Jump to content

General Data Protection Regulation: Difference between revisions

From ICANNWiki
m Reverted edits by Kiran Kumar (talk) to last revision by Dustin Phillips
Jessica (talk | contribs)
(25 intermediate revisions by 7 users not shown)
Line 1: Line 1:
The '''Global Data Protection Regulation (GDPR)''' or '''Regulation (EU) 2016/679'''<ref>[http://eur-lex.europa.eu/eli/reg/2016/679/oj Regulation (EU) 2016/679 of the European Parliament and of the Council] 27 April 2016</ref> is a regulation aimed at protecting all EU citizens and residents from privacy and data breaches. It was adopted on 14 April 2016 by the European Parliament (EP) after four years of collaborative drafting and negotiations.<ref>[https://www.lexology.com/library/detail.aspx?g=48ffff43-a5cd-40d3-ac1d-6c0a43cd4d21 Lexology - EU General Data Protection Regulation Finally Adopted] 15 April 2016</ref> The regulation is also an update of Data Protection Directive. Enforcement for the GDPR goes into effect on 25 May 2018.<ref>[http://ec.europa.eu/justice/data-protection/reform/index_en.htm Reform of EU data protection rules]. Retrieved 27 Jun 2017.
The '''General Data Protection Regulation (GDPR)''' or '''Regulation (EU) 2016/679'''<ref>[http://eur-lex.europa.eu/eli/reg/2016/679/oj Regulation ([[EU]]) 2016/679 of the European Parliament and of the Council] 27 April 2016</ref> is a regulation designed to modernize and harmonize the data protection laws across the European Union (EU), giving citizens and residents of the EU more control of their data and providing a more consistent regulatory framework for businesses.<ref>[https://www.infolawgroup.com/2016/05/articles/gdpr/gdpr-getting-ready-for-the-new-eu-general-data-protection-regulation/ GDPR: Getting Ready for the New EU General Data Protection Regulation] Accessed on 8 February 2018</ref> This new EU data protection framework will replace the Data Protection Directive, or '''Directive 95/46/EC''' of 1995. Enforcement for the GDPR goes into effect on 25 May 2018.<ref>[http://ec.europa.eu/justice/data-protection/reform/index_en.htm Reform of EU data protection rules]. Retrieved 27 Jun 2017.
</ref>  
</ref>  
[[File:GDPRTimeline.png|border|300px|right]]
[[File:GDPRTimeline.png|border|300px|right]]
Line 5: Line 5:


With the update on existing legislation, the GDPR is more precise and inclusive of what constitutes private information than its predecessor. Personal data, that is anything that can identify a user, including an [[IP Address|IP address]] is included, as well as 'sensitive personal data' which may include genetic and biomedical data.
With the update on existing legislation, the GDPR is more precise and inclusive of what constitutes private information than its predecessor. Personal data, that is anything that can identify a user, including an [[IP Address|IP address]] is included, as well as 'sensitive personal data' which may include genetic and biomedical data.
==Applicability and Scope==
Under the Data Protection Directive of 1995 only applied to companies with legal establishment in an EU country or uses equipment located in the country to process the data. The GDPR expands the territorial reach to include controllers or processors outside of the EU for data processing activities relating to the offering of goods or services to individuals in the EU or to the monitoring of their behavior.<ref>[https://www.wileyrein.com/newsroom-newsletters-item-May_2017_PIF-The_GDPRs_Reach-Material_and_Territorial_Scope_Under_Articles_2_and_3.html The GDPR's Reach: Material and Territorial Scope Under Articles 2 and 3]</ref> EU guidance has made it clear that any website that offers goods or services to EU residents, or that routinely processes and/or stores data of website visitors is technically subject to GDPR enforcement.<ref name="gdproutsideEU">[https://gdpr.eu/companies-outside-of-europe/ GDPR.eu - Companies Outside of Europe]</ref> Two exceptions apply to this broad statement:
#The GDPR only applies to organizations engaged in “professional or commercial activity.” Note that "professional or commercial activity" is only defined in contrast to "personal or household activity."<ref name="recital18">[https://gdpr.eu/Recital-18-Not-applicable-to-personal-or-household-activities/ GDPR Recital 18 - Not Applicable to Personal or Household Activities]</ref> "Enterprise" is defined in Article 4 as "a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity."<ref>[https://gdpr.eu/article-4-definitions/ GDPR Article 4]</ref> This seems to assign "professional or commercial activity" by inference to the activity of "enterprises," while "personal or household activity" is described as a "natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity."<ref name="recital18" /> However, natural people can be "enterprises" under the definition. The EU guidance suggests, for example, that "if you’re collecting email addresses from friends to fundraise <nowiki>[for]</nowiki> a side business project, then the GDPR may apply to you."<ref name="gdproutsideEU" />
#Small- and medium-sized enterprises (SMEs - defined as having less than 250 employees) are not totally exempt from the GDPR, but they do not have to comply with the record-keeping regulations in Article 30.<ref>[https://gdpr.eu/article-30-records-of-processing-activities/ GDPR Article 30 - see specifically Article 30.5]</ref>


==GDPR and WHOIS==
==GDPR and WHOIS==
The GDPR directly impacts the domain name space, most notability the [[WHOIS]] service. Prior to the GDPR enforcement date, [[ICANN]]'s contracted parties ([[Registry|Registries]] and [[Registrar]]s) expressed concern about their about to comply with their contractual requirement and be GDPR compliant. In light of this concern and the uncertainty around the implications of GDPR on WHOIS, ICANN announced that it would defer action against registries and registrars for noncompliance related to registration data.<ref>[https://www.icann.org/resources/pages/contractual-compliance-statement-2017-11-02-en ICANN Contractual Compliance Statement] Accessed 2 February 2018</ref>
The GDPR directly impacts the domain name space, most notability the [[WHOIS]] service. Prior to the GDPR enforcement date, [[ICANN]]'s contracted parties ([[Registry|Registries]] and [[Registrar]]s) expressed concern about their about to comply with their contractual requirement and be GDPR compliant. In light of this concern and the uncertainty around the implications of GDPR on WHOIS, ICANN announced that it would defer action against registries and registrars for noncompliance related to registration data.<ref>[https://www.icann.org/resources/pages/contractual-compliance-statement-2017-11-02-en ICANN Contractual Compliance Statement] Accessed 2 February 2018</ref>


===The "Cookbook"===
On 8 March 2018, the ICANN Organization released its "Interim Model for Compliance with ICANN Agreements and Policies in Relation to the European Union's General Data Protection Regulation,"<ref>[https://www.icann.org/news/blog/data-protection-privacy-issues-icann61-wrap-up-and-next-steps Data Protection/Privacy Issues: ICANN61 Wrap-up and Next Steps]</ref> (or The Cookbook) including a description of the interim model, as well as explanation and rationale for its plan. The Cookbook also provides open question about several elements, seeking guidance from the community and DPAs.<ref>[https://www.icann.org/en/system/files/files/gdpr-compliance-interim-model-08mar18-en.pdf]</ref>
===Temporary Specification ("Temp Spec")===
On 17 May 2018 the Temporary Specification for gTLD Registration Data<ref>https://www.icann.org/en/system/files/files/gtld-registration-data-temp-spec-17may18-en.pdf</ref> was approved by the ICANN Board. If a contracted parties is based in the European Economic Area or deals with EEA-based registrants it is required for them to to redact the following data from public whois records, unless the Registered Name Holder consents to its publishing:
* Registry Registrant ID
* Registrant Name
* Registrant Street
* Registrant City
* Registrant Postal Code
* Registrant Phone
* Registrant Phone Ext
* Registrant Fax
* Registrant Fax Ext
Notwithstanding, if the contact (e.g., Admin, Tech) does not consent, the analogous Tech and Admin data must also be redacted.
===Accreditation Model===
Under the Temporary Specification Policy, Appendix A, point 4.1, it is extablished that Registrars and Registries must comply to requests from third parties with legitimate interests.<blockquote>Registrar and Registry Operator MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject pursuant to Article 6(1)(f) GDPR. </blockquote>At ICANN62 it was discussed how a layered Accreditation Model would look like, which would allow third parties with legitimate interests to have access to Personal Data in Registration Data regarding the fields relevant to their legitimate interests. This is, as of 27 June 2018, still under debate.
== Similiar Initiatives in Other Countries ==
India is exploring a  [[White Paper on Data Protection framework for India|similar data protection measure]], and has a call for public comments on a white paper. It is available for comment as of March 2018.


Brazil's legislative is currently debating two Data Protection Bills, one of which was designed as to be GDPR-compliant.


== References ==
== References ==
[[Category:Data Protection Regulation]]
[[Category:Legislation]]

Revision as of 19:10, 20 October 2022

The General Data Protection Regulation (GDPR) or Regulation (EU) 2016/679[1] is a regulation designed to modernize and harmonize the data protection laws across the European Union (EU), giving citizens and residents of the EU more control of their data and providing a more consistent regulatory framework for businesses.[2] This new EU data protection framework will replace the Data Protection Directive, or Directive 95/46/EC of 1995. Enforcement for the GDPR goes into effect on 25 May 2018.[3]

The GDPR places specific legal obligations on 'controllers' and 'processors', those who acts as intermediaries between the user/consumer and themselves, the government or any other actor. The controller determines how and why data is processed and processors act on the controller's behalf. Processors maintain data records and are held responsible in case of a breach.

With the update on existing legislation, the GDPR is more precise and inclusive of what constitutes private information than its predecessor. Personal data, that is anything that can identify a user, including an IP address is included, as well as 'sensitive personal data' which may include genetic and biomedical data.

Applicability and Scope[edit | edit source]

Under the Data Protection Directive of 1995 only applied to companies with legal establishment in an EU country or uses equipment located in the country to process the data. The GDPR expands the territorial reach to include controllers or processors outside of the EU for data processing activities relating to the offering of goods or services to individuals in the EU or to the monitoring of their behavior.[4] EU guidance has made it clear that any website that offers goods or services to EU residents, or that routinely processes and/or stores data of website visitors is technically subject to GDPR enforcement.[5] Two exceptions apply to this broad statement:

  1. The GDPR only applies to organizations engaged in “professional or commercial activity.” Note that "professional or commercial activity" is only defined in contrast to "personal or household activity."[6] "Enterprise" is defined in Article 4 as "a natural or legal person engaged in an economic activity, irrespective of its legal form, including partnerships or associations regularly engaged in an economic activity."[7] This seems to assign "professional or commercial activity" by inference to the activity of "enterprises," while "personal or household activity" is described as a "natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity."[6] However, natural people can be "enterprises" under the definition. The EU guidance suggests, for example, that "if you’re collecting email addresses from friends to fundraise [for] a side business project, then the GDPR may apply to you."[5]
  2. Small- and medium-sized enterprises (SMEs - defined as having less than 250 employees) are not totally exempt from the GDPR, but they do not have to comply with the record-keeping regulations in Article 30.[8]

GDPR and WHOIS[edit | edit source]

The GDPR directly impacts the domain name space, most notability the WHOIS service. Prior to the GDPR enforcement date, ICANN's contracted parties (Registries and Registrars) expressed concern about their about to comply with their contractual requirement and be GDPR compliant. In light of this concern and the uncertainty around the implications of GDPR on WHOIS, ICANN announced that it would defer action against registries and registrars for noncompliance related to registration data.[9]

The "Cookbook"[edit | edit source]

On 8 March 2018, the ICANN Organization released its "Interim Model for Compliance with ICANN Agreements and Policies in Relation to the European Union's General Data Protection Regulation,"[10] (or The Cookbook) including a description of the interim model, as well as explanation and rationale for its plan. The Cookbook also provides open question about several elements, seeking guidance from the community and DPAs.[11]

Temporary Specification ("Temp Spec")[edit | edit source]

On 17 May 2018 the Temporary Specification for gTLD Registration Data[12] was approved by the ICANN Board. If a contracted parties is based in the European Economic Area or deals with EEA-based registrants it is required for them to to redact the following data from public whois records, unless the Registered Name Holder consents to its publishing:

  • Registry Registrant ID
  • Registrant Name
  • Registrant Street
  • Registrant City
  • Registrant Postal Code
  • Registrant Phone
  • Registrant Phone Ext
  • Registrant Fax
  • Registrant Fax Ext

Notwithstanding, if the contact (e.g., Admin, Tech) does not consent, the analogous Tech and Admin data must also be redacted.

Accreditation Model[edit | edit source]

Under the Temporary Specification Policy, Appendix A, point 4.1, it is extablished that Registrars and Registries must comply to requests from third parties with legitimate interests.

Registrar and Registry Operator MUST provide reasonable access to Personal Data in Registration Data to third parties on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject pursuant to Article 6(1)(f) GDPR

At ICANN62 it was discussed how a layered Accreditation Model would look like, which would allow third parties with legitimate interests to have access to Personal Data in Registration Data regarding the fields relevant to their legitimate interests. This is, as of 27 June 2018, still under debate.

Similiar Initiatives in Other Countries[edit | edit source]

India is exploring a similar data protection measure, and has a call for public comments on a white paper. It is available for comment as of March 2018.

Brazil's legislative is currently debating two Data Protection Bills, one of which was designed as to be GDPR-compliant.

References[edit | edit source]