The European Union’s General Data Protection Regulation (GDPR) will be getting implemented in May 2018. With this, the companies that are falling under European Union countries will need to comply with strict rules revolving around collection and usage of customer data, enforceable by the new GDPR law.
The GDPR compliance will take into account issues like the collection of personal identification information by various companies including big names like Google and Facebook. Here, the companies will need to implement strict data protection policies to safeguard the user data like IP information, cookies, name, contact or address and ensure that it is not publicly available.
Here, the case in point is the future of WHOIS public library – the protocol that provides information about the people who have registered any domain name.
Primarily, the WHOIS data is highly useful for the business houses and institutions who can track the information and its distribution pattern to identify any malware or potential threat. On the other hand, the open availability of sites and their critical information is a good treat for the hackers and spammers.
This has brought in a debate between the Internet Corporation for Assigned Names and Numbers (ICANN) – the organization that controls the domain names across the world, and the domain registrars, post the GDPR announcement.
Before we start discussing the debate, let’s get a quick history of GDPR:
What is GDPR compliance?
The GDPR is a kind of regulation that will require companies to protect the information and data of EU subjects and those who are dealing in any goods or services with the EU citizens.
The GDPR compliance was first approved and adopted by the parliament of EU in April 2016. The compliance after the two-year transition will be in force in May 2018.
What is the purpose of implementing GDPR?
GDPR has replaced the Data Protection Directive of EU which was implemented in 1995. It was much before the internet turned into an online hub for businesses like it is today. This has made the directives incapable of answering various issues regarding how data is collected, stored and processed by various websites. Hence, the GDPR will now set a standard for data protection to be followed by the companies to safeguard customer’s private data. The GDPR will protect:
- Personal information like the name, IP, contact, and address.
- Web data like cookies, forms, locations, RFID (Radio-frequency identification) tags.
- Biometric data.
- Political opinions.
- Racial or ethnic data.
- Sexual orientation.
- Health data.
The GDPR has defined various roles who will be taking care of compliance in their organization like data controller, data protection officer, and the data processor. The GDPR compliance will require the companies to assign a DPO who will be overseeing the data strategy of the organization and ensure compliance across all departments.
ICANN and WHOIS conflict post GPDR
Coming back to our main topic, the GDPR compliance has impacted nearly every organization doing business in the EU, and it has caused a policy meltdown at the internet overseer – ICANN.
The WHOIS protocol of ICANN requires the domain registrars to publicly make available the data related to the people or organizations who have registered any domain name. This is stark opposite to the GDPR law. The present WHOIS system displays the name, phone number, and address of the registrants. While ICANN being a US entity has managed to ignore this fact for quite long, the registrars located in the EU region has raised this issue.
With the deadline drawing closer, ICANN recently issued three interim models for domain registrars which will allow them to comply with both – ICANN’s rules and the implementation of GDRP in EU until it comes up with a permanent solution for the issue.
ICANN – Proposed Interim GDPR Compliance Models
The three interim models slightly differ from each other with respect to some parameters depending upon the status of the registrants, location registry, registrant or the DPO. Here’s a brief of the three models:
Model 1:
Overview: The first model will permit the display of thick registration data excluding or except for registrants’ contact details, email, address, name and postal address. To gain information regarding the excluded details, the third parties will need to first issue a self-certification stating clearly the objective behind accessing the data.
Key Pointers:
The model 1 will apply only to the personal data included in the registration data pertaining to some natural person, where:
- The registrar or registry are located in the EEA (European Economic Area).
- The registrar or registry is located outside the EEA but process data of the registrants located in the EEA.
- The registrar or registry are located outside the EEA and process non-EEA data included in registrations but engage a processor who is located within the EEA to process such information or data.
Under the model 1, unless the registrant explicitly states, the registries or registrars need to display the following minimum information in public WHOIS:
- Registered Name.
- The details related to the primary and secondary nameserver(s) for the Registered Name.
- The details about the registrar.
- The original date when the registration was created.
- The date of expiry.
- The name and the postal address of registrant (except telephone and email address)
- The available details of the administrative contact – email address, fax number, telephone number. (Thus, no name and postal address of the administrative contact).
- The available details of the technical contact for the Registered name – email address, fax and telephone number. (Thus, no name and postal address of the technical contact).
Model 2:
Overview: The model 2 is available in two variants – Model 2A and Model 2B and will permit the publishing of thin registration data which will also include the data pertaining to the technical and administrative email and contact IDs. The registries and registrars will need to provide access to the non-public information only for a definitive set of third-party accessors on the issue of accredited certification.
Key Pointers:
The Model 2A will apply to the personal data in the registration data without regard to whether the registrant is some natural or legal person, where:
- The registrar/registry is located within the EEA and process data included in the registration data.
- The registrar/registry is established outside the EEA and processes data included in the registration data of registrants located within the EEA.
- The registry/registrar is established outside the EEA and process non-EEA personal data, but engage data processors located within the EEA to process the personal data.
- The expiry date of Registration.
- Administrative contact’s email address for the Registration Name. (Thus, no name, telephone, postal address or fax of the contact).
- Technical contact’s email address for the Registration Name. (Thus, no name, telephone, postal address or fax of the contact).
The Model 2B will apply to all registrars without regard to the location of the registry, registrar, registrant or the data processor. Apart from this, there’s no other difference in Model 2A and Model 2B.
Under this model, unless the registrants otherwise permit, the registries and registrars would display the following data in public WHOIS:
- Registered Name.
- Details related to the primary and secondary nameserver(s) of the Registered Name.
- Details about the registrar.
- The original date when the registration was created.
- Please note that this model will not be displaying the name of the registrant whether a legal or natural person, until and unless the registrant opts-in.
Model 3:
Overview: The third model will allow the publication of thin registration data and other non-personal data. Here, if the requestor needs to access non-public information, he will need to provide a subpoena or equivalent court order/judicial tribunal.
Key Pointers:
The model 3 will apply to all registrations globally, without any regards to the location of the registry, registrar, registrant, and processor of the data.
Here, unless the registrant states otherwise, the registries and registrars would need to provide the following information:
- Registered Name.
- Complete details of the primary and secondary nameserver(s).
- Registrar’s details.
- The original date when the registration was created.
- Expiry date.
- No publication of the personal data.
Concluding lines:
Amongst the entire conflict, the major question is whether ICANN could come up with a permanent solution to comply with GDPR, without restricting global internet users’ access to the public data of WHOIS?
The organization is seeking community suggestions and feedback on the three interim models. It is very important that ICANN is able to save WHOIS data from being completely restricted.
Read this for more information.
