The difficulties created by GDPR for the global business system have now escalated into a legal battle between ICANN and a German registrar over the implications of GDPR.
A German court has recently rejected a suit filed by ICANN against the domain registrar EPAG, in which ICANN sought an injunction to prevent the registrar from stopping the collection of information from domain registrants. (Refer to the details here.)
The dispute was over whether the details collected by the registrar of a domain name were “Excessive” and not in accordance with the “Data Minimization” principle. EPAG is owned by Tucows, which is said to be the second largest domain registrar in the world.
It is reported that ICANN had earlier represented before GDPR authorities that the collection of Admin and Technical Contact details, which GDPR considers unnecessary, was necessary along with the Registrant’s details. The German court appears to have agreed with the view of GDPR.
Now the ball is in ICANN’s court. Will it simply accept the diktat against its own rules, or will it fight by defending its “Legitimate Interests” and cancel the registrar’s license, which is based on its present contractual obligations?
The domain names can then be transferred by ICANN to other registrars who may bid for the same under a “Transfer Mechanism” which may include the explicit consent of the data subjects to continue to adhere to the current ICANN regime.
How GDPR may convert the entire Internet into a Deep Web
Already, “Privacy” issues have led most registrars to suppress Who-Is information behind a veil of secrecy. This has enabled more and more criminals to use temporary domain names for committing crimes, and has left law enforcement struggling to identify domain name managers.
Now the GDPR is complicating the matter further, first through the “Right to Erasure”. The “Right to Erasure” means that a domain name registrant who has used a domain name can demand that all information about the domain name be deleted from the records of the registrar. In order to comply with this requirement, EU-based registrars would introduce a system whereby such requests are diligently handled.
As a result, “Deletion on Request” would become a standard procedure, first for registrars in the EU, then for others in respect of “Registrants from EU”, then for multinational companies having an office in the EU, and perhaps as a standard practice for others.
When such developments take root, criminals will have a field day. The domain name data will first get shielded under the “Privacy” clause and then will vanish.
As a result, the internet will be as secretive as the deep web in respect of domain ownership.
This could be a serious law enforcement issue that would convert Europe into a haven for Cyber Criminals.
Recently a demonstration was reported from London misusing the “Freedom of Expression” and demanding the introduction of “Shariat Law” in the UK. The Privacy laws through GDPR will create another instrument by which terrorists will spread their tentacles worldwide, sitting in the safe havens of the EU. It is unfortunate that EU authorities are either naive in disregarding this threat or are themselves compromised and letting Privacy be used as a shield for criminal activities.
I suppose Indian authorities, including NIXI, which is in charge of the local domain names, will not allow these misapplications of Privacy laws and create a safe haven for Cyber Criminals. When India introduced dot in domain name registrations, there were many German registrants who registered dot in domain names for squatting purposes or with future criminal intent. Now many of these will start questioning NIXI if they are GDPR Compliant.
NIXI should understand that there are Data Retention Laws in India under ITA 2000/8 which require certain data to be kept by intermediaries for a reasonable period. Though MeitY has not yet designated domain name registrations as data to be retained for a particular period, presently it is a permanent record and any change would need modification of the terms of the registration agreement.
NIXI should reiterate that GDPR is not applicable in this instance since our “legitimate interest” and “local laws” are not in agreement with GDPR and these prevail over GDPR.
Justice Srikrishna also needs to take note of these developments and ensure that our own Data Protection Laws do not endorse GDPR blindly.
I request MeitY to respond to this concern.