Nominet, the registry for .uk, is conducting a consultation on how it will handle whois data once GDPR comes into force. It’s worth noting that the consultation relates only to the *.uk namespace and is not about any of the gTLD registries on the Nominet platform.
While that is the main focus of the current consultation, they’re also using it as an opportunity to make a few other amendments to their agreements, including revamping how they handle privacy / proxy registrations as well as removing the UK address requirement for direct .uk registrations.
So what exactly is Nominet proposing?
For ALL domain name registrations they are proposing to not display the registrant name unless the registrant has explicitly opted in. This would cover both natural persons and legal persons (think companies), which might prove to be slightly controversial. Registrants will be able to opt in via the online services portal that all .uk registrants have access to, or via their registrar once their interfaces support the new commands. The changes to how they handle all of this could have an impact on how registrars and the rest of the channel have implemented their integration with the Nominet backend.
They’re also proposing to offer a new form of registration data search for law enforcement and consumer protection agencies that are recognised under UK law.
Here’s how they’re describing the proposed changes:
From 25 May 2018, the .UK WHOIS will no longer display the registrant’s name or address, unless they have given permission to do so – all other data shown in the current .UK WHOIS will remain the same.
For registrants who wish for their data to be published in the WHOIS, we will provide appropriate mechanisms to allow them to give their explicit consent.
We will continue to work in the same way as now with UK law enforcement agencies seeking further information on specific domain names via our existing data release policy and via an enhanced version of our Searchable WHOIS service, available free of charge. Those users will have automatic access to the names and addresses we hold.
Any third party seeking disclosure for legitimate interests can continue to request this information via our Data Release policy, free of charge.
The standard Searchable WHOIS will continue to be available, but will no longer include name and contact details to ensure GDPR compliance. Those outside law enforcement requiring further data to enforce their rights will be able to request this through our existing Data Release policy.
The proposed new .UK Registry-Registrar Agreement (RRA) includes a new Data Processing Annex. This sets out terms for how we would work with our registrars when processing registrants’ personal data during the registering, renewing, transferring or managing of .UK domain names to ensure GDPR compliance.
The Privacy Services Framework will be replaced with recognition of a Proxy Service, within a new .UK RRA to allow registrars to offer proxy services to registrants who do not wish to have their details passed to Nominet.
Additionally, we propose changing the rules for the data we collect for domain names that end in second-level .uk domain registrations, such as example.uk. We will no longer require a UK ‘address for service’ bringing this into line with third-level .UK domains such as example.co.uk, example.org.uk and so on.
The consultation is open until 5pm UK time tomorrow.
Dirk Krischenowski says
If the registrant has given permission to display the registrant’s name or address, is the registry then obliged to display the data? What would be the incentive for the registrant and the registry to display the data?
Michele Neylon says
Dirk
If the registry’s policy is to never display the data I don’t see how they can be obliged to do so by a registrant.
There are quite a number of reasons why you’d want to display the data, e.g. for certain types of SSL certs it can help expedite the request.
Michele
Rob Golding says
>>If the registrant has given permission to display the registrant’s name or address, is the registry then obliged to display the data
Permission to do something isn’t an Obligation to do it.
I have permission to paint the walls at my office if I choose to, I’m under no obligation at all to dig out the brushes and rollers 🙂