GDPR: The Nightmare on ccTLD Street
Posted in: Domain Names at 28/02/2018 22:29
The looming start date for the General Data Protection Regulation (GDPR) on 25 May is creating nightmares, even havoc, for many businesses, not just in Europe but anywhere a business collects data on citizens of the European Union. And ccTLD registries are among those facing problems in how to deal with its implementation.
“The GDPR”, says nic.at’s CEO Richard Wein, “is the biggest change in policy and procedures in the domain name community in many years. While EPP was a big change, it happened over time and there were no rigid deadlines, but change was smooth and happened quickly.”
The GDPR, which has been developed by the European Parliament, the Council of the European Union and the European Commission, is a regulation that applies to any business that collects and stores data on citizens of the EU, even if the business is not in Europe. Its goal is to give individuals more control over the data that is collected and to harmonise data protection laws across the EU.
Its introduction, which includes stiff penalties for those that don’t comply, could easily have come about because “industry didn’t act”, something Maarten Botterman, ICANN Director and Chair of the Dynamic Coalition, pondered last Thursday on day one of the Domain Pulse conference in Munich in front of the record 450 attendees.
Whether Botterman’s suggestion is correct or not, and he didn’t categorically state if he believed this to be true, businesses have to act. One industry that is facing some major changes is the domain name industry. In the case of ccTLD registries across Europe, some believe it was a perfect time for them to work together, possibly under the umbrella of CENTR, the association of European country code top level domain (ccTLD) registries, and to implement a universal solution that would mean them pooling resources and allowing registrars to implement one solution for all or most ccTLD registries. However, there are 28 countries within the European Union, each with their own ccTLD. And pretty much each one has gone on their own to develop a solution.
For gTLD registries, finding a final way of dealing with the GDPR means waiting for ICANN to develop a solution. And that seems at least months away. It was only in January this year that ICANN published 3 options on how to deal with the WHOIS data collected by generic top level domain (gTLD) registries. A webinar was held in early February, and the topic is to be a major discussion at ICANN’s 61st public meeting to be held in San Juan, Puerto Rico, from 10-15 March. The gTLDs have to consider the requirements in their contracts with ICANN, which currently don’t comply with the GDPR. The ccTLDs, though, only have to consider national and European laws. And the GDPR won’t just apply to ccTLDs within the European Union. It will apply to any top level domain registry with registrants in Europe.
“The opportunity for the ccTLD registries across Europe to work together and propose one solution was a missed opportunity,” said Wein from the Austrian ccTLD registry, speaking to Domain Pulse following a registry panel discussion on GDPR at the Domain Pulse conference (the Domain Pulse blog and conference are unrelated) last week.
“Every ccTLD appears to be doing something different, even if very slightly, and it’s a pity that the industry couldn’t develop one standard. It will mean registrars will have to implement 10, 20, maybe even 28, different solutions depending on how many ccTLDs for EU countries they sell. The situation is a nightmare.”
“Then there comes the problem with no WHOIS available to law enforcement, government bodies and brand protection. How can they get the registrant information? Registries are not allowed to give out information such as to the police without a good reason. Potential buyers of a domain name will have no way of contacting the registrant unless their details are provided on the website. While under the law of many countries, including Austria, the website owner is required to provide information about who owns the website, it is difficult to verify if this is correct, and will be next to impossible when the GDPR comes into effect.”
“When there’s a request for WHOIS information from law enforcement, for example,” Wein continues, “it will require someone at nic.at to manually check that the required authorisations such as a court order are in place and then to provide the information. Currently enquiries are machine-to-machine, but from 25 May it will be human-to-human and only available in business hours. It will mean a change of procedures and in many cases be much slower.”
To deal with GDPR, nic.at’s solution leaves WHOIS availability unchanged for businesses, while the details of all individuals will not be made public. For Austria’s neighbours in Germany, however, DENIC will mask all WHOIS information, for businesses as well as individuals.
The implementation, says Wein, will “lead to more bureaucracy” and require an investment in resources, possibly even the hiring of additional staff.
“For registrars, they’ll need to implement solutions for every individual ccTLD registry. And the worry is that many, particularly smaller ones, may not even know what’s required, let alone know how to implement the solutions. We held a registrar day recently and when we asked about GDPR, only 7 out of our 70 registrars attending said they knew what was involved.”
While Wein believes the idea behind the GDPR to protect the data of individuals is a good thing, the implementation is another issue. Wein says “there should be a simple and quick way for businesses to collect information, and certain information like Admin A should be publicly available. It’s an overreaction from its basic intention. And it will cost businesses to fulfil the obligations.”