GDPR Domain Industry Playbook
The domain industry is facing considerable challenges with the upcoming General Data Protection Regulation (GDPR).
The GDPR will be applicable as of May 25th, 2018 and there will be severe fines for breaches. Registries and Registrars will therefore need to take action to make their systems compliant with GDPR. The most debated aspect in this context is whether the current Whois service can be maintained. Based on information available and legal assessments the current Whois system is not sustainable.
But what changes need to be made to the data flows exactly? This question remained unanswered so far.
The current status at ICANN
An additional layer of complexity is that changes to the current system will likely result in a breach of the contracts with ICANN.
During the ICANN meeting in Abu Dhabi, ICANN has issued an announcement according to which it will not enforce the contracts for the time being if certain parameters are met. However, ICANN has not yet provided more details on those requirements.
In summary, no data model has bee suggested that can be discussed by the parties involved and no holistic approach has been taken to assess the collection and other processing of personal data. However, ICANN has encouraged the contracted parties to make a proposal.
On 11th December 2017, eco held a public consultation in Brussels on the draft "eco GDPR Domain Industry Playbook". Approximately 100 representatives of registries, registrars, the EU Commission, ICANN, law enforcement agencies, and other stakeholders attended the event either locally (approximately 30 attendees) or by...
GDPR Domain Industry Playbook
eco has volunteered to facilitate the process of achieving a solution that allows for compliance with GDPR and also mitigate the risk of ICANN sanctioning breaches of its contracts.
This project is called the „GDPR Domain Industry Playbook“ and it will not result in a legal assessment, but a practical guide to operationalizing GDPR.
When it comes to gTLD registrations, there are multiple parties involved and any compliance efforts need to take into consideration the respective roles and responsibilities of all those. The players are:
- Registrars (and their resellers as the case may be)
- Escrow Agents and
- the Emergency Backend Operator (EBERO).
The next steps
Time is of essence as not only a model needs to be agreed on, but it also needs to be implemented before May 2018.
eco has therefore agreed on an iterative approach after having consulted the matter with the eco Names & Number Steering Committee.
Drafting of a rough data model including explanations why certain proposals are made.
Discussion of the rough data model with a small group of registry and registrar representatives with legal, operational and technical background.
Publication of the proposal for review by interested parties.
Consultation on the proposal with contracted parties and ICANN representatives to which EC representatives, DPAs and representatives of the ICANN community will be invited.
How do we proceed from here?
Please note that eco is trying to help with this in the interests of its members and the wider community. It will be dependent on the feedback received whether the process can be completed successfully. Thus, we encourage interested parties to watch out for updates and work with us.
Information on the timing of Step 2 will be announced soon.
Information on the timing of Step 3 will be announced soon.
It shall also be noted that ICANN has confirmed that the GDPR challenge is a contractual compliance matter in a first phase. Thus, particular focus will be on agreeing a model with the contracted parties, who are at the risk of facing either ICANN breach notices or GDPR fines.
As a second step, a community process shall be conducted, which might be started in parallel, to update policies as required. This process will follow ICANN procedures and will encompass the whole community in a consensus process.
The GDPR Domain Industry Playbook shall serve primarily as an implementable basis for the first phase, but it can well be used beyond that and inform policy processes (as much as policy processes underway and the documentation thereof informs the drafting of the playbook). In the long run, it might be the basis for an industry code of conduct as foreseen by the GDPR.