NOTICE: I am not a lawyer, and therefore this should not be construed as legal advice. This is how I see it, and I could be right, or I could be severely wrong. In any event, please speak with legal representation about the situation.
One of last week's most significant topics at the ICANN60 AGM was the General Data Protection Regulation (GDPR), which comes into effect on 25th May 2018.
It is a regulation, not a directive. What's the difference? A directive would still need each member state to pass its own legislation to give it effect. A regulation requires none of that and so applies directly across all member states as soon as it comes into force.
There are several terms which one should become familiar with:
"Data Subjects" refers to individuals in the EU member states whose data is being processed or handled.
"Data Processor" covers anybody who has to process data to complete a contractual obligation to another entity. Registrars and Registries in the ICANN ecosystem are entities which are classified as Data Processors.
"Data Controllers" is another interesting term, which covers all entities that require their subordinates to provide them with data to enable services to be provided. It has been argued that ICANN will be a Data Controller by definition; however, it is yet to be determined whether that is the case.
"Data Protection Officer" is a security leadership role, in charge of making sure all aspects of data processing and system processes are in line with the requirements of the GDPR and any spin-offs around the globe.
"Data Protection Authority" is the entity in each member state that is in charge of making sure everyone is implementing GDPR compliance correctly, as well as issuing fines, etc. for problems in its jurisdiction (i.e. country).
If you are interested in reading the regulation itself, you can grab it from here. Warning: reading the document may cause your eyes to bleed and your soul to burn. You have been warned.
There is just so much to go through in regards to the GDPR and all its various known and unknown elements, so I will be covering this over multiple blog posts to try and make it as easy to understand as possible. This blog post is the primer, so you at least understand the basic principles before we go into depth.
And yes, while it covers data subjects in EU member states, it does not exclude companies outside of the member states. Everybody is in the same boat. If you are selling products and services to anybody located within the EU, then you are bound by it.
To appoint or not appoint a representative to the EU GDPR?
According to the GDPR, outside organisations who process the data of EU data subjects should appoint a representative in the EU, and any allegations or issues would be referred to this representative. However, bear in mind that this representative could also become embroiled in any matters of non-compliance with the GDPR. This is in addition to the actual processor/controller themselves being involved.
And just to make it abundantly clear: appointing a representative does not mean you will avoid prosecution, etc. for breaching the GDPR. They could still come calling to say hi regardless.
How do I know if I am bound/included by this?
There has been a discussion that if you do not directly target EU individuals, then it's not such an issue, but from what I can see the definition of targeting seems to be a little vague. One example is apparently that if you only sell services on a very occasional basis to EU individuals, then it is claimed you are not targeting them. Another is if the information you are processing is not defined as "Sensitive Personal Data".
However, one scenario gives me the cranks and makes me wonder if there will not be a legal showdown at some time shortly. If you are a registry or registrar who provides services to end users, then you could take the example above, and it might not be a big deal. But, to me, if you offer a ccTLD or TLD that has a basis in the EU zone, or could be construed that way, then you are targeting EU individuals, especially if that ccTLD or TLD has registration requirements that only EU-based residents can register them. So, therefore, you are bound by the GDPR regardless.
I am going to go out on a limb here and just say it. Until you have confirmation that you are not involved with the GDPR, assume you are. It's better to be safe than sorry in my books.