Following our previous communication regarding how Ascio will handle domain management related aspects of the General Data Protection Regulation (GDPR) I would like to give you an update of where we are and what we intend to do.
As many of you no doubt have read, The Article 29 Working Party (WP29) responded to ICANN’s request for a moratorium on enforcement action by Data Protection Agencies to give contracted parties time to implement the interim model that ICANN put forward. The WP29 response clearly states that it supports the reduction of personal data within the WHOIS and that the accreditation model to allow access to that data was nowhere near as defined as WP29 would like.
That advice and the follow-up communication means that Ascio can now begin to solidify our plans in relation to GDPR, this of course could all change but we now feel that we are approaching a point where partners need an implementable solution. The headline areas are:
WHOIS for Thin Top Level Domains (TLDs)
After the 25th May we will no longer publish elements of the social data associated with thin TLDs (com, net, cc, tv). All domains sponsored by Ascio will have social data replaced with “Not Disclosed” in the WHOIS fields with the exception of the Registrant State/Province, Registrant Postcode and Registrant Country. That data will still be published, partners and registrants may still chose to use the Ascio Proxy Service to mask that data. Following the WP29 advice the email addresses will also be redacted and Ascio will provide a webform alternative for interested parties to contact the registrant as shown below. This webform will be rate limited and protected using recaptcha to prevent abuse by bots. The system will send a partner branded message to the recorded registrant email address with a confirmation sent to the requestor. No other action or storage will be taken by Ascio.
We are conscious that certain registrants will still want their details published and to enable that we will be extending the Ascio Web Service (AWS) and the Ascio portal with an additional field that will allow partners to select if the social data should be disclosed. More details of that functionality are provided below.
Thick TLDs and Country Code TLDs (ccTLDs)
We continue to have discussions with the other major registry operators to best understand their plans in relation to the display of personal data within the WHOIS. It is likely that we will enable contact of the registrant through the webform for gTLDs, if not available through the registry WHOIS, and the new feature in AWS will serve to limit what data we send to registries if they reduce their data requirements. Some ccTLD operators have already indicated that specifying the contact type will be important in terms of whether the social data will be displayed in the WHOIS. I would encourage you to begin looking at the pre-existing fields in AWS and the portal when creating contacts.
The situation remains extremely fluid and it is unlikely that all TLDs will have an implementable solution ready by the end of May. We will address the most important ccTLDs first and make sure Partners are aware of changes that have the biggest impact.
The subject of transfer remains a topic of debate amongst the Registries, Registrars and ICANN. A call was held with ICANN last Friday to discuss the changes, we previously reported on, that were suggested by the TechOps Subcomittee. ICANN has asked for further details and rationale and as we continue to engage in that process we have taken the decision to implement the majority of those proposals.
As we are unlikely to have access to the registrant email address, in the future inbound transfers will no longer trigger the Form of Authorisation (FOA) process. As parsing data will be heavily impacted we can no longer support data-less transfers, partners will need to submit transfers with the full social data along with the correct authcode. The Registrant Verification (RV) process will remain in place and we will seek acceptance of the transfer through the details you provide.
Outbound transfers will now trigger an FOA process to ensure the registrant of record wishes to transfer their domain away. If positive acceptance is not provided we will not NACK the transfer and prevent it from happening. If positive acknowledgement is provided we will of course allow the transfer to take place. We feel this is in the best interests of the partner and registrant and provides a degree of security afforded in the existing transfer process. With this in mind we are also reviewing our authcode practices, we will provide updates on those efforts in the near future.
As you can appreciate, information is being provided and changing constantly, we intend to provide more visibly of that within the Ascio portal and Ascio TLDKits with dedicated GDPR resources.
Please click here for the API-Workflow