[gnso-rds-pdp-wg] international law enforcement association resolution regarding domain registration data

theo geurts gtheo at xs4all.nl
Thu Apr 27 19:16:03 UTC 2017


Hi John,

Let's use this solution to explore and let me put you on the spot in 
this exercise ;)

Now I am going to modify your example and focus on RDS with gated access.
In this scenario, all info is available worldwide with the exception of 
EU Registrants that are not a company. This access is restricted and 
requires gated access.

The first thing that will happen is a rise of EU registrants with Rogue 
Pharmacies who will enjoy the protection of gated access for the wrong 
reasons in my opinion.

What is the solution?
LegitScript, and I suggest others will have a good look at Article 40 
(code of conduct) of the GDPR.
After you and others went through this process, you almost have gated 
access.

The only barrier left is Privacy Shield certification and its key 
requirements.
https://www.privacyshield.gov/Key-New-Requirements

Congrats! You are all set and done, welcome to the gated access!

Sure you have to comply with a set of rules and regulations, but access 
is there.

Of course, you will have to stop showing full WHOIS info like for 
pharmacy-xl.com also, and you cannot push the data to other companies 
without consent from the data subject, after all, you got a subsidiary 
company located in Dublin and you do not want to end up with a 20 
million Euro fine.

Best regards,

Theo

Well, on that note, let me propose a solution to consider.

Volker and others have pointed out that the EU has some legal requirements
pertaining to privacy. As far as I can tell, these generally don't exist
elsewhere. (That's not to say "nowhere," but it's the exception, not the
rule.) Let's stipulate, for the sake of argument, that registrars in those
countries have to adhere to those laws. However, the purpose of privacy
laws in Germany, France or Sweden is to protect the citizens of those
countries -- not registrants in other countries.

As a trade-off, it seems reasonable to me to explore a solution where EU
registrars agree to forego accepting domain name registrations from outside
their own jurisdiction. We can then have a bifurcated system -- this
should only apply to registrants using the domain name for non-commercial
reasons, by the way, since the privacy laws only apply to individuals, not
corporations -- where, say, a German citizen can register with Key-Systems
(for example) and enjoy whatever data protections Key-Systems feels that it
needs to implement. (Volker, I'm not picking on you here, I'm just using
you as an EU-based example.) It's incredibly easy to implement technically:
just restrict the available countries in the drop-down menu during
registration to a single country.

After all, as a US citizen, why should I -- or a Chinese citizen, or a
Brazilian citizen -- have the right to avail myself of the privacy
protections afforded by the German government to German citizens? Those
aren't meant for me.

And, after all, why should privacy protections that apply to a minority of
the world's population force a global change everywhere?

I'd be interested to hear from registrars whether, in exchange for being
able to implement rigorous privacy protections for domain names used for
non-commercial purposes, they would be willing to forego accepting
registrations from outside of their own jurisdiction (or, perhaps, the EU).
This would allow Volker and others to comply with their own laws but in a
minimally disruptive way.

John Horton
President and CEO, LegitScript

















