Compliance with GDPR on the Nominet gTLD platform

What do I need to change?

  • Nothing unless you wish to allow a registrant to opt in to publication of data.
  • Inter-registrar transfers will not be able to rely upon access to the email address.

Nominet welcomed ICANN’s Interim Model for gTLD compliance with GDPR, but some reservations remain with the current proposal. In the absence of a compliant model that has been adopted by ICANN in cooperation with the community, Nominet submitted a waiver request to ICANN on the 18th April for the .cymru and .wales gTLDs. ICANN has yet to give any substantive response to our waiver request; it is, however, clear that Nominet, Registry Operators and Registrars must be compliant on May 25th 2018.

In order that Nominet’s Registry platform and Registrars can be compliant on time, Nominet are implementing a model that has a strong resemblance to the ICANN cookbook of March 2018 but takes account of the actual data in our Registry systems while awaiting community decisions in other areas. The core technical changes to our system are configurable on a TLD by TLD level and therefore each Registry Operator on the platform may choose their own compliance model.

From May 22nd Nominet will implement the following technical model for gTLD compliance with GDPR.

1. Collection of data: 

a. Registrant contact data – data submission remains a requirement

b. Administrative/Technical and Billing contact data – data submission remains optional. Whenever these contacts are not submitted, our systems have always substituted the Registrant contact for those roles in WHOIS output; this will remain the case

c. From May 22nd 2018 our systems will store disclosure preferences submitted via EPP

2. WHOIS output: 

a. This will be configurable on a TLD by TLD basis according to a Registry Operator’s GDPR compliance stance and each TLD will be able to set the default contact data fields to disclose

TLDs that will, by default, redact all registrant data with the exception of the Registrant’s State and Province and Country (note ICANN’s cookbook proposes publishing the Registrant Organisation, but in 60% of cases in our systems this matches the Registrant name, and would lead to the disclosure of substantial amounts of personal data) are listed below:

Nominet: .cymru .wales

MMX: .abogado .bayern .beer .boston .budapest .casa .cooking .dds .fashion .fishing .fit .garden .gop .horse .law .london .luxe .miami .rodeo .surf .vip .vodka .wedding .work .yoga

KKWT: .blog

b. Each TLD will be configurable as to whether the default WHOIS output can be over-ridden by the EPP disclosure flags in RFC 5733 (EPP Contact Mapping)

Nominet: .cymru .wales

MMX: .abogado .bayern .beer .boston .budapest .casa .cooking .dds .fashion .fishing .fit .garden .gop .horse .law .london .luxe .miami .rodeo .surf .vip .vodka .wedding .work .yoga

KKWT: .blog

c. Until the ICANN community has settled on an anonymised contact mechanism Nominet will not provide an anonymised email or a web form. Those with legitimate rights to access data will be able to request data disclosure via the usual process.

d. Searchable WHOIS as defined by the ICANN Registry Agreement will disclose the same level of data as that available on the public WHOIS. Only fields that are public will be searchable.
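
The interaction between the per-TLD default in 2a and the RFC 5733 disclosure flags in 2b can be sketched as follows; this is an added example, not Nominet's code. The WHOIS field names, the `allow_override` setting name and the handling of `flag="0"` (withholding fields that are public by default) are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

CONTACT_NS = "urn:ietf:params:xml:ns:contact-1.0"  # RFC 5733 namespace
# RFC 5733 disclose children -> WHOIS fields (field names are assumptions).
DISCLOSE_MAP = {
    "name": {"name"}, "org": {"org"},
    "addr": {"street", "city", "sp", "pc", "cc"},
    "voice": {"voice"}, "fax": {"fax"}, "email": {"email"},
}
# Page default: redact everything except State/Province and Country.
DEFAULT_PUBLIC = frozenset({"sp", "cc"})
REDACTED = "REDACTED"


def parse_disclose(xml_text):
    """Return (allow, fields) from a <contact:disclose> element, or None."""
    root = ET.fromstring(xml_text)
    el = next(root.iter("{%s}disclose" % CONTACT_NS), None)
    if el is None:
        return None
    flag = el.get("flag")  # xs:boolean: 1/true = disclose, 0/false = withhold
    if flag not in ("0", "1", "true", "false"):
        raise ValueError("disclose flag must be an xs:boolean")
    fields = set()
    for child in el:  # type="int"/"loc" variants are treated alike here
        fields |= DISCLOSE_MAP.get(child.tag.rsplit("}", 1)[-1], set())
    return flag in ("1", "true"), fields


def whois_view(contact, allow_override, disclose_xml=None,
               default_public=DEFAULT_PUBLIC):
    """Apply the TLD default, then the EPP flags if the TLD permits it."""
    public = set(default_public)
    parsed = parse_disclose(disclose_xml) if disclose_xml else None
    if allow_override and parsed:
        allow, fields = parsed
        public = public | fields if allow else public - fields
    return {k: v if k in public else REDACTED for k, v in contact.items()}


# Constructed sample data, not taken from any registry.
SAMPLE = {"name": "Example Person", "org": "Example Person",
          "street": "1 Example Road", "city": "Cardiff", "sp": "Wales",
          "pc": "CF10 0XX", "cc": "GB", "email": "owner@example.test"}
OPT_IN_EMAIL = ('<contact:disclose xmlns:contact="%s" flag="1">'
                '<contact:email/></contact:disclose>' % CONTACT_NS)

if __name__ == "__main__":
    for override in (False, True):
        print(override, whois_view(SAMPLE, override, OPT_IN_EMAIL))
```

Because RFC 5733 exposes the address as a single `addr` element, a registrant cannot opt in to individual address lines through EPP; the finer State/Province and Country split exists only in the registry's default.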

3. Data disclosure: 

a. Registry Operators may provide legitimate law enforcement authorities with appropriate jurisdiction access to full registrant contact data via a password protected interface

b. IP rights holders or others that are not legitimate law enforcement authorities with appropriate jurisdiction, but have a legitimate right to the data, can make a formal data disclosure request to the Registry Operator which will be assessed and processed on a case by case basis

4. Inter-registrar transfers: 

a. As existing contact data will not be available to a new Registrar, we asked ICANN to consider the AUTH code sufficient information for transfers within the .cymru and .wales TLDs. We also indicated that, should there be a transfer dispute, Nominet will co-operate in that dispute to determine the facts. ICANN have not responded on this. Registrars must ultimately make their own decisions on compliance with consensus policies that are incompatible with GDPR.

Details of OT&E availability will be announced in due course.

Nominet will continue to track the progress of the ICANN model and community discussions on GDPR compliance and once a cohesive workable model is adopted that is compatible with the GDPR we will seek to revise our implementation accordingly.