The swing of the EU pendulum
There has been a lot of fuss lately about the Whois databases of registries and registrars "going dark" because of European data privacy law. This caused some panic in the internet community, but the situation is not as bad as it seems. Wanting to protect critical infrastructure and economies, the EU legislators included DNS industry actors in a Directive. Some are now misreading that Directive as mandating registrars and registries to maintain complete domain name registration databases. It does no such thing, and its ambiguity creates a real risk of fragmentation across the 27 national transpositions.
After ICANN finally acknowledged in May 2018 that its policies had to take European data privacy law into account, every registry and registrar around the globe swiftly redacted the public output of its Whois database. This led to an overblown panic, voiced by some vocal members of the internet community, that "Whois had gone dark".
It is undoubtedly true that this haste (ICANN adopted its Temporary Specification only eight days before the GDPR entered into application) led to the over-redaction of Whois data and left the industry in a position where no one dares to undo the redaction, for fear of disclosing data that could be considered protected. But this situation should not have driven the lobbyists and the EU legislators into the frenzy that pushed them to include DNS industry actors in a Directive aimed at protecting the European Union's critical infrastructure and economies.
Far be it from us to diminish the importance of registrars, but one has to admit that they look out of place in a list composed of electricity, oil, gas, water, air transport, rail transport, healthcare providers and the like.
This rush also showed in the drafting: the text of the infamous Article 28 (Article 23 in earlier drafts) was modified until the last minute.
As with the GDPR, this text applies to every registry and registrar offering services in the EU, wherever it is established. Entities established outside the EU must designate a representative in the Union responsible for compliance.
Unlike the GDPR, this text is a directive, not a regulation: each member state must transpose it into national law and may adapt it to local needs. Member states had to complete this transposition by 17 October 2024.
Some are (mis)reading the Directive as mandating all registrars and registries to maintain complete domain name registration databases. This unfounded interpretation comes mainly from extra-European parties hoping that NIS 2 transpositions will allow the transfer of personal data outside the EEA without a specific legitimate purpose. Anyone with a basic knowledge of data privacy law knows that the proportionality principle cannot be set aside and that a balancing test must still be carried out.
NIS 2 does indeed provide a new legitimate basis for processing, but solely in the context of protecting the DNS as critical infrastructure. It certainly does not mean that the personal data held in Whois databases will automatically be disclosed.
Furthermore, Article 28 forbids the unnecessary duplication of data processing between registries and registrars, which some gTLD registries read as a possible way to shed all registrant data and become thin registries like Verisign, which holds data about domain names but not about their holders.
As always, the main hurdle the member states, and by extension the DNS industry, will face is the drafting of uniform and coherent legislation. Given the Directive's ambiguity (the recitals run to 29 pages and the articles themselves to 32), the risk of fragmentation among the 27 national transpositions is very high.
Although the Directive has not yet been transposed, EU national registries are already trying to anticipate the obligations it will create, and their predictions are somewhat at odds.
The Dutch registry (.NL) seems to believe that merely validating registrant email addresses will be enough, as is done for gTLDs. In contrast, the Estonian and Danish registries see it as vindicating their existing validation procedures based on electronic ID schemes. The reality, however, is that only 14 of the 27 Member States have functional electronic ID schemes, and those only work on their own national territories.
Complete harmonisation is only possible, and only desirable, if the member states leave registries and registrars some leeway to validate registrant data as circumstances dictate. National legislators should therefore set floor obligations, not ceiling obligations, for data validation. Data accuracy is undoubtedly essential, but there is no reason to add bureaucracy that can widen the digital divide and weaken the competitiveness of the European market without any evidence that it improves cybersecurity.
So let's not shoot ourselves in the foot: the goal should be a balance between data accuracy and unnecessary bureaucracy.