The EU's General Data Protection Regulation (GDPR) has only just started to be enforced, but it is already creating some seriously big waves in the online world, as Techdirt has reported. Most of those are playing out in obvious ways, such as Max Schrems's formal GDPR complaints against Google and Facebook over "forced consent" (pdf). That hardly came as a shock -- he's been flagging up the move on Twitter for some time. But there's another saga underway that may have escaped people's notice. It involves ICANN (Internet Corporation for Assigned Names and Numbers), which runs the Internet's namespace. Back in 2015, Mike memorably described the organization as "a total freaking mess", in an article about ICANN's "war against basic privacy". Given that history, it's perhaps no surprise that ICANN is having trouble coming to terms with the GDPR.
The bone of contention is the information that is collected by the world's registrars for the Whois system, run by ICANN. EPAG, a Tucows-owned registrar based in Bonn, Germany, is concerned that this personal data might fall foul of the GDPR, and thus expose it to massive fines. As it wrote in a recent blog post:
We realized that the domain name registration process, as outlined in ICANN's 2013 Registrar Accreditation Agreement, not only required us to collect and share information we didn't need, it also required us to collect and share people's information where we may not have a legal basis to do so. What's more, it required us to process personal information belonging to people with whom we may not even have a direct relationship, namely the Admin and Tech contacts [for each domain name].
All of those activities are potentially illegal under the GDPR. EPAG therefore built a new domain registration system with "consent management processes", and a data flow "aligned with the GDPR's principles". ICANN was not happy with this minimalist approach, and sought an injunction in Germany in order to "preserve Whois data" -- that is, to force EPAG to collect those administrative and technical contacts.
(Score: 2, Interesting) by The Mighty Buzzard on Saturday June 02 2018, @02:57AM (9 children)
It doesn't matter what's in whose best interest on this issue. What matters is that no nation or union should be allowed to arbitrarily declare rules that citizens of other nations must follow. That is a far more important issue. Frankly, I'm not even sure any non-EU nation is going to agree to cooperate in any way whatsoever once it gets to the courts.
My rights don't end where your fear begins.
(Score: 4, Informative) by maxwell demon on Saturday June 02 2018, @08:32AM (5 children)
The ICANN does business in the EU. Therefore for that business, it has to obey EU rules. It's that simple.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by The Mighty Buzzard on Saturday June 02 2018, @10:30AM (4 children)
Incorrect. The EU leaves its area of authority to do business with ICANN.
My rights don't end where your fear begins.
(Score: 2) by maxwell demon on Saturday June 02 2018, @10:45AM (3 children)
So you are saying the ICANN is not involved when a European individual or company registers a domain name?
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by The Mighty Buzzard on Saturday June 02 2018, @11:42AM (2 children)
I'm saying EU residents go to ICANN not the other way around.
My rights don't end where your fear begins.
(Score: 2) by coolgopher on Sunday June 03 2018, @02:12AM (1 child)
ICANN is still registered as a US entity, is it not?
(Score: 2) by The Mighty Buzzard on Sunday June 03 2018, @10:39AM
Is that relevant? ICANN doesn't pop shat up on anyone's computer saying please become a registrar and give us moneys. They go to ICANN knowing full well what it entails.
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Saturday June 02 2018, @02:53PM (2 children)
If what non-EU companies do with data on European citizens had no impact at all on these citizens the GDPR would not have been created. The reality is that EU citizens are targeted on a large scale in ways that effectively mean that these companies operate in the EU according to non-EU rules. If you're so upset about EU regulations having an effect on US companies then you should be able to understand that people in the EU are upset by US companies operating in the EU as if US rules apply there. Yes, I know, an argument often used is that the internet has no borders. Fine, now you've got yourself a GDPR that has no borders.
(Score: 2) by The Mighty Buzzard on Sunday June 03 2018, @01:44AM (1 child)
Impact is irrelevant. Authority is what's relevant and the EU does not have it in this instance any more than China has the authority to tell non-Chinese websites that they can't print non-governmentally-approved facts on the grounds that Chinese people might see it. Do you begin to see the bullshit now?
My rights don't end where your fear begins.
(Score: 0) by Anonymous Coward on Monday June 04 2018, @07:28AM
There's no bullshit. They can make their laws and enforce them on their territories. In theory as long as you don't ever visit China or need to do business with China it doesn't affect you. Same goes for the EU. The second you step foot in their territory they could arrest you for breaking their laws.
But in practice China does abduct people:
https://thediplomat.com/2016/04/china-abducts-taiwanese-in-kenya/
https://www.newyorker.com/news/news-desk/why-did-china-kidnap-its-provocateurs
Do note the USA does that sort of stuff too:
https://en.wikipedia.org/wiki/Extraordinary_rendition
https://www.newsroom.co.nz/2018/03/12/96067/opinion-megaupload-case-still-a-travesty-of-justice#
https://www.techdirt.com/articles/20170825/16404938087/once-again-new-zealands-spying-megaupload-execs-found-to-be-illegal.shtml
https://www.reuters.com/article/us-usa-cybersecurity-arrest/moscow-accuses-united-states-of-kidnapping-russian-hacker-idUSKBN0FD0Z020140708
You can see a different style and priority :).