On 1 March Nominet finally announced how they’re proposing to deal with the upcoming General Data Protection Regulation. A consultation will run until 4 April, after which Nominet will have to finalise their plans before the regulation comes into force on 25 May. The situation is a nightmare for registrars, who have to plan and implement changes for all top level domains impacted by the GDPR.
As EPAG’s Managing Director Ashley La Bolle told Domain Pulse (the blog) following the Domain Pulse conference in Munich in late February:
“The domain industry has been really late to the game on GDPR implementation. It’s already March and we are just beginning to see real progress regarding contractual and technical changes for the GDPR. We expect to receive a lot of last-minute changes from registries in the next couple months. Although we’re not thrilled about having to make last-minute changes to system settings, we still prefer registries to make those changes before May so we can ensure compliance.”
In case you don’t know what the GDPR is, it’s a data protection regulation intended to harmonise data protection laws across the EU and replace existing national data protection rules. The introduction of clear, uniform data protection laws is intended to build legal certainty for businesses and enhance consumer trust in online services. The new regulation applies to businesses within the EU, or any business in the world that collects data on European citizens, such as when someone is registering a domain name. With any data that is collected, it is imperative that those collecting the data have clear and freely given consent from the individual. Huge fines of up to €20 million or 4% of the company’s global annual turnover of the previous financial year apply for any organisation contravening the GDPR.
As for the changes Nominet is proposing for .uk: like most ccTLD registries, Nominet has allowed domain name registrant information, also known as Whois, to be publicly available for its domain names. However, under the new proposal all registrant information will be hidden. But Nominet’s concerns don’t just deal with .uk. They also manage .wales and .cymru, and Nominet, like all other generic top level domain registries, has to wait until ICANN finalises how it will resolve the issue.
We have opened a comment period from today until 4 April on our .UK proposals to comply with GDPR legislation.
In summary, Nominet proposals are as follows:
- From 25 May 2018, the .UK WHOIS will no longer display the registrant’s name or address, unless they have given permission to do so – all other data shown in the current .UK WHOIS will remain the same.
- For registrants who wish for their data to be published in the WHOIS, we will provide appropriate mechanisms to allow them to give their explicit consent.
- We will continue to work in the same way as now with UK law enforcement agencies seeking further information on specific domain names via our existing data release policy and via an enhanced version of our Searchable WHOIS service, available free of charge. Those users will have automatic access to the names and addresses we hold.
- Any third party seeking disclosure for legitimate interests can continue to request this information via our Data Release policy, free of charge.
- The standard Searchable WHOIS will continue to be available, but will no longer include name and contact details to ensure GDPR compliance. Those outside law enforcement requiring further data to enforce their rights will be able to request this through our existing Data Release policy.
- The proposed new .UK Registry-Registrar Agreement (RRA) includes a new Data Processing Annex. This sets out terms for how we would work with our registrars when processing registrants’ personal data during the registering, renewing, transferring or managing of .UK domain names to ensure GDPR compliance.
- The Privacy Services Framework will be replaced with recognition of a Proxy Service, within a new .UK RRA to allow registrars to offer proxy services to registrants who do not wish to have their details passed to Nominet.
- Additionally, we propose changing the rules for the data we collect for domain names that end in second-level .uk domain registrations, such as example.uk. We will no longer require a UK ‘address for service’ bringing this into line with third-level .UK domains such as example.co.uk, example.org.uk and so on.
A webinar for Nominet members to hear more about our proposals will take place on Wednesday, 7 March from 2.00-3.00pm GMT.
These changes cover the .UK namespace. Pending outcome of ICANN discussions, and feedback from this comment period, Nominet will set out our proposed approach for GDPR compliance for .cymru and .wales domains.