World’s second largest domain name registrar lays out its position on GDPR as it relates to domain registrations.
On Friday, the day that the EU’s General Data Protection Regulation (GDPR) went into effect, ICANN filed a legal action in Europe against Tucows’ registrar EPAG. ICANN asked for a temporary injunction after EPAG notified ICANN it would no longer collect administrative and technical contact details for domains in an effort to comply with GDPR.
Tucows has issued a statement about its position, and it goes a long way to explaining the rationale behind its GDPR-related decisions.
At a high level, there are two things to mention when it comes to Tucows and GDPR.
First, Tucows has been the most forward-thinking and forward-planning registrar when it comes to Whois. At least from a public perspective, Tucows has been laying the groundwork for its plans publicly for many months. Then ICANN passed down its mandate with just days before GDPR went into effect.
Second, there is some nuance to what EPAG said that it would not collect that I didn’t pick up Friday evening in ICANN’s statement: ICANN will continue to collect registrant data for customers; its opposition is to collecting administrative and technical contact data.
Here are the items Tucows explains in its statement:
Personal data collection – Tucows takes issue with collecting admin and technical contacts in addition to registrant contacts. It points out that, while many times the contact details are the same for all contact types, this isn’t always the case. And when it’s not, Tucows is potentially collecting the personal data of people it doesn’t have a contractual relationship with.
This is a good point and one worth considering: do we really need all of these contact types for domains?
Personal data transfer to the registry – Tucows questions the need to pass personal data to registries under the thick Whois model, and points out that the thin Whois model under .com and .net has worked fine. There has been a movement to move everything to thick, in which the registries maintain the data. But plans to move .net and .com to thick have been delayed thanks to GDPR.
Personal data display– ICANN’s temporary specification for Whois requires registrars to display the organization name, state/province and country of the registrant in Whois. Tucows is opposed to publishing the organization name because it says many people don’t understand this field and enter their personal name instead of a company name.
Tucows concludes its response by saying it hopes the legal action will bring clarity. As I mentioned in the post Friday, I think Tucows was in favor of ICANN filing its legal action because it will force a response from EU courts about how they will interpret GDPR. More than anything, all parties in the domain ecosystem just want to know what they need to do to comply with the law.