Will May 2018 be the death of Whois?
The General Data Protection Regulation (GDPR) is a sweeping new privacy regulation that will have a major impact on industries handling the personal data of people in the EU, including the domain name industry. Domain name companies are scrambling to figure out how to comply, all while racing against the clock with unclear guidelines from the EU and ICANN. GDPR applies to all companies that handle data about EU residents, not just companies based in the EU.

“The goal is to strengthen and unify data protection for all individuals of the EU, to protect personal data and ensure free flow of data within the EU,” said Thomas Rickert, an attorney and Head of the Names & Numbers Forum at eco, which represents domain name registrars and registries.

The regulation aims to minimize data collection and increase transparency. GDPR will certainly affect Whois: what data registrars collect about their customers, and whom they share it with. The parties affected include registrars, registries, data escrow companies and even ICANN itself.

“It’s safe to say that, since ICANN is spelling out the requirements on what needs to be collected and how data is being dealt with, ICANN is also a data controller and therefore the sanction risks are also with ICANN, since they’re basically prescribing exactly what needs to be done with it.”

ICANN has created a matrix of data flows in the domain name process and opened it for public comment. The default under GDPR is that data shouldn’t be collected and processed, so ICANN and its contracted parties will need to have a good reason for collecting data and an even better one for publishing it. Don’t expect everyone to be on the same page; law enforcement and intellectual property interests will push back against a reduction in public data.

Right now registrars handle private information for .com and .net domains and publish it in Whois. These two TLDs are supposed to transfer to a thick Whois model, but don’t be surprised if this is delayed.
New top-level domain registries are going to lean on their registry service providers for GDPR compliance when it comes to Whois. GDPR could also affect the value of Whois privacy services, which are a big cash cow for many registrars.
A guide for the perplexed
For a data engineer, the first four chapters are the most relevant. If you carry out processing on behalf of a “Data Controller”, you are probably a “Data Processor”. As a “Data Subject” your rights are covered by a number of articles within the regulation. A Data Subject could ask your organisation to hand their data over to a competitor (the right to data portability), and you would be legally obliged to do so. Since the point of the regulation is to protect personal data, a Data Controller has to take reasonable steps to verify that any request you make actually comes from you. Where your data is acquired other than directly from you as Data Subject, the organisation has to give you the contact details of the Data Controller from which it obtained the data.

Articles 24 and 25 (general obligations) require that whatever technical or organisational safeguards protect personal data be applied by design and by default. Article 35 requires a data protection impact assessment when processing is likely to result in high risk, taking into account the scope, context and purpose of the activity. Article 30 makes it plain that a record of processing activities must be maintained: which processes exist, who is responsible for them and the categories of personal data processed. In certain circumstances an organisation must appoint a Data Protection Officer, for example when its core function is large-scale processing of special categories of data such as forensic information. The regulation makes clear that the Data Protection Officer cannot be instructed or coerced by the Data Controller or Data Processor in the execution of their duties. If you put in place all the technical and organisational safeguards necessary to comply with GDPR, then the personal data you hold on behalf of your Data Subjects should be well protected.
Chapter 5 deals with transfer of data to countries and organisations outside the EU, and Chapter 6 describes the powers and responsibilities of the official supervisory authorities. If an organisation has to gain explicit permission to use someone’s data, then those organisations that treat their customers with respect and demonstrate their trustworthiness are likely to be the winners from GDPR.
The GDPR will cause challenges for connected care developers
Telecare and telehealth apps and devices potentially generate huge amounts of data that could be used for various purposes. Today, data is increasingly used to help patients without requiring the patient’s own active involvement. This includes various kinds of health data as well as user location and movement data, which could be used to identify abnormalities: if a user does things differently, for example not leaving or going to bed as usual, a notification can be sent to relatives or care givers.

Legislative authorities in the EU are developing legal frameworks intended to fit the new data-driven world of mobile health. As part of this, the General Data Protection Regulation takes effect in the EU in 2018; it aims to harmonise data protection rules across the EU, ensuring legal certainty for businesses and increasing trust in eHealth services through a consistently high level of protection for individuals. The GDPR aims primarily to give citizens and residents back control over their personal data and to simplify the regulatory environment for international businesses by unifying regulation within the EU. When the GDPR takes effect it will replace the Data Protection Directive; it becomes enforceable from May 25 next year after a two-year transition period. It does not require national governments to pass any enabling legislation and is directly binding and applicable.

Ers Frick, Senior Analyst at Berg Insight, says: “While the future is data driven, end-users do care more and more about integrity aspects. The GDPR aims to increase privacy for the end-user, which is a step in the right direction. The regulation by default actually prohibits processing of health data unless explicit consent has been given. At the same time, this will cause challenges for those telecare and telehealth solution providers that are not proactively working on their preparations.” “If the solution providers are not sufficiently prepared for handling, processing and storing sensitive data in accordance with GDPR, they could risk heavy fines for not fulfilling the requirements.”