No extraordinary failures involved
There is no extraordinary failure in a USA company assuming that the only law to apply is American and other legal systems are inexistent or subservient. That is business as usual - not a failure.
Thousands of internet registries and registrars will have just one week to overhaul their customer databases to fit with a policy that is still under development, or face ruinous fines. That is the end result of an extraordinary failure by the organization that oversees the internet's domain name system to address a change in …
Indeed, but it should be of no surprise given that it has been considered as a cushy job and perceived not to being very demanding for sometime. This is not something that is unique to ICANN and is wide-spread across the industry. In this instance they have been exposed by being crushed by the irresistible force due to their gross failings to grasp implications of the new legislation. A lesson for all in the industry.
It is your *registered address*! It is the address that you have chosen to register as the *public* point of contact for the website that you have chosen to *publicly* publish! Of course this must continue. Your lack of ability to set up a spam filter or use a firstname.lastname@example.org address doesn't stop you from publishing the site (though maybe it should) so why should it stop me from inviting to partake of the latest special offer?
"It is the address that you have chosen to register as the *public* point of contact for the website that you have chosen to *publicly* publish!"
Utter bollocks! You haven't chosen, you've been required to provide your email address and that's been made public. Having a domain doesn't mean you have a website. I have my own domain which I use for email, but I don't have a website running on it.
It seems to me that, as the information that whois systems run by registries within GDPR countries must provide is specified by binding ICANN contract terms, it follows that fines levied on the registries for GDPR violations can be passed on to ICANN since its their contract terms that forced the violation and doing anything else leaves the registries in double jeopardy - itself a legal offence committed by ICANN.
If this isn't the case, what did I miss?
I believe that law overrules contractual agreements. If the contract says you must do A, but the law says that doing A is illegal, don't complain that if you do A, the law comes calling for YOU, not the other party to the contract. This puts the European registries in a tight spot.
"This puts the European registries in a tight spot."
It shouldn't. Like everyone else they've had plenty of warning. As you say, statute law overrules contractual terms so ICANN's contract terms will shortly become invalid with respect to any data subject resident in the EU irrespective of where the registrar is or the TLD of the registration. The registries should have realised this and made their preparations in good time. The only question remaining is what do the contracts say about terms being made illegal - does the contract remain in force with only the affected terms struck out or is the entire contract invalidated?
The registries should have realised this and made their preparations in good time.
I wonder how many of them already have the systems in place for this to happen and now they're just waiting to flip the switch? "It;s time. Push the button, Max!"** Hopefully there's popcorn ready as this could be interesting.
**reference "The Great Race".
"As you say, statute law overrules contractual terms so ICANN's contract terms will shortly become invalid with respect to any data subject resident in the EU irrespective of where the registrar is or the TLD of the registration. "
I imagine the question the registrars are asking isn't whether ICANN can enforce those terms in a court of law (obviously not), but whether they would enforce them independently. Being in the legal right is fine, but if ICANN decided to revoke your access due to being in breach of their terms, and that potentially caused your customers to lose access to their domains, what would you do? Take them to court, but that takes time, during which you and your clients have potentially lost lots of money and business.
It should be far fetched to think they would do something like that, but with their past history, plus the fact that they're now WARNING of compliance audits rather than promising assistance, I wouldn't put it past them.
@Jim Mitchell It's not that the law overrules contractual agreements, but that contracts mandating actions contrary to the law are unenforceable.
That may sound like a differentiation without a difference, but actually it does matter, because the "obligation" under the contract remains, but ICANN can't enforce it to the extent that it contravenes the law. So if there is some lesser/partial/limited interpretation of those clauses, that lesser/partial/limited interpretation still stands.
(Put another way: if the law dictates that 100% contractual compliance is unlawful, but 50% wouldn't fall foul of the law, then you don't get away with 0%!)
Registries may face fines in legal reality, but I think the people likely to actually look at requesting action be taken will be somewhat reasonable. I, at least, won't be expecting complete adherence on the date from registries that got no guidance. As long as it seems that registry X is doing its best to implement the regulations, I don't think registry X should be called out. Instead, call out the ICANN for ignoring its responsibilities and any registrations that choose not to care.
"I, at least, won't be expecting complete adherence on the date from registries that got no guidance."
The registries have had as much guidance as everyone handling PII in other lines of business. GDPR mandates various behaviours which affect registries. That mandate overrules any clause in the ICANN contract which is in conflict.
Sorry, I spoke unclearly. My comment on guidance refered to guidance from ICANN. Most of the registry-specific things seem not to be ready because ICANN put in roadblocks, perhaps due to contracts and their power over the registries. That gives me some level of sympathy for registries, if it is really the case that they now have to figure it all out. Therefore, if I am right in my guess, I see a reason for mild sympathy if the registries are trying but don't get everything finished in time. As before, I feel no sympathy for ICANN, no sympathy for any registry that doesn't bother to try to get this in line, and my sympathy will evaporate if it is the case that registries could have done this already and ICANN wasn't holding them up.
the approach has been there for years already. Though would be nice if the service was a standard(free) option with all domains, rather than a premium charge(as it seems to be with register.com whom I use or godaddy who my employer uses). Workaround to that would be just bake the service charge of the privacy service into the overall cost of the domain.
You kind of answered the question yourself - in my case, the domain name registrar gets an additional £6 plus VAT from me for what it seems will soon be required by law.
I paid the protection racket money because I suddenly got severely spammed, followed by phone calls, after registering a .net for a community project. I asked why I was getting this spam, having registered various domains for years without this trouble. It seems .uk addresses already have this privacy system applied to them automatically, but .net, .org etc do not.
So your point that that whole thing already has a way of dealing with GDPR is already validated. But they will lose a chunk of protection money.
Whether or not you agree with hiding personal details from random whois searches or not. This does highlight an unresolved issue, if one country or group of countries creates legislation making something illegal and yet following that law would be illegal in a particular companies home country, what on earth is going to happen? It will happen one day, and no one has a solution. Every country can not have it's own way over every company in the world, it just won't work.
This is exactly why WHOIS and GDPR are so broken. Each TLD has its own regulations. Most of those have specific ownership and usage requirements, and a process to challenge domains that appear to have violations. The '.com' is the commercial TLD that is supposed to have a high degree of accountability. The '.edu' domains are supposed to be registered only to schools, not people. Etc., etc.
ICANN may be slightly screwed as a global service but the non-ICANN TLDs can simply forbid EU members from using them.
"ICANN may be slightly screwed as a global service but the non-ICANN TLDs can simply forbid EU members from using them."
And the EU can block access to all ICANN domains and launch a multi-billion Euro fine court case.
Lets see who shits themselves first
I think you're getting two things confused here. ICANN is absolutely NOT the government and has no actual legal powers except those which are specified within it's contracts. While those may be legally binding, they're not the same as an actual law.
GDPR is (or will be) law. Which supercedes anything in ICANN's contracts as illegal contractual clauses are not enforceable. So this isn't a case of EU vs US law. This is a case of EU law versus a US corporation which is (attempting) to operate contrary to EU law.
The whole reason ICANN wants to retain the whois service is because of the pressure from the US copyright industry. As noted by others, whois is also widely abused by spammers and most registrars offer a privacy option that keeps details from the whois database anyway. If that were illegal action would already have been taken over it.
So there's essentially no issue with ICANN allowing registrars to ditch the whois requirement because a) it would be illegal for registrars to enforce it and b) the only gnashing of teeth will be from copyright-chasing lawyers and spammers.
"The whole reason ICANN wants to retain the whois service is because of the pressure from the US copyright industry. "
WHOIS has been broken for a couple of decades - well before the copyright cartels got involved.
The problem has always been that no one has managed to come up with a pragmatic and effective way of keeping contact details of business domains online and _accurate_ vs the issue of personal protection for anyone silly enough to register a domain using their home address and phone numbers, whilst preventing scammers from abusing the process.
What's needed is a complete replacement which allows abuse _of_ the network to be dealt with quickly and providing a path for proper legal discovery (with protections from abuses by copyright trolls) when it comes to abuse _on_ the network.
There is no conflict here. If a company wants to do business in a particular country, it needs to follow the laws of that country.
If it doesn't want to (or, decides it can't) then it stops doing business in that country.
Just because the internet now exists doesn't change how that works.
asking me to confirm to whether or not I consent for them to continue holding personal data on me and the specific purposes for which they will be using it,
*= even though I don't have an account with them, if they hold personal data they still need my consent to hold it.
Isn't this wrong? There are multiple options for the legal basis, consent is only one of them. They might decide they ought to be able to claim that knowing my browsing habits is a legitimate business requirement.
The biggest "problem" is when they used to rely on 'we could do it, and we're too big to bother with fines, so we did it.' For some reason that isn't in the GDPR.
Say that as an EU citizen (for the moment) I have a ".com" domain registered with a USA based registrar. I assume that USA law applies to the way that the registrar behaves. How is the EU going to prosecute the USA based registrar for correctly following USA law?
Is this conundrum, perhaps, why the registrars of the ".eu" domain wanted to ditch non-EU registrants? Not the spiteful petty revenge portrayed by the UK press?
If you solve that one can the same solution be used to prosecute all the Indian call centres who use my personal information to call me because I have a virus on my system?
> How is the EU going to prosecute the USA based registrar for correctly following USA law?
Assuming the registrar has any legal entity in the country (i.e. either a subsidiary, or people employed) then they'll be the ones being taken to court as the representatives. This is what's been happening with Uber in London, for example.
A court could go after the money; to Visa, Mastercard etc and tell them to stop accepting payments in the countries where the law is being broken.
The courts could tell the ISPs in the country to block any requests to the particular domains owned by the extra-territorial entities, similar to how they block the fake rolex and torrent sites.
" the accredited access component. Registries and registrar will need to figure out a way to grant specific people access to non-private data but there is no guidance over the best way to do this or even who is eligible to gain that level of access"
Same as getting user of a home IP address or a wire tap in most Democratic countries. A warrant issued to police as a result of application to court with reasonable excuse. Not fishing expeditions, or unproven allegations of infringement. Prove some real intent at copyright infringement or illegal content in open court FIRST, then get warrant for the actual court case.
But ICANN has been resistant to changing the current rules, in large part because powerful US corporate interests want the current rules retained and feel that European laws should not override the current system put in place by US corporations and overseen by a US organization.
A not for profit organisation being influenced and pressured from outside sources, typical.
It wants companies to continue to gather all the same registration information – including people's names, home addresses and telephone numbers - even if they don't publish it all.
Most of that information you do not need.
It wants them to come up with some kind of system to let authorized users to access that information.
Depends on what kind of authorised users you are talking about. Vetting?
It wants them to make it possible for third parties to contact registrants via email without having to seek permission from anyone else.
No just plain no! I do not want my email and my home address spammed thank you.
So people have known about a major change for ages, but not put into place systems to deal with it, or even agreed how those systems should work or what they should achieve?
At least this is a unique case, and nothing like this could possible happen again, ever. And definitely not on 29 March 2019.
WHOIS should just be taken behind the shed and shot. Anyone who thinks that kind of personal information should be publicly available, in this day and age, is an idiot. If anyone's up to no good on their domain then there should be a process for the police to get the info from the registrar - it doesn't need to be public. My WHOIS registration for my domain shows my old address and an old phone number. And ICANN can go swing if they want to show my current info to the world.
Biting the hand that feeds IT © 1998–2019