auDA – 2017 Policy Review Panel Submission

auDA – 2017 Policy Review Panel Submission

On Friday / Saturday during the plane ride home, I did up my submission for the Policy Review Panel. Yes, you are right – I was bored out of my skull and sleep alluded me. But it did give me enough time undistracted to get it done. The wonders of the internet on planes.

You can see the submission below, feel free to leave any comments, etc.

As you will notice, I have said that there needs to be extensive community consultation to make sure we get this right.

Submission to the 2017 Policy Review Panel

Remember, submissions close Friday, November 10 COB. If you have something to say, even if it doesn’t answer every question maybe just one, submit it.

GDPR – General Data Protection Regulation – Part 1

GDPR – General Data Protection Regulation – Part 1

NOTICE: I am not a lawyer, and therefore this should not be construed as legal advice. This is how I see it, and I could be right, or I could be severely wrong. In any event, please speak with legal representation about the situation.

One of the last weeks most significant topics at the ICANN60 AGM was around the General Data Protection Regulation which comes into effect on the 25th May 2018.

This is a regulation, and not a directive as well. What’s the difference, well a directive would still need member states to pass their legislation to have it enabled. Regulation, however, does not require any of these and so is instantly in effect across all member states.

There are several terms which one should become familiar with

“Data Subjects” is a reference to individuals in the EU member states who are having their data processed/handled.

“Data Processor” is meant to cover anybody who has to process data to complete a contractual obligation to another entity. Registrars and Registries in the ICANN ecosystem are such entities which are classified as Data Processors.

“Data Controllers” is another interesting term, which covers all entities who require their subordinates to provide them with data to enable services to be provided. It has been argued that ICANN will be a Data Controller by definition. However, it still is yet to be determined if that is the case.

“Data Protection Officer” is a security leadership role, who is in charge of making sure all aspects of data processing and system processes are in line with the requirements for GDPR and any spin off’s around the globe.

“Data Protection Authority” is the entity per member state that is in charge of making sure everyone is implementing GDPR compliance correctly, as well as issuing fines, etc. for problems in their jurisdiction (i.e. country).

If you are interested in reading the regulation itself, then you can grab it from here. Warning, reading the document may cause your eyes to bleed and your soul to burn. You have been warned.

There is just so much to go through in regards to the GDPR and all the various known and unknown elements. So I will be covering this over multiple blog posts to try and make this as easy to understand. This blog post is the primer, so you at least understand the basic principles before we go into depth.

And yes, while it covers data subjects in EU member states – it does not exclude companies outside of the member states. Everybody is in the same boat. If you are selling products and services to anybody located within the EU, then you are bound by it.

To appoint or not appoint a representative to the EU GDPR?

According to the GDPR, outside organisations who process EU data subjects should appoint a representative to the EU and any allegations or issues would be referred to this rep. However, bare in mind that this representative could also become embroiled in any matters with non-compliance of the GDPR. This is in addition to the actual processor/controller themselves being involved.

And just to make it abundantly clear, just because you appoint a representative that doesn’t mean you will avoid any prosecutions, etc. for breaching the GDPR. They could still come calling to say hi regardless.

How do I know if I am bound/included by this?

There has been a discussion that if you do not directly target EU individuals, then it’s not such an issue – but from what I can see, the definition of targeting seems to be a little vague. One example is apparently if you only sell services on a very occasional basis to EU individuals, then it is claimed you are not targeting them. Or the information you are processing is not defined as “Sensitive Personal Data”.

However, one such scenario gives me the cranks and makes me wonder if there will not be a legal showdown at some time shortly is if you are a registry or registrar who provides services to end users, then you could take the example above, and it might not be a big deal. But, to me, if you offer a ccTLD or TLD that has a basis in the EU zone or could be construed that way, then too me you are targeting EU individuals. Especially if that ccTLD or TLD has registration requirements that only EU based residents can register them. So, therefore, you are bound by GDPR regardless.

I am going to go out on a limb here, and just say it. Until you have confirmation, you are not involved with GDPR, assume you are. It’s better to be safe than sorry in my books.

auDA AGM confirmed for Monday 27th November 2017 @ 11:00am

auDA AGM confirmed for Monday 27th November 2017 @ 11:00am

Yesterday auDA released their notice of the Annual General Meeting for 2017 on Monday the 27th November 2017 @ 11:00 am.

AGM is being held at Bridge Room 2, Crown Plaza Melbourne
1 – 5 Spencer Street, Melbourne, Victoria

Some great members have been nominated (3) in Supply class and (5) in Demand Class.

You can see candidate statements below:

Supply Class Candidate Statements

Demand Class Candidate Statements

If you are a current financial member of auDA, there are two ways to vote.

  1. You can vote in person at the AGM
  2. You can fill out a proxy form and return to auDA by COB Thursday the 23rd November AEDT. Forms need to be filled out and hand signed, then scanned and emailed to Ron Ritchie <>

I am going to be attending in person so will have a few spots available in my car. Reach out to me if you would like to get a lift in.

You can find the pre-filled proxy form nominating myself as your proxy on my site.

Even if you are not voting for me, please find a candidate who you can back. There needs to be new blood at auDA – this is too important to sit on the sidelines


2017 auDA Elections

2017 auDA Elections

I have decided to throw my hat into the ring and have been nominated for a seat at the auDA board table in the Demand Directors position.

After being involved with the internet now since it’s early days, and having spent the last 10 years actively working with auDA and AusRegistry in both a technical and policy position I want to give something back to the community.

auDA still has important work to do, and we need to get on with the job.

.au namespace is still one of the most widely respected ccTLD’s in the world, and if we want to keep it that way it’s time to put all the petty squabbling and arguments to the side and to borrow a Donald Trump-ism “Make .au Great Again!”

I will be posting exactly what my position is on a number of topics here on my personal website in the next day or so for review.

I welcome any comments or questions and want to thank you for the vote of confidence.


Craig Marchant