GDPR: EPAG’s MD Explains The Nightmare on Registrar Street

At the recent Domain Pulse conference in Munich, on 22 and 23 February, the upcoming General Data Protection Regulation (GDPR) was a focus of discussions, both in conference presentations and panel discussions and during breaks. Its implementation is becoming a nightmare for many industries, with registries, both gTLD and ccTLD, and registrars each facing their own problems.

That ICANN is a year too late in working out a solution for gTLDs and ccTLDs has made registrars’ lives a nightmare, as each registry has introduced its own unique solution, Ashley La Bolle, EPAG’s Managing Director, told Domain Pulse following the panel discussion (see the interview below).

With ICANN simply not ready for the GDPR’s start date on 25 May, having not even finalised how it will respond, and registries throughout the European Union seemingly all having a unique method of dealing with the regulation, it is what Richard Wein, nic.at’s CEO, told Domain Pulse is a missed opportunity for registries to work together on one solution. For ICANN and generic top level domain registries (new and legacy) there are sure to be some heated discussions, and criticisms of ICANN for being so slow to adapt, at the ICANN meeting in Puerto Rico this month.

At the Domain Pulse conference (which is unrelated to the Domain Pulse blog), the panel discussion that focussed on GDPR involved representatives from registrars, registries and eco, the German internet association. Titled “The Challenge of Compliance: NIS Directive, GDPR, ePrivacy Regulation – the EU’s Digital Roadmap and the Domain Industry”, it featured Volker Greimann from Key-Systems, Boban Kršić from DENIC, Ashley La Bolle from EPAG Domainservices and Ingo Wolff from tacticx, and was moderated by Thomas Rickert, lawyer and representative of eco. The panel discussion saw criticisms of ICANN, with some wondering what ICANN will do if the community, and in particular registrars, disagree with what ICANN proposes.

During the discussion La Bolle said many registries haven’t given registrars the information they require, nor their reasons and the legal basis for the data they require. “It’s not a lot of information we need. And we can no longer wait for ICANN or independent registries, we have got to implement changes that comply with GDPR.”

Following the panel discussion, Domain Pulse spoke in more detail with Ashley La Bolle, Managing Director of EPAG Domainservices GmbH (second from the left in the photo below), who spoke of her frustrations with the way most registries have responded to the GDPR, with unrealistic timelines for registrars to implement the required changes.

Domain Pulse: What are your opinions on the GDPR implementation?
Ashley La Bolle: The domain industry has been really late to the game on GDPR implementation. It’s already March and we are just beginning to see real progress regarding contractual and technical changes for the GDPR. We expect to receive a lot of last-minute changes from registries in the next couple of months. Although we’re not thrilled about having to make last-minute changes to system settings, we still prefer registries to make those changes before May so we can ensure compliance. We do, however, see opportunities for registries to change requirements to be compliant without requiring registrars to make technical changes on very short notice. Some registries, for example, are planning to simply delete any non-essential data that registrars send in a domain order during a specified transition period. Only after that transition period will they begin returning an error message when non-essential data is sent with an order.

DP: How has it impacted on EPAG’s resources and staff?
ALB: EPAG is working closely with OpenSRS and Enom to develop a GDPR implementation plan for the entire company. But even when we are able to pool resources on planning, there is quite a bit of work that has to happen in addition to that. The GDPR requires contracts to be revised, additional staff training, and customer education. Our approach has been to change our systems and processes to handle as much of the impact of the GDPR as possible so that our customers can continue to use our services as they always have.

DP: What will be EPAG’s way of dealing with it?
ALB: The Tucows approach includes data minimisation, contract changes, Whois changes, and a consent management flow. Regarding data minimisation, we will only process a limited set of registrant data and in most cases will no longer process data for the administrative, technical, or billing contacts. At the same time, we are adjusting contracts with registrants, resellers, and registries. Another important part of our approach is the introduction of a gated Whois service, meaning personal data will no longer be published in the public Whois. Authorised third parties with a demonstrated legitimate interest in accessing the data will still be granted access following an authentication process. These parties may include Law Enforcement, the Security community, Intellectual Property lawyers, Aftermarket providers, and Certificate Authorities, among others. Finally, we are building a consent management flow in order to allow registrants to give consent for any data use that is not required by contract.
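The two mechanisms described in the answers above, a registry that drops non-essential contact data during a transition period and rejects it afterwards, and a registrar that minimises the registrant data it sends and gates its Whois output behind authentication, can be sketched in a few functions. The following is an added illustration and not EPAG, Tucows or any registry's code; the field names, the `"ok"`/`"error"` response shape, the role tags and the sample order are assumptions, and only the 25 May date comes from the article.

```python
# Added illustration, not EPAG/Tucows or any registry's code. Field names,
# the response shape, the role tags and the sample order are assumptions.
from datetime import date

# Minimal registrant data the registrar keeps processing (assumed set).
ESSENTIAL_REGISTRANT_FIELDS = {"name", "organisation", "country", "email"}
# Contact sets the interview says will in most cases no longer be processed.
NON_ESSENTIAL_CONTACTS = ("admin", "tech", "billing")
# Date the GDPR applies (from the article), used here as the transition end.
TRANSITION_END = date(2018, 5, 25)
# Requester roles the interview names as candidates for gated access (assumed tags).
LEGITIMATE_INTEREST_ROLES = {"law_enforcement", "security", "ip_counsel",
                             "aftermarket", "certificate_authority"}
# Fields treated as personal data and redacted in the public Whois (assumed).
PERSONAL_FIELDS = {"name", "email", "street", "phone"}


def minimise_order(order):
    """Registrar-side data minimisation before the order goes to the registry:
    drop admin/tech/billing contacts and keep only the essential registrant fields."""
    minimised = {k: v for k, v in order.items() if k not in NON_ESSENTIAL_CONTACTS}
    registrant = order.get("registrant", {})
    minimised["registrant"] = {k: v for k, v in registrant.items()
                               if k in ESSENTIAL_REGISTRANT_FIELDS}
    return minimised


def registry_accept(order, today):
    """Registry-side handling of non-essential contact data: silently delete it
    during the transition period, return an error once the period has ended."""
    extra = [c for c in NON_ESSENTIAL_CONTACTS if c in order]
    if not extra:
        return "ok", order
    if today < TRANSITION_END:
        stripped = {k: v for k, v in order.items() if k not in NON_ESSENTIAL_CONTACTS}
        return "ok", stripped
    return "error", "non-essential contact data refused: " + ", ".join(extra)


def whois_view(record, requester=None):
    """Gated Whois: anonymous lookups get personal fields redacted; an
    authenticated requester with a legitimate-interest role gets the full record."""
    authorised = (
        requester is not None
        and requester.get("authenticated") is True
        and requester.get("role") in LEGITIMATE_INTEREST_ROLES
    )
    if authorised:
        return dict(record)
    return {k: ("REDACTED" if k in PERSONAL_FIELDS else v) for k, v in record.items()}


# Constructed sample order; none of this is real registrant data.
SAMPLE_ORDER = {
    "domain": "example.de",
    "registrant": {"name": "Jane Doe", "organisation": "Example GmbH", "country": "DE",
                   "email": "jane@example.com", "phone": "+49 000 0000"},
    "admin": {"name": "Admin Person", "email": "admin@example.com"},
    "tech": {"name": "Tech Person", "email": "tech@example.com"},
    "billing": {"name": "Billing Person", "email": "billing@example.com"},
}

if __name__ == "__main__":
    lean = minimise_order(SAMPLE_ORDER)
    print("minimised order:", lean)
    print("registry, before cutoff, full order:", registry_accept(SAMPLE_ORDER, date(2018, 4, 1)))
    print("registry, after cutoff, full order:", registry_accept(SAMPLE_ORDER, date(2018, 6, 1)))
    print("registry, after cutoff, minimised order:", registry_accept(lean, date(2018, 6, 1)))
    whois_record = {"domain": "example.de", **lean["registrant"]}
    print("public whois:", whois_view(whois_record))
    print("gated whois:", whois_view(whois_record, {"authenticated": True, "role": "security"}))
```

The point of the transition branch in `registry_accept` is the one La Bolle makes: a registrar whose systems are not yet updated keeps working during the transition, because the registry discards the extra data instead of failing the order, while a registrar that has already minimised its orders never hits the error path at all. In `whois_view`, note that authentication alone is not enough; the requester also needs a recognised legitimate-interest role before unredacted data is returned.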

DP: What problems have you experienced in implementing the requirements?
ALB: The main obstacle we have encountered is the lack of preparedness in the domain industry that I mentioned before.

DP: One issue Richard Wein, nic.at’s CEO, has raised is it was a great opportunity for ccTLD registries to collaborate on one solution – I assume this would have made your life a lot easier and required less input of staff and other resources?
ALB: We would prefer a common solution across ccTLD registries. When each registry comes up with an individual approach, it is a nightmare for registrars to implement each individual approach and explain it to their customers. This is an industry that thrives on standards and common practice and the GDPR does not change this.

DP: Are you on track to comply with the requirements for ccTLDs and gTLDs, and given there is no real solution for gTLDs yet, how are you dealing with this?
ALB: The result of the domain industry being so late to react to the GDPR is that we have had to design our own approach – one that we feel is both legally compliant and customer friendly. At the same time, we have supported efforts by ECO to propose a common model as described in their Domain Industry Playbook.

DP: Do you have any thoughts on how ICANN has dealt with GDPR?
ALB: We wish that ICANN had started work on this a year ago. Of course, we will try to accommodate changes, but in absence of new consensus policies, we have to develop solutions that we believe will ensure our own compliance with the law.