GDPR Compliance: The Clock is Ticking
It seems as if the GDPR has been the topic of conversation across the globe since the beginning of this year, and now, as the deadline swiftly approaches, it’s clear the world still isn’t exactly sure what to make of it. The GDPR is the European Union’s (E.U.) new data privacy law, which focuses on the collection, publishing, retention, and deletion of personal data online. GDPR compliance means that companies that seek to do business with any persons physically residing in the E.U. have to receive a customer’s consent to use their data and, in return, offer full transparency and adhere to several requirements regarding personally identifiable information.
What’s interesting about the GDPR is that every industry has its own unique battles with GDPR compliance.
The domain industry, for example, has a few hurdles still to overcome. Whenever someone registers a domain name, a public record called a WHOIS record is created, which includes information such as name, contact address, phone number and email. WHOIS is in direct conflict with the GDPR because it publishes personally identifiable data of all persons who register a domain name. Many people don’t even know their information is in a public record until they are bombarded with unsolicited phone calls and emails. The workaround for this is WHOIS Private Registration, which acts as an alias and shields your personal information by substituting the contact details of the domain registrar or third-party privacy provider you purchased the domain from. All attempts to contact the domain administrator are first filtered for spam, so you only receive the important and legitimate requests.
The simple solution?
The simple solution to GDPR compliance would be to continue to utilize Private Registration in the domain registration process, which is a well-established service in the domain industry. If someone does not want their information published, they can choose to mask it from public consumption, as they can now. If for some reason they are not interested in Private Registration, they would need to opt out and consent to their personal information being published in the public WHOIS database. However, this is not as simple a solution as one might think, because not all domains offer Private Registration, and the GDPR requires an opt-in process for consent: it treats privacy as an inherent right of individuals, not a service they can choose if they feel so inclined.
ICANN (the domain governing body) isn’t the only organization that relies on WHOIS. Law enforcement is adamant about the importance of WHOIS lookup in locating criminals and battling cybercrime activity. In preparation for GDPR compliance, ICANN wrote to the Article 29 Working Party, which represents the data protection authorities of all 28 member states of the European Union, with a proposed model that satisfies the GDPR and preserves the important elements of the current ICANN and WHOIS structure. This model was shot down in a letter from the Article 29 Working Party:
“Given the level of abstraction of the models, it is difficult to assess the scope and impacts of the proposed approaches,” wrote the EC’s director-general of technology and communications, Roberto Viola.
“The Commission, therefore, encourages ICANN to further develop possible options in cooperation with the community in order to balance the various legal requirements, needs, and interests.”
Basically, they’re saying “nope, try again” in a nice way.
The “abstraction of the models” they refer to in their response concerns the idea of a gated WHOIS. Their main concern is that it’s unclear who exactly will have access to the data. What is clear is that everyone has their own agendas in mind. Law enforcement agencies have concerns that a world without a mechanism such as WHOIS will provide a haven for criminals to act online anonymously, and IP and trademark professionals worry that without WHOIS access it will be nearly impossible to serve parties with takedown notices in cases of trademark infringement.
The entire domain industry, composed of Registries, Registrars, customers and various stakeholders with a vested interest in the industry, is looking to ICANN for a uniform solution. However, as the date draws closer and with no resolution yet in sight, some companies are starting to forge ahead alone and introduce new privacy policies that define how their brand will address the GDPR. The disadvantage of all these ad hoc solutions is that every Registry will have a unique method of handling the data, and Registrars will have to adapt and adhere to each different one, creating delays in domain registration and support for the customer. Ultimately, everyone is trying to do the right thing by getting their ducks in order and complying with the GDPR, but what the domain industry needs moving forward is uniformity.
Not only does the GDPR affect foreign entities who wish to conduct business with any persons in the E.U., but also how every company in the E.U. conducts business. Every part of a European Union company’s business model will need to comply, including something as simple as how it handles an employee’s private data. If we think we have a hard time ahead, think of all the other industries dealing with similar issues. The medical industry, law enforcement and insurance all rely on records that contain personally identifiable information.
The E.U. is not about to roll over on GDPR compliance, enforcement of which begins on May 25th. As for the domain industry, there are a lot of decisions that still need to be made, and all parties are working hard to find and implement solutions that balance the interests of all those involved.