geoTLD group chair Sebastien Ducos and vice-chair Dirk Krischenowski attended the public consultation of the brand new GDPR Domain Industry Playbook by eco (Association of the Internet Industry) at the representation of the German federal state Lower Saxony to the European Union in Brussels. About 25 participants from Europe and the US were present and contributed to the mixed presentation/workshop event which was an excellent format to work on the topic. Thomas Rickert from eco presented the eco Playbook and moderated the event.
The General Data Protection Regulation (GDPR) poses a challenge for the Registries, Registrars, Resellers and ICANN. By May 25, 2018, all parties need to be compliant, which means that not only contracts need to be reviewed, but also technical systems need to be revisited. To date, various legal memoranda have been shared and several parties have worked on their own compliance, but no industry-wide proposal has been published that allows for a discussion of the respective roles and responsibilities of the parties involved as well as a review of data flows. The Playbook will facilitate the process of finding a commonly adopted data model to allow for compatibility of the technical, organizational and legal models the parties will use.
The Registrant Data Discussion
A significant part of the discussion concerned the question of whether the Registrars are still going to provide the Registries with the full Registrant data set (owner, admin and tech data) as their contracts with ICANN and the Registries demand. There was a strong opinion among the Registrars present at the meeting (some of the top 5 globally): With GDPR in place we will no longer forward the domain name registration data to the Registries, as they do not need them to maintain their Registry function.
It seems that the Registrars are trying to use the GDPR to wipe out a decade-long multi-stakeholder discussion and consultation in the Internet Community which resulted in the Thick Whois for all gTLDs. One reason why Thick Whois was introduced is the fact that, year by year, ICANN terminates dozens of bad actor Registrars that go bankrupt or simply out of business, sometimes leaving millions of Registrants in the dark. Only thanks to those Registries which maintain a Thick Whois is the damage limited. The bad actor Registrar problem will likely not be solved mid-term. Nor will the new Thick Whois be quickly overruled in favour of Thin Whois again, even with the GDPR.
At present, the subparagraphs of the GDPR allow for transferring Registrant Data to the Registry if there is (a) Consent, for (b) Performance of a contract and for (c) Legitimate Interests. Let’s focus on the Legitimate Interest, as (a) and (b) are somewhat tricky or literally possible. If a Registry demonstrates compelling legitimate grounds which override the interests, rights and freedoms of the data subject, or grounds for the establishment, exercise or defence of legal claims, then the Registrant data would also be given to the Registry.
Justifiable Legitimate Interests of Registries
At the meeting in Brussels, representatives of Registries and Registrars discussed the diverging interests regarding the Registrant data, but it emerged that there are a number of good reasons and legitimate interests according to the GDPR why the Registries may need to have these data. The reasons why Registries should continue to maintain Registrant data are:
- Registries maintain the central abuse contact point for domain name abuse such as spam, phishing, pharming and botnet activity. Multiple participants in the meeting noted from their experience that Registrars often do not respond to abuse notifications. Especially if harm is obvious, Registries act quite quickly.
- Registries are contractually obliged to run mandatory security checks on their domain names. This can only be done properly if Registrant data are available.
- Registration requirements such as local presence, membership of a certain community (e.g. language, culture) or industry sector (e.g. bank, insurance) require full access to Registrant data.
- geoTLDs especially need to fulfil contracts with their government.
- Other reasons
Such legitimate interests should be fixed in an update of the Registry-Registrar-Agreement (RRA) and in the Registry’s policy. The use of data just for marketing, market research or sales purposes is not justifiable under the GDPR.
Registries are the Storage of Security and Stability for gTLDs
In general, if Registries do not have access to Registrant data, an important part of their role as a responsible gTLD manager can no longer be fulfilled. Registries are ICANN’s contracted guardians of the generic top-level domains (gTLD) and are responsible for the stability and security of the zone in the first instance, but also for the gTLD’s sustainable economic success. In contrast to Registrars, the Registries are monitored very closely by ICANN and are the storage of stability in the domain name industry. Therefore the Registry needs to understand demographics, geographical distribution, business types and other marketing & sales related data from the WHOIS for its gTLD to thrive and prosper. Without WHOIS data the Registry would run its gTLD in a blind flight mode, with a significant economic loss expected over time – for Registries and Registrars too. If Registrars are interested in Registries doing marketing in their gTLD community, they should together find a justifiable way for the data handling.