Update on ICANN and WHOIS

Kevin Murphy from DomainIncite has written an excellent article about the all the ins and outs how WHOIS might look like in May this year, which you can read here.

I do not entirely agree with Kevin if privacy services are going to be free.
In the current setup, our privacy proxy service still has added value when it comes to spam prevention.
I think it is more accurate, that if ICANN no longer requires personal data to be displayed in the WHOIS the need use a privacy service to prevent such display of personal data becomes obsolete, after all that is what a privacy service does, replacement of personal data from the registrant through the use a privacy proxy service.
Many data protection laws have a data minimization requirement, which is absent in the ICANN proposal. The Realtime Register privacy proxy service makes sure that such condition is fulfilled. Of course, there is a chance that ICANN will stop with the Thick WHOIS requirements, but for now, the ICANN community is not ready for such chance.

The ICANN model still requires that the organization/company field should always be displayed.
I do not agree, while it is true that companies are exempt from the GDPR, it is not up to ICANN to make the distinction here and would go against the recommendation of the ICANN PPSAI working group. This group recommended that there is no distinction between natural persons and companies when it comes to the usage of privacy proxy services. Why ICANN thinks they are in charge to make the distinction is beyond me.
In most cases, if not all, regional law or national law requires companies to publish their contact data on their website(s) NOT the WHOIS.

My advice to our customers, use our privacy service (or data protection compliance service) at all times. You can read more regarding this service here.

With ICANN 61 starting this week, we will soon know more how the WHOIS will look like. ICANN still seeking input, so some of it is subject to change, though I think we have a rough outline now on how it will look like.

 

 

GDPR and domain name resellers, 20 million reasons to read this.

Companies will face very harsh punishments for infringements under the GDPR. Art. 83 Paragraph 5 of the GDPR offers the supervising authorities the possibility of imposing fines of up to 20 million Euro or, for corporations, up to 4% of the worldwide turnover of the preceding financial year.

 

Tick tock, tick tock, goes the clock
The EU GDPR will go into effect May 25th, 2018. It looks like there is still a lot of time, but actually, there is not much time left to prep your organization for the GDPR!

Most of your company’s operations will be affected by the GDPR, from your human resources to your marketing department. Policies and processes need to be reviewed, altered and communicated. Privacy by design will be key.

From a wholesale registrar perspective, the impact of the GDPR in combination with domain names is relatively low.
However, the impact for you as a reseller is a massive one.
In respect to registering domain names, your company, as the data collector, sends a lot of Personally Identifiable Information (PII) all over the globe. Be it a ccTLD registration or a gTLD registration.
The GDPR will affect all of our resellers who deal with European citizens as customers even if you, as a reseller are not located in the EU.

We at Realtime Register will, however, assist you in the upcoming struggle.

Privacy protect
As you may have read in one of our previous blog posts, we will offer our privacy protect services for free for our resellers.
This will make sure that you can comply with the EU GDPR and ICANN regulations without too much hassle. We strongly suggest to evaluate your customers and see who will require this service. The easiest and safest way is to use Privacy protect by default for your customers.
For Dutch resellers, who have so-called ZZPers as customers, by law they are exempt from the demanded privacy. However, the GDPR did not take into account how these self-employed business owners should be treated, as the lines between being a professional and a natural person often cross each other.
If you make mistakes here and you forget to enable privacy protect and your customers PII is unprotected, you will be risking the high fines as mentioned earlier. Forgetting about (overlooking) a customer or customers could result in a data breach.

Currently, we are working with a leading juristically advice agency to set up a deal for several services including the new agreements and privacy statement you will need; more details will follow soon.

Some aspects of exporting PII data outside the EU and ccTLD registries (and several others) are still not clear. We will inform you about this as soon as there is more clarity on this subject.

The bottom line, when it comes concerning the GDPR to the GDPR, think twice about how you deal with PII. Be prepared the GDPR will be affecting your business in more ways than you expect.

Other geographical areas
China already introduced severe privacy laws, and companies need to comply early 2018. Overall there are over 100 countries with data protection laws, and 46 countries are currently drafting data protection laws similar to the GDPR.

It is a shame that ICANN and a lot of Registries do not support the privacy by design principle, at the moment, this would have made our lives a lot easier. Perhaps ICANN and Registries should consider the following.

On December 10, 1948 the General Assembly of the United Nations adopted and proclaimed the Universal Declaration of Human Rights.

Article 12:

No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.

So let us be sensible about privacy.