The European Union’s General Data Protection Regulation (GDPR) came into effect on 25 May 2018 and has taken the domain name industry by storm, with domain registrars, registries and ICANN scrambling to stay on the safe side of the law. The key players in the domain name industry have reacted in diverse ways, based on their own interpretation of the regulation. GDPR is having a tsunami-like effect on the DNS industry.
At the core of GDPR is data privacy. GDPR (EU) 2016/679 is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. Domain WHOIS is all about providing public access to domain registration data. Domain ownership (full contact details), registration date, expiry date and other information have been made public for decades now and could be accessed by anyone anywhere doing a simple search.
How ICANN has reacted to GDPR
GDPR was adopted on 14 April 2016, with implementation set back then for 25 May 2018. ICANN has undertaken a lot of activity around shaping its policies to accommodate the EU regulation.
Indeed, ICANN had been in communication with the EU regarding GDPR. A recent pushback from the European Commission’s Article 29 Data Protection Working Party (WP29) regarding ICANN’s temporary proposals is publicly available [PDF].
The Registration Data Access Protocol (RDAP) was developed by the Internet Engineering Task Force to eventually replace the dated WHOIS protocol. This new protocol is superior to WHOIS in terms of data access security, support for international characters, extensibility, and in the standardization of query, response and error messages. The RDAP gTLD Profile maps ICANN policy and contractual requirements onto technical requirements in order to standardize directory services across gTLD contracted parties.
An RDAP pilot program, which will conclude on 31 July 2018, is currently underway. RDAP among other features provides the option to enable differentiated access. For example, it offers limited access to anonymous users and full access to authenticated users. Authenticated users would include law enforcement who need full access to domain ownership data in the course of their criminal investigations.
In order to maintain contractual compliance with its Registry and Registrar Agreements, the ICANN Board of Directors on 17 May 2018 adopted by resolution the Temporary Specification for gTLD Registration Data. The Temporary Specification provides a single, unified interim model that ensures a common framework for handling registration data, including registration directory services (e.g. WHOIS). It aims to ensure the continued availability of WHOIS to the greatest extent possible while maintaining the security and stability of the Internet’s system of unique identifiers.
How some Domain Registries have reacted to GDPR
CentralNic & GDPR
A notable mention is CentralNic Group PLC [LON: CNIC]. While not a registry in the strict sense of the word, the publicly traded company is a domain registry service provider and serves as the technical/billing backend for dozens of new gTLDs and ccTLDs, and by extension powers over 5 million domain names. CentralNic has drastically reduced the amount of information displayed in WHOIS records to only the barest minimum. The company had published a document [PDF] outlining “How the GDPR Will Affect the CentralNic Registry System” before the regulation came into force.
The change by CentralNic has affected the WHOIS data for some 45 new gTLDs including .xyz, .website, .online, .design and .space.
ZACR & GDPR
The ZA Central Registry (ZACR) is the South African domain registry that manages the .za namespace (ccTLD for South Africa) as well as some South African city gTLDs (.joburg, .capetown and .durban) and the continental .africa extension. ZACR is Africa’s largest domain registry with over 1.2 million domain names under its management as of June 2018.
ZACR’s change to WHOIS data is not unlike that of CentralNic. Most registrant data are simply redacted with a message: “Please query the RDDS service of the Registrar of Record identified in this output for information on how to contact the Registrant, Admin or Tech contacts of the domain name.”
The changes have already been implemented on .co.za, .net.za, .org.za, .web.za, .durban, .capetown, .joburg and .africa.
Donuts Inc. is a domain name registry with a portfolio of 239 new generic top-
Council of Country Code Administrators (CoCCA) is an internet infrastructure support company. It develops, maintains and supports domain registry software that is used by the managers of some 59 top-level domain registries.
CoCCA has since updated its registry software to make it compliant with GDPR.
Considering that the CoCCA software powers dozens of TLDs, the update makes compliance with GDPR easy for CoCCA-powered ccTLDs that are open to registration globally.
CoCCA also offers a shared infrastructure for some ccTLDs.
The principle of data minimisation, where only personal data that is adequate, relevant and necessary is collected, retained and disclosed, has been adopted by the TLD managers using CoCCA shared infrastructure: .af, .cx, .gs, .gy, .ht, .hn, .ki, .kn, .sb, .tl, .kn, .ms, .nf.
Regarding data collection, part of the principle adopted states:
only registrant contact details are required; administrative, technical and billing contacts are optional.
Regarding data disclosure, part of the principle states:
If a data subject is an EU resident or a non-EU resident who uses an EU registrar (or one of their resellers), personal data will be redacted from publicly available interfaces. For the avoidance of confusion, personal data will be redacted based both on the declared address of the contact and the location of the registrar.
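To make two of the mechanisms above concrete, the differentiated access that RDAP offers (anonymous versus authenticated users) and the CoCCA redaction rule just quoted, here is an added Python example; it is not code from RDAP, ICANN, ZACR or CoCCA. It applies the rule to a constructed, simplified RDAP domain response (jCard contacts) and returns the full record only to an authenticated client; the EU country list, the "REDACTED" placeholder, the remark title and the function names are assumptions made for this example.

```python
import copy

# EU member states (ISO 3166-1 alpha-2) as of 2018; assumption made for this example.
EU = {"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU", "IE",
      "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE", "GB"}
PERSONAL = {"fn", "adr", "tel", "email"}   # vCard properties treated as personal data
NOTICE = ("Please query the RDDS service of the Registrar of Record identified in this "
          "output for information on how to contact the Registrant, Admin or Tech "
          "contacts of the domain name.")

# Constructed RDAP domain response (jCard contacts), not a real record.
SAMPLE = {"objectClassName": "domain", "ldhName": "example.co.za", "entities": [
    {"roles": ["registrant"], "vcardArray": ["vcard", [
        ["version", {}, "text", "4.0"], ["fn", {}, "text", "Jane Doe"],
        ["adr", {}, "text", ["", "", "1 Example St", "Berlin", "", "10115", "DE"]],
        ["email", {}, "text", "jane@example.com"]]]},
    {"roles": ["technical"], "vcardArray": ["vcard", [
        ["version", {}, "text", "4.0"], ["fn", {}, "text", "Ops Team"],
        ["adr", {}, "text", ["", "", "2 Example Rd", "Cape Town", "", "8001", "ZA"]],
        ["tel", {}, "uri", "tel:+27-21-000-0000"]]]}]}

def contact_country(entity):
    """Country code from the contact's jCard 'adr' property (last element), or None."""
    for prop in entity.get("vcardArray", ["vcard", []])[1]:
        if prop[0] == "adr" and isinstance(prop[3], list):
            return prop[3][-1].upper() or None
    return None

def must_redact(entity, registrar_country):
    """CoCCA-style rule: redact when the contact or the registrar is in the EU."""
    return contact_country(entity) in EU or registrar_country.upper() in EU

def redact_entity(entity):
    """Replace personal jCard values with a placeholder and attach the referral notice."""
    vcard = entity.setdefault("vcardArray", ["vcard", []])
    vcard[1] = [p if p[0] not in PERSONAL else [p[0], p[1], p[2], "REDACTED"]
                for p in vcard[1]]
    entity.setdefault("remarks", []).append(
        {"title": "Redacted for privacy", "description": [NOTICE]})
    return entity

def render(response, registrar_country, authenticated=False):
    """Differentiated access: full record for authenticated clients, redacted otherwise."""
    out = copy.deepcopy(response)          # never mutate the stored record
    if not authenticated:
        out["entities"] = [redact_entity(e) if must_redact(e, registrar_country) else e
                           for e in out.get("entities", [])]
    return out
```

With a South African registrar, only the Berlin registrant is redacted for anonymous queries; with a German registrar, every contact is, matching the quoted rule that both the contact's address and the registrar's location count.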
A Registrar’s GDPR dilemma
EPAG is an ICANN-accredited domain registrar based in Bonn, Germany. EPAG has to balance compliance with its ICANN contractual obligations against compliance with GDPR.
ICANN took German Domain Registrar EPAG to court
EPAG had informed ICANN that it would no longer collect administrative and technical contact details because it believes doing so would violate GDPR. ICANN’s Temporary Specification for WHOIS, however, states that accredited registrars must continue to collect that information even though they are not required to display it publicly in WHOIS. The impasse led to ICANN taking EPAG to court to seek an injunction that would force EPAG to comply with its contract with ICANN.
The Court ruled recently and has determined that it would not issue an injunction against EPAG.
In rejecting the injunctive relief, the Court ruled that it would not require EPAG to collect the administrative and technical data for new registrations. However, the Court did not indicate in its ruling that collecting such data would be a violation of the GDPR. Rather, the Court said that collecting the domain name registrant’s data should suffice to safeguard against misuse and to address the security aspects connected with the domain name (such as criminal activity, infringement or security problems).
Domain WHOIS Privacy Services
Domain WHOIS privacy is an optional add-on service offered by some gTLD name registrars. A user buys privacy from the company, which in turn replaces the user’s contact information in the published WHOIS record.