[gnso-rpm-wg] Impact of GDPR on URS (and later UDRP)

George Kirikos icann at leap.com
Sat Jan 13 15:53:10 UTC 2018


Hi folks,

Just to followup on this GDPR topic that I brought up in December, see
the blog post published by ICANN yesterday:

https://www.icann.org/news/blog/data-protection-and-privacy-update-seeking-community-feedback-on-proposed-compliance-models

in particular "Model 3":

"Model 3 would allow for the display of Thin registration data and any
other non-personal registration data. To access non-public
information, a requestor would provide a subpoena or other order from
a court or other judicial tribunal of competent jurisdiction. This
model would apply to ***all registrations on a global basis.***"
(emphasis added)

Model 3 is also discussed at the bottom of page 8:

https://www.icann.org/en/system/files/files/interim-models-gdpr-compliance-12jan18-en.pdf

It seems to me that changes to the URS and UDRP procedures might be
required, should Model 3 be adopted (I didn't bother to look at Models
1 and 2 in detail yet, but presumably there might be similar
concerns).

ICANN is allowing feedback for 17 days (!!), with a deadline of
January 29, 2017. Since that post was yesterday, that means there are
16 days left to submit feedback.

Sincerely,

George Kirikos
416-588-0269
http://www.leap.com/


On Tue, Dec 5, 2017 at 11:56 AM, George Kirikos <icann at leap.com> wrote:
> Hi folks,
>
> With the WHOIS changes that are apparently coming due to GDPR, e.g. see:
>
> https://opensrs.com/blog/2017/11/gdpr-updates-whois-changes/
> https://opensrs.com/wp-content/uploads/gdpr_ind.pdf
>
> this will likely require that we review the impact on URS (and later
> UDRP) procedures that provide notice to registrants, as well as other
> technical aspects. e.g. the URS contains lines like:
>
> "1.2 Contents of the Complaint:
> ....
> 1.2.3 Name of Registrant (i.e. relevant information available from
> Whois) and Whois listed available contact information for the relevant
> domain name(s)."
>
> This information will no longer be public for a class of registrants
> (depending on the implementation by registrars). It's different from
> "Proxy" WHOIS, where there is a *public* contact point (who can then
> change it to the true underlying registrant)
>
> If there's no other group looking at this issue, it would appear that
> it would fall to us to make any relevant technical changes to the URS
> (and UDRP) *before* our final report, to meet the GDPR deadline.
> Otherwise, in a post GDPR setting, the existing policies might lead to
> problems for all parties (complainant, registrar, registrant,
> registry, providers, etc.).
>
> Perhaps as a starting point, we should canvass the URS (and UDRP?)
> providers for their GDPR implementation plans?
>
> Sincerely,
>
> George Kirikos
> 416-588-0269
> http://www.leap.com/


More information about the gnso-rpm-wg mailing list