I've been sitting on this one for a little while, but the issue of ICANN and their one-year reprieve from GDPR on their Whois lookup service recently reared its ugly head in conversation, and this seemed like the perfect response.
Nominet have taken a very different approach, notably by not asking for a reprieve.
If you don't know Whois, it is a domain registration system and searchable domain registry: a list of every domain owner with names, addresses and other details (though personal-use domain data is currently redacted).
The first thing of note here is that Nominet (the operator of the .uk registry) has been incredibly open about the struggles of complying with the new regulations set to come into force in two weeks. In fact, they have been open to such an extent that they have essentially crowdsourced advice from their registrants. You can find a summary of the feedback in the article below.
- There will be no distinction between corporate and private-use domains
- All data will be heavily redacted, obfuscating all Personally Identifiable Information (PII)
- Law enforcement agencies will be granted access to the data without warrant
- There will be no additional revenue from the 'Privacy Services Framework' (proxy service) for registrars, as it is no longer necessary
- IP lawyers will be annoyed at having to wait a day for data disclosure
Clearly, Nominet have their act together in the race to become GDPR compliant and you'll see the changes come into effect on 22nd May 2018.
On the ICANN side, I can only hope that they use this year for more extensive consultation (perhaps even open consultation like Nominet). ICANN needs to find an acceptable middle ground that protects organisations with minimal hindrance to business and law enforcement, and put it into force.
But when you are dealing with the vast majority of the world's domains, you are also dealing with big business, powerful lawyers and vested interests.
It remains to be seen what compromise ICANN comes to, and the proposed accreditation scheme for non-law-enforcement agencies sounds interesting (there is no way ICANN can spare the resources to answer every individual data disclosure request).
However, time is ticking, and EU data protection agencies will be watching closely.
Nominet drains mug of tea, leans back, calmly explains how to make Whois GDPR-compliant