In preparation for the enforcement date of 25 May 2018, Nominet conducted a review into how EU General Data Protection Regulation will affect its operations. A number of proposed changes were published for comment between March 1 and April 4 2018.
The key changes confirmed following this process are:
- Registrant data will be redacted from the WHOIS from 22 May 2018, unless explicit consent has been given.
- Law enforcement agencies will nonetheless be able to access all registry data via an enhanced Searchable WHOIS service available free of charge.
- Other interested parties requiring unpublished information will be able to request access to this data via our data disclosure policy, operating to a 1 working day turnaround.
- The registration policy for all .UK domains will be standardised – replacing the separate arrangements currently in operation for second and third-level domains.
- The .UK Registrar Agreement will be updated, renamed the .UK Registry-Registrar Agreement, and will include a new data processing annex.
- The existing Privacy Services framework will cease to apply.
Commenting on the changes, Nominet COO Ellie Bradley said: “We have taken a conservative approach to publishing data, to ensure that we do not fall foul of the new legislation. While, as a result, we will be publishing less data on the WHOIS – we have comprehensive procedures already in place that ensure that we will continue to respond swiftly to requests for information to pursue legitimate interests.”
The proposals also outlined an approach to replacing the existing privacy services framework with recognition of a Proxy Service offered by registrars. In response to the feedback, Nominet has decoupled this proposal from the bulk of the GDPR-related changes and will consult further on this topic in June 2018.
A summary of the feedback and Nominet response can be found here.
Additionally, the following red-line policies and contracts that will come into effect on 22 May 2018 are listed below.