Domain privacy conflict fuels GDPR WHOIS incompatibility
The EU General Data Protection Regulation offers greater protection to citizens but is creating problems for registries obliged to follow certain ICANN rules that weren't designed with domain privacy concerns in mind. Luc reports from ICANN 60 in Abu Dhabi on what ICANN is doing to ensure GDPR privacy protocols are respected.
GDPR necessary but causing headaches
No matter where you reside, you must be familiar with those four letters driving every business in Europe into a state of panic and putting a large €-shaped smile on every lawyer’s face.
I am, of course, talking about the EU’s GDPR, the General Data Protection Regulation.
Adopted in April 2016, GDPR becomes enforceable on May 25, 2018, after a two-year transition period. Applicable to every EU member state, this regulation aims to strengthen and harmonise procedures for ensuring European resident data protection.
While its intent is laudable and - in the opinion of yours truly - needed in a society where personal data is becoming more valuable than gold (Instagram, WhatsApp, and Waze acquisition prices were all based on user numbers, not revenue), it seems that for once legislation was pushed through too quickly. In fact, it appears that the data protection agencies in charge of both monitoring GDPR compliance and issuing fines when it is breached have been taken by surprise and are still trying to determine how best to implement this new regulation.
Making sense of GDPR
To better understand the problems associated with GDPR, consider this:
Any online service, including domain name registration, requires you to provide certain personal data. Without this data, the domain name system would be unstable and lawless.
Indeed, when EuroDNS registers a domain on your behalf, we need to know who you are, both to invoice you and to record that the domain name belongs to you. This record is kept in a database called WHOIS, which allows any interested party to check “who is” the registrant of a given domain name. That this database is publicly available without any limitations is the main problem the industry must solve before it can comply with GDPR.
It's worth noting here that EuroDNS does offer a domain privacy option which replaces personal details with proxy contact information in the WHOIS database; however, registrants are not required to utilise this service and not all registrars even offer the option. Either way, this is incompatible with an overarching principle of the GDPR: privacy must be a default setting rather than an opt-in.
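To make the difference between the two models concrete, here is an added example (not EuroDNS's code) contrasting an opt-in privacy service, which only swaps in a proxy contact when the registrant buys it, with a privacy-by-default policy that withholds a natural person's personal data unless they explicitly consent to publication. The field names, the proxy contact and the natural-person distinction are assumptions made for illustration.

```python
"""Two WHOIS publication policies (constructed example): opt-in privacy
service versus GDPR-style privacy by default."""
from dataclasses import dataclass

# Assumed split of a WHOIS record into personal and operational fields.
PERSONAL_FIELDS = ("name", "street", "phone", "email")
OPERATIONAL_FIELDS = ("domain", "registrar", "created", "nameservers")
REDACTED = "REDACTED FOR PRIVACY"
# Constructed proxy contact a privacy service would publish instead.
PROXY_CONTACT = {"name": "Privacy Service (proxy)", "street": "PO Box 1 (proxy)",
                 "phone": "+000 000000", "email": "proxy@example.invalid"}


@dataclass
class Registration:
    domain: str
    registrar: str
    created: str
    nameservers: tuple
    contact: dict                   # the registrant's real personal data
    natural_person: bool = True     # GDPR protects natural persons (assumption)
    privacy_service: bool = False   # paid opt-in (pre-GDPR model)
    consent_to_publish: bool = False  # explicit opt-in (privacy-by-default model)


def _operational(reg):
    """Fields the system needs and that carry no personal data."""
    return {f: getattr(reg, f) for f in OPERATIONAL_FIELDS}


def whois_opt_in(reg):
    """Publish full details unless the registrant bought the privacy service."""
    view = _operational(reg)
    view.update(PROXY_CONTACT if reg.privacy_service else reg.contact)
    return view


def whois_privacy_by_default(reg):
    """Redact a natural person's details unless they explicitly consented."""
    view = _operational(reg)
    if reg.natural_person and not reg.consent_to_publish:
        view.update({f: REDACTED for f in PERSONAL_FIELDS})
    else:
        view.update(reg.contact)
    return view


def leaks_personal_data(view, reg):
    """Check: does any real personal value appear in the published view?"""
    return any(f in reg.contact and view.get(f) == reg.contact[f]
               for f in PERSONAL_FIELDS)
```

The `leaks_personal_data` check is the kind of assertion a registry could run over its published output to confirm the default really is private.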
Divide and draft: how ICANN is working towards GDPR compliance
The ICANN Community has been aware of this privacy issue since before GDPR was adopted, but as is always the case with the multi-stakeholder model, the policy development process is advancing at the pace of a snail (mmm, yummy!). A working group, whose goal is to create a next-generation RDS (Registration Directory Service) to replace WHOIS, was formed in January 2016. However, there is no chance it will be able to produce anything the industry could implement by the May 2018 implementation date.
At ICANN 60, this working group reported that the number of members contributing to the effort was so great (130+) that it has had to break into smaller, more manageable sub-drafting teams, each tasked with working on specific issues.
Of course, moving forward, the top issue for the group will be defining what legitimate purpose the WHOIS database has and will continue to have in the future.
As Kevin Murphy details more fully in his excellent blog post - worth the read if you ignore our competitors’ ads - the Dutch registries behind .Amsterdam and .FRL chose to comply with GDPR the hard way. They anonymised the details of every individual in their WHOIS database, a move we've already seen the .CAT and .TEL registries take. However, unlike those registries, both of which first requested ICANN approval, the two Dutch registries took action without ICANN's consent.
This, of course, provoked the ire of ICANN’s compliance department who sent a breach notice to the Dutch registry.
During ICANN 60, a well-timed letter from the Dutch Data Protection Agency arrived to confirm that the current WHOIS policy does not comply with GDPR as it does not specify limitations to the publication of personal data.
This prompted ICANN's General Counsel to send its own reply, stating that neither registry was considered in breach but that both were, instead, working to find a solution with ICANN.
Europe leading the way toward greater domain privacy
It’s not easy to balance the needs of law enforcement agencies, cybersecurity firms, researchers, domain brokers – and ensure every registrant’s right to domain privacy. (Although it is worth noting that many ccTLD registries - .FR, .EU, and .IT for example – have managed to create a balanced system.)
Accomplishing this will require a change of culture by registries and registrars who will need to adopt a so-called “privacy-by-design” frame of mind when establishing procedures that ensure privacy.