“Cybercriminals could be the biggest fans of GDPR”: new warning over WHOIS policy
- IP expert highlights need to clarify GDPR’s territorial scope
- Contends that a key aspect of ICANN’s independent assessment is “wrong”
- Warns of “absurd implementation and bad policy which no one wants”
With the General Data Protection Regulation (GDPR) becoming enforceable on May 25 2018, all eyes are on its potential impact on rights holders’ access to accurate and reliable WHOIS data. One industry expert warns of the “absurd” policies that could result from incorrect analysis of the regulations – adding that cybercriminals “anywhere in the world” could soon become the biggest fans of GDPR.
We previously presented two guest blogs on the GDPR and WHOIS. These looked at, respectively, how access to current levels of WHOIS data could be under threat and what the proposed interim models for compliance – published by ICANN – may mean in practice (with the warning that one of the options would effectively result in the WHOIS database as we know it today going dark). It is an issue that trademark counsel need to be following, and in our latest analysis piece, available in full below, David Taylor, partner at Hogan Lovells, highlights the urgent need to clarify the GDPR’s territorial scope. Failure to do so could lead to an incorrect interpretation of the rules and result in “bad policy” that will benefit cybercriminals.
The GDPR sets out to do many good things, and protecting the personal data of consumers is one of them. Its potential impact on the DNS and WHOIS is currently very much under the microscope as we wait to see what ICANN decides as a GDPR compliant model to move forward with before May 2018.
There is an urgent need to clarify the GDPR’s territorial scope. Of the many changes the GDPR will usher in this May, the expansion of EU privacy law’s territorial scope is one of the most important. The GDPR provides for broad application of its provisions both within the EU and globally. But the fact that the GDPR has a broad territorial scope does not mean that every company, or all data processing activities, are subject to it. Rather, the GDPR puts important limitations on its territorial scope that must be acknowledged and correctly analyzed by those interpreting the regulation for the global business community. Otherwise, it could lead to absurd implementation and bad policy which no one wants.
EU establishment: the reality
- Where registrars are established in the EU, the registrars' use and processing of personal data is subject to the GDPR. That is no surprise to anyone.
- Where registrars have no establishment in the EU, but offer domain name registration services to data subjects in the EU, the processing of personal data in the context of such an offer will also be subject to the GDPR. Again, no surprise, and logical.
- However, where a registrar is based outside the EU, without an establishment in the EU, and uses a processor in the EU, such a non-EU based registrar (as a controller) will not be subject to the GDPR merely because the EU-based processor is established in the EU. It would only be caught by the GDPR if the processing is done "in the context" of that establishment. That is the key point: if we are not careful in our reflections on the future of WHOIS, and this is not interpreted correctly, we may find ourselves faced with potentially absurd results. All obligations directly applicable to the processor under the GDPR will of course apply to the EU-based processor.
A wrong interpretation on WHOIS
Consider the example of WHOIS (searchable registries of domain name holders), where there is presently much debate amongst the many and varied actors in the domain name industry over whether public WHOIS databases can remain public under the GDPR. The second part of ICANN’s independent assessment of this issue offered an analysis of the GDPR’s territorial reach that deserves closer scrutiny. Addressing the territorial limits of the law, the authors state: “Therefore, all processing of personal data is, no matter where it is carried out, within the territorial scope of the GDPR as long as the controller or processor is considered established within the EU; the nationality, citizenship or location of the data subject is irrelevant.”
In other words, the authors conclude that as long as a controller or processor has an “establishment” in the EU, all processing of personal data it undertakes, regardless of the location or nationality of the data subject and regardless of whether the processing has any nexus to the EU, is subject to the GDPR.
This is wrong. The analysis overlooks key language of the GDPR. Under Article 3.1, the law applies not to any processing that is done by a company that happens to have an establishment in the EU, but to processing done “in the context of” that establishment.
This distinction makes a difference. Imagine, for example, a Canadian company that has an office in Paris. Under the authors’ analysis, the GDPR would apply to all processing done by that company simply by virtue of it having a Paris office, whether the data subjects interacting with it were French, Canadian, or even American, whether they accessed the company’s services from France, Canada, or the US, and even if all the processing occurred outside of the EU. This would be an absurd result inconsistent with the text of the GDPR and sound policy. In order to determine whether the GDPR applies, one must look not only at whether the company has an establishment in the EU, but also at whether the processing occurred within the context of that establishment. If the processing occurs in the US or Canada for a Canadian data subject without any link to the EU establishment, clearly the processing is not done in the context of the EU establishment. Thus, the GDPR does not apply.
The territorial reach of the GDPR may also unfortunately afford protection to cybercriminals who register domain names from outside the EU. In effect, EU-based registrars are obliged to implement the same protections for all registrants, irrespective of whether they are data subjects in the EU. This means that if there is a cybercriminal in the US who has no connection to the EU in any way, but who decides to select an EU-based registrar for his or her domain names and then uses those domain names for DNS abuse or other malicious or infringing activities, the EU-based registrar, which will be considered a controller and is thus subject to the GDPR also with regard to data subjects outside the EU, has to comply with the GDPR in respect of that registrant, and thus in respect of the US-based cybercriminal. This could have far-reaching consequences, and indeed we may yet find that cybercriminals anywhere in the world could be among the biggest fans of the GDPR.
Whilst this does seem bizarre, the context is that the EU-based registrar has to comply with the GDPR as the "law of the land", and the law of the land does not exclude any data subject from its protection on the basis of their location, residence or nationality.
Understanding the territorial reach of the GDPR, and the limitations of that reach, is critical. The GDPR has the potential to shift global data privacy law and policy. As such, stakeholders must be well-informed on both the substance and the reach of the law’s protections.