GDPR and Domain Names with Frank Michlick, Registrar Consultant of DomainCocoon

Today we spoke with Frank Michlick, Registrar Consultant of DomainCocoon, to better understand the basics regarding the GDPR and how it will affect domain names.

What is the GDPR?

The GDPR (General Data Protection Regulation) is a new privacy regulation in the European Union. It was introduced to improve privacy protection for people living in all member countries and to force compliance by companies with stricter rules and penalties.

Who will it affect in the domain name space?

Everybody really. ICANN, TLD owners, Registry Operators, Registrars, Resellers and Registrants.

The biggest potential impact is on Registrars, who have the direct customer relationship and obtain the data from their customers. They are subject to potential fines from the EU, but they are also required to follow ICANN regulations which stand in conflict with the consensus requirements by ICANN.

Companies in the domain industry with many European customers, will most likely be asked to provide information as to how long data is stored, where it is stored, how it is processed and protected.

How will GDPR impact domains?

The most visible change is that there is less data displayed in WHOIS. There is also an ongoing debate (that started well before this regulation was put in place) as to which data should really be public and who should be allowed to access it. Privacy advocates have long been opposing public WHOIS by default, but before this legislation, this was largely ignored by ICANN. Less data in WHOIS means that registrar transfers may have to be changed. Currently registrars are proposing to leave out the first Form of Authorization email in the transfer process and just initiate the transfer if the customer presents the correct Auth Code.

In the name of “data sparsity”, is thick WHOIS (where the registry holds the contact data) actually needed?

In order to appease self-proclaimed spam fighters, security experts and some governments, ICANN wants to create an accreditation process for access to whois data. Most registrars would prefer this to be limited on a per domain name basis.

What happens next?

On May 25th, 2018, the legislation goes into effect. Most registries and registrars will have some sort of solution in place by then. ICANN is trying to find a temporary solution.

The EU law will be set into local law in the member countries. It’s expected that most EU countries will rework their existing privacy laws accordingly and potentially add additional rules.

Special thanks to Frank!