
Response to proposed changes to .UK policy arising from GDPR

Acorn Newsbot

In preparation for the enforcement date of 25 May 2018, Nominet conducted a review into how the EU General Data Protection Regulation will affect its operations. A number of proposed changes were published for comment between March 1 and April 4 2018.

The key changes confirmed following this process are:

  • Registrant data will be redacted from the WHOIS from 22 May 2018, unless explicit consent has been given.
  • Law enforcement agencies will nonetheless be able to access all registry data via an enhanced Searchable WHOIS service available free of charge.
  • Other interested parties requiring unpublished information will be able to request access to this data via our data disclosure policy, operating to a 1 working day turnaround.
  • The registration policy for all .UK domains will be standardised – replacing the separate arrangements currently in operation for second and third-level domains.
  • The .UK Registrar Agreement will be updated, renamed the .UK Registry-Registrar Agreement, and will include a new data processing annex.
  • The existing Privacy Services framework will cease to apply.

Commenting on the changes, Nominet COO Ellie Bradley said: “We have taken a conservative approach to publishing data, to ensure that we do not fall foul of the new legislation. While, as a result, we will be publishing less data on the WHOIS – we have comprehensive procedures already in place that ensure that we will continue to respond swiftly to requests for information to pursue legitimate interests.”

The proposals also outlined an approach to replacing the existing privacy services framework with recognition of a Proxy Service offered by registrars. In response to the feedback, Nominet has decoupled this proposal from the bulk of the GDPR-related changes and will consult further on this topic in June 2018.

A summary of the feedback and Nominet response can be found here.

Additionally, the red-line policies and contracts that will come into effect on 22 May 2018 are listed below.

  • dotUK Rules of Registration
  • WHOIS Contract Terms
  • Ts and Cs of Domain Name Registration
  • .UK Registrar Agreement (to be renamed .UK RRA)

The post Response to proposed changes to .UK policy arising from GDPR appeared first on Nominet.

 
So basically whois information will be almost useless in future, unless the domain owner has consented to provide their details.
 
Yes. You won't know who owns any domain, let alone how to contact them. A phisher's paradise, since there will be no way to check a legitimate(ish) looking domain to see if it really does belong to a bank vs Joe Scammer.
 
This very day I have received a letter enquiring to buy a domain name from someone who used the Nominet whois data; no longer possible from June onwards. Rare, but it does happen.
 
I'm sure anyone who's actively looking to sell domains, will opt in to have their details viewable (I will be), so apart from possible problems with people using domains in scams, I'm not seeing there being much difference.
 
I guess at least now if you want your information kept private, you don't have to pay for the privilege
 
I guess at least now if you want your information kept private, you don't have to pay for the privilege

The other difference is that companies will also be able to hide all their details, not just individuals.
 
It's a blunt approach by Nominet. There's no real justification for why corporate bodies should have WHOIS details redacted at all.

Having said that, I can see why Nominet has taken the approach that it has. Nobody really knows how GDPR will play out, but a major player like Nominet would likely be held to higher standards. And ICANN appears to have sat on its hands for the past two years, providing no leadership on the issue.

I'd like to think that any legitimate business - especially B2C - will opt in to show WHOIS details. And I hope that Nominet will refine its position once the GDPR dust has settled.
 
It's a blunt approach by Nominet.

I don't feel that Nominet or even ICANN have had a say in the matter, the fact that this was a move without many industry sectors being consulted, they are just making adjustments that they feel will help the transition to full GDPR being at the very least understood better by domain holders and registrars.

It will be very interesting once the fines start being issued, I for one am holding off on a couple of travel projects to see how the GDPR hits small retail agents whose websites obtain personal data. I see many of the smaller businesses are looking to just close their sites for alternative contact points so they don't run foul of the GDPR.
 
Nominet provided a partial explanation, which I will paraphrase and add to: since they can’t be 100.00% sure that absolutely all registrants who have claimed to be companies are in fact companies AND the new penalties for abusing individual privacy are so huge, the prudent course was to (reluctantly) extend the Whois optout to every registrant on a blanket basis.

I can kinda sorta see their logic: definitely on the cautious side, but not outrageous.
 
But they're validating registrant data, so they should know who is a real company. Even if they made WHOIS available for any registrant with a valid (and matching) company number, that would be a positive step.

The argument that company websites are legally obliged to display contact information is a bit null and void if the domain doesn't have a public website attached.
 
The argument that company websites are legally obliged to display contact information is a bit null and void if the domain doesn't have a public website attached.

As far as I know, there's no obligation under the law for companies to identify themselves publicly on a domain name, only on website(s). Not under the law-of-the-land law, anyway... Nominet's current policies may differ, and of course they're what bind current domain registrants.

But a company without a website doesn't have a "company website" so they won't be in breach of anything in the future if their Whois is obscured. (I would assume they legally have to display contact info on anything they use as a website alternative, such as a company Facebook page)

Where it gets tricky is situations where the company is making use of the domain name in some oblique way involving public interaction (e.g. to publish an email newsletter from) but there's no associated website on it. Not sure what they should do under those circumstances.
 
BTW, another consequence of the changes is that, if you're a registrar providing a paid "privacy" service, that revenue stream is going to go away since all domain registrants will have privacy by default. Just something to be aware of.
 
BTW, another consequence of the changes is that, if you're a registrar providing a paid "privacy" service, that revenue stream is going to go away since all domain registrants will have privacy by default. Just something to be aware of.
In the same way as 123-reg (and others) sell privacy to .uk clients 'for personal use'. Unfortunately these companies will still find a way to offer a paid service that isn't required.
 
I don't feel that Nominet or even ICANN have had a say in the matter, the fact that this was a move without many industry sectors being consulted, they are just making adjustments that they feel will help the transition to full GDPR being at the very least understood better by domain holders and registrars.

Of course Nominet (and all data controllers and processors) have a say in the matter - or at the very least how they implement changes. They are the ones that have to establish a lawful basis for processing data and have the appropriate policies in place.

GDPR was adopted almost 2 years ago, with the interim period providing sufficient time for organisations to sort out how to comply. And there was ample open consultation on GDPR going back to at least 2012.

ICANN's response has been wholly inadequate (registrars are contractually required to publish WHOIS data), and Nominet is understandably weary of WHOIS fragmentation.

Nominet's approach is understandable given where we are now, but a more refined solution could've been found if heads had been banged together in 2016.

It will be very interesting once the fines start being issued, I for one am holding off on a couple of travel projects to see how the GDPR hits small retail agents whose websites obtain personal data. I see many of the smaller businesses are looking to just close their sites for alternative contact points so they don't run foul of the GDPR.

FWIW I don't think that much will change for most SMEs (especially if they are already 'data aware'). GDPR formalises several aspects of processing data and good security practice, but isn't that onerous for day-to-day stuff.

The ICO's lack of resources will probably mean that they will only pursue egregious or high profile cases, so you might be waiting a while for precedents to be established - and even then, each case will be looked at on its own merits against the regulations.
 
Where it gets tricky is situations where the company is making use of the domain name in some oblique way involving public interaction (e.g. to publish an email newsletter from) but there's no associated website on it. Not sure what they should do under those circumstances.

The Companies Act explicitly extended the scope of a 'business letter' to include websites and emails in 2006. It could be argued that a newsletter devoid of any commercial intent is not a business letter, but in practice it's better to avoid confusion by simply adding the statutory information in all emails. Pinsent Masons has a good guide:

https://www.out-law.com/page-431

In regards to WHOIS, there are legal, philosophical, practicable and commercial considerations:
  • Legally, there may be no compulsion on corporate bodies to have details published on WHOIS
  • Philosophically, I can see no justification in withholding corporate ownership - transparency for the consumer ought to outweigh any spurious reasons to conceal the data. WHOIS has become a useful tool in 'due diligence'
  • Practically speaking I understand the implementation issues, hence hoping that Nominet can refine its approach in the future
  • Commercially, savvy companies will choose to opt-in. They will be seen as being more open and trustworthy
 
GDPR, having to conform etc. Since we're leaving the EU why would we have to follow an EU directive and why does it have any significance?

The new and global trading United Kingdom will clearly be outside of the house of cards that is the Euro club and a currency that I believe in time will be a non currency.

Am I missing something??

Personally I've had enough of domaining and will be selling my portfolio, outside of the sectors I have an interest in.

So my only question is; Do we still have control over the .UK till 2019?
As I certainly don't want to be regging one for the price of two!!

But if I have to - I'll be opting in.
However I'm sure people who want to buy irrespective of this will find a way to track an owner!!
 
GDPR, having to conform etc. Since we're leaving the EU why would we have to follow an EU directive and why does it have any significance?

Am I missing something??

Yup ;)
  • We're still in the EU until we leave
  • EU law will be enshrined into UK law (as part of the 'Great Repeal Act' - an essential part of the Brexit process if we're to avoid chaos)
  • GDPR's scope covers handling of EU citizens' data - whether the organisation is EU-based or not (and so Nominet has no choice but to act)
And unless Nominet has sneaked a change out, you'll still have .UK RoR until June next year.
 
