The GDPR is coming and a number of ccTLD registries are giving registrars heart palpitations. It’s a month till the European Union’s General Data Protection Regulation comes into play and the Icelandic, Norwegian, Slovakian and United Kingdom ccTLD operators are only just announcing how they’ll deal with it.
For Iceland’s .is they will stop publishing names, addresses and telephone numbers of personal contacts by default from the ISNIC WHOIS database. For individuals who wish to continue to publish their information, they must log in, go to “My Settings” and select “Name and Address Published”.
ISNIC will however, at least for the time being, continue to publish email addresses, country and techincal information of all NIC-handles associated with .is domains. Those customers (individuals) who have recorded a personally identifiable email address, and do not want it published, will need to change their .is WHOIS email address to something impersonal. However the Icelandic country code top level domain isn’t happy with the new regulation. They note the GDPR “will neither lead to better privacy nor a safer network environment.”
For the sake of the internet community, e.g. Individual users, Service Providers, Hosting Companies, and many other stake holders, ISNIC will continue to publish email addresses and the country name of all contact types until further notice.
For NORID, the registry for Norway’s .no, they have made a few changes to their policies that come into effect on 5 May. NORID state they will “only collect data that we need, and that the domain holder shall be informed about which data is being processed by Norid. Starting on 5 May, we will collect less data about the holder than what we currently do.” Following consultation with the with the Norwegian Data Protection Authority, NORID will launch a new version of WHOIS on 22 May.
And Nominet, the .uk registry, has announced their changes. Following a consultation period that outlined their proposed changes that were published for comment between 1 March and 4 April, Nominet have announced that:
- Registrant data will be redacted from the WHOIS from 22 May 2018, unless explicit consent has been given.
- Law enforcement agencies will nonetheless be able to access all registry data via an enhanced Searchable WHOIS service available free of charge.
- Other interested parties requiring unpublished information will be able to request access to this data via our data disclosure policy, operating to a 1 working day turnaround.
- The registration policy for all .UK domains will be standardised – replacing the separate arrangements currently in operation for second and third-level domains.
- The .UK Registrar Agreement will be updated, renamed the .UK Registry-Registrar Agreement, and will include a new data processing annex.
- The existing Privacy Services framework will cease to apply.
“We have taken a conservative approach to publishing data, to ensure that we do not fall foul of the new legislation,” said Nominet COO Ellie Bradley. “While, as a result, we will be publishing less data on the WHOIS – we have comprehensive procedures already in place that ensure that we will continue to respond swiftly to requests for information to pursue legitimate interests.”
The proposals also outlined an approach to replacing the existing privacy services framework with recognition of a Proxy Service offered by registrars. In response to the feedback, Nominet has decoupled this proposal from the bulk of the GDPR-related changes and will consult further on this topic in June 2018.