularly to remain up to date.

More information regarding the Realtime Register Privacy Service can be located here

 

GDPR update, legal definitions and possible action items.

Below, a quick update and some information which is crucial to you as a reseller regarding the GDPR.

Privacy notice
We should have the privacy notice ready for you at the end of February.

Processing agreement
We expect to send this to our resellers at the end of February, given the vast amount of different jurisdictions and number of registries this may be delayed by a few weeks.

The processing agreement is required for your contractual agreements between you and our customers.

Legal definitions

  • ICANN, joint data controller
  • gTLD registries, joint data controller
  • ccTLD registries, data controller
  • Realtime Register (registrar), data processor
  • Reseller, data controller

Data processor
I consider Realtime Register a data processor, we process the data on behalf of you as a reseller.

Data collector/reseller
As a reseller, you collect the data from your customer(s).
From a contractual point of view, it is required you have the correct legal basis from your customer(s) to send us the data, data which we, as a registrar will transfer to the registry to register the domain name for your customer(s).

Depending on the TLD and the jurisdiction of the registry operator your legal basis will vary.
In some cases, a notice is required (easy).
In other cases, you will require consent for every piece of processing from your customer (very hard).

More information on how to obtain consent from your customer for domain name registrations can be read here. As getting consent is complex to use as a legal basis, you might want to read the following article by the UK DPA, please visit the following link

The GDPR and its impact on domain names is a very complex topic and our role as data processor is limited. So, if you are unfamiliar with the definitions above, I suggest you put in some research. A Data Protection Impact Assessment (DPIA) is a good idea to get a better understanding of which legal requirements apply to you under the EU GDPR.

More information regarding a DPIA can be found here.

When does the GDPR affect you as a reseller?
The GDPR would apply only to personal data included in the registration data of a natural person where:

  • The reseller/registrar and/or registry are established in the European Economic Area (EEA) and process personal data included in registration data;
  • The registrar/reseller and/or registry are established outside the EEA and provide services involving the processing of personal data from registrants located in the EEA; or
  • The registrar/reseller and/or registry are located outside the EEA and process non-EEA personal data included in registrations, where registry and/or registrar engage a processor located within the EEA to process such personal data.

Due to its complex nature, I will provide more info about the legal ins and out of publishing personal data in the WHOIS in another blog post.