Admittedly we’ve been largely silent on the topic of the new European General Data Protection Regulation (GDPR) because frankly, we don’t really know how to deal with it. The reality is, nobody really knows how to deal with it. The Registrar Stakeholders Group (RRSG) has been very frustrated, and ICANN, never missing an opportunity to avoid an issue, has been little help. (They’ve issued a temporary specification allowing registrars to not display whois details, but they did not grant a requested moratorium on compliance. The obligation to collect said data still applies. At least one registrar, EPAG, based in Germany, has ceased collecting that data because they believe doing so violates GDPR, and ICANN has duly filed an injunction against them.)
We consulted with our external counsel who handled our positioning for the Canadian Anti Spam Legislation (CASL) who told us, in effect, “we don’t know what you should do either, just do what Tucows does”. In practice, because we use the OpenHRS/Tucows registry stack, we’re largely constrained by whatever they do, and for now, they’re redacting whois across the board, even for non-European registrants. Some registries are also following suit. (Tucows also happens to be the parent company of EPAG, mentioned above).
The whois database is the big thing across the entire domain business. All registrars are contractually obligated under the terms of their accreditation to publish whois records containing contact info for domain registrants, but doing so for European registrants seemingly runs afoul of GDPR.
But as I thought about this more, it suddenly hit me that it reminded me of 2016, when the European VAT rules shifted from applying those taxes at the location of the vendor to applying them at the location of the consumer. That supposedly meant that all businesses around the world would have to collect VAT on their European clients and remit it back to Europe quarterly.
Uh yeah, we’re not going to be doing that.
So following on that theme…
Why should any business outside of the EU care what the GDPR contains?
How is it different from when some foreign court hands down a court order pertaining to one of our customers which we will not take action on until they obtain proper letters rogatory to have it enforced in our jurisdiction?
When the FDA sent us a list of domains belonging to Canadian companies that were fully compliant with Health Canada demanding we take them down, did we do it?
If we suddenly receive a court order from afar in a language we can’t even read, are we going to hire a translator and then do whatever it tells us to do? (Turns out it was Polish and we had somebody here who could read it, but we still didn’t do what it was ordering us to do.)
When China wants us to prevent any citizen from using our dynamic DNS service, which would enable them to circumvent the Great Firewall of China, are we going to hire a team of developers to code it into our system? (We were once offered exactly that deal by a large router company wanting to set up a dyndns business there, and we turned it down.)
No, no and no.
So why are non-European companies frantically running around, updating their privacy policies, trying to re-permission all their mailing lists, even to non-European users, trying to over-comply with something that at most only affects non-business customers in EU member states?
All prior history of internet governance would have us taking the position that, being a Canadian company, we are going to operate by Canadian law, and not by European law. Here we have PIPEDA, which covers data privacy, and more recently CASL, the anti-spam legislation. Further, the way CIRA operates the whois system for .CA – where individual registrants have their data redacted by default and companies have it displayed – seems to have hit a happy medium which has more or less worked fine for nearly 20 years.
But until such time as the EU enters into an international treaty with Canada to have us enforce the GDPR and collect VAT (oh yeah, I’m totally gonna vote for the hack who campaigns on that platform), why do we actually care what the GDPR says?
By even pretending to acknowledge the GDPR’s applicability to non-Euro businesses, we open ourselves up to having to comply with every other political jurisdiction in the world, now and in the future, such as Europe’s forthcoming Copyright Reform, which really is a bag of crap that contains provisions for things like mandatory ISP filtering on user uploaded content and “link taxes”.
Sure, Google and Facebook and Apple do have to worry about this, because they’ve domiciled their foreign HQs in Ireland so that they can shelter all that foreign revenue from US taxation. Karma’s a bitch. But for the rest of us small fries, who pay taxes on all our revenues here in our home countries, and who are not sheltering billions of dollars in offshore tax havens that happen to be under EU rules, can somebody explain to me how this is in any way our problem?
But GDPR gives us the opportunity to be better companies
So says this post by Hansel Dunlop over on Medium, and I totally respect his ethos and his aspirations to be a better company. But here’s the thing: everybody had the opportunity to be better companies all along. Some of us already took that opportunity: easyDNS doesn’t sell our customer data, we don’t datamine it, we don’t track them across the Internet, we’re generally known for our transparency and we don’t take liberties with our clients’ confidence.
Dunlop warns us:
I would be very wary of a company who claims this legislation is onerous. It is potentially life threatening to companies who do very shady things without your consent. That much is true. That is the entire point.
I have two responses to this.
First, increasing regulatory and compliance burdens are very much asymmetrically adverse to small, medium and independent businesses. Larger companies have greater ability to absorb the additional compliance hurdles, have the market share to pass on any of their additional compliance costs to their customers and frequently use their position and influence to lobby and shape legislation so that it often skews in their favour.
Incrementally raising compliance burdens is an actual business tactic, as related to me by somebody I’d call “a crony capitalist insider” who once organized a meeting for me to talk to some folks from one of the big four Canadian banks about Bitcoin. What he told me, point blank, was that the way business works is to work with policy makers to keep introducing new rules and regulations so that, over time, the smaller and weaker competitors would be squeezed out and the larger incumbents could absorb their customers.
The way he talked about the prospect of being first mover in the Bitcoin space was very telling:
“Here’s what you need to do if you want to make a go of this. You get big institutional money behind you. You approach the regulators, and you start working with those regulators to shape the actual rules that are going to come out. When the regulations finally come out, you get to be on the right side of them; and then you turn around and you pull the ladder up behind you and bingo. You’re a monopoly.”
I always felt that meeting was very educational, but I had to take a shower the moment I got home. It was more evidence for what I already suspected: increasing regulatory burdens are usually more about consolidating markets than protecting consumers. I’m not saying that’s the case with GDPR, but I am saying that the additional burden of compliance always does hit the smaller companies harder than the 800lb gorillas.
My second counter to Dunlop (but not aiming at his company) is that I would be skeptical of companies who are suddenly getting religion around their clients’ privacy and personal data sovereignty solely because they think they are legally compelled to do so. That’s not reassuring. You know those companies will do the bare minimum, you know they’ll be tempted to cut corners and you know they’ll game it. And if they follow the same line of reasoning we are here and surmise that GDPR isn’t applicable to them, they’re going to abrogate it anyway.
(All those re-permissioning email requests you’re getting? My prediction is that the first thing that happens is everybody craps themselves, because they’ll be lucky to pull a 20% confirmation rate and they realize that if they go through with this then they just killed their lists. Then they’ll pretend it never happened and keep emailing their entire list anyway. If you’ve used proper list building techniques from the outset, you don’t need to re-permission even if you’re within the EU, because you have opt-in and confirmation data for all your subscribers, or else you have an active business relationship with them, like CASL here in Canada, right?)
At the end of the day, a culture of customer respect is either baked in to the company ethos or it’s conspicuous in its absence. A new set of regulations passed by faceless, unelected bureaucrats in another jurisdiction isn’t going to magically put it there. Like ICANN’s Whois Accuracy Program (WAP), and some complaints I have about CASL, all that most new regulations typically do is make life harder for rule followers while not really doing anything about the rule breakers (except maybe to turn what were formerly rule followers into rule breakers by hiking the compliance burden over their heads).
For the most part, easyDNS already complies with most of the GDPR that I’m familiar with anyway. In general we deal primarily with data that our clients want the entire world to see, and we don’t store any of your billing details. As per the lawyers’ advice we’ll be adjusting our data retention policy, which will more clearly specify when we delete your data after you cease being a client, but we’re doing so to make sure we’re onside with PIPEDA, which is Canada’s data privacy law, not to be onside with Europe’s.
But as long as we keep doing our job of doing right by you, hopefully that day will never come.
Melvin R SHEERAN says
So glad you’re doing these writings . . . . Helps us get our Heads out of the SAND and see who’s trying to Kick our A . . .
The USA has a whole bevy of extra territorial laws
The EU has a few.
GDPR is not difficult to comply with, and its basic requirements are virtually human rights, privacy, right to be forgotten etc.
As you say, “because frankly, we don’t really know how to deal with it.” Perhaps you might abstain from writing nonsense until you do, regards
Mark E. Jeftovic says
I was speaking within the context of a domain registrar who is contractually obligated under the terms of accreditation to collect and publish whois data, and the GDPR which forbids it. Given that nobody has solved this, I’m all ears.
Benjamin Scherrey says
You cannot have a right that requires someone else to perform an action on your behalf – that’s literally enslavement. The “right to be forgotten” is, in fact, a “right to avoid responsibility for one’s actions” and eliminates a lot of legitimate business opportunities and impedes on the rights of others to access public information about actual facts. It’s nonsense and downright immoral.
Nothing nonsensical in this post. If anything it’s remarkably practical, level headed, and points out the flaws in the extra-territoriality provisions, trying to reach EU law into other jurisdictions who have no legal reason to comply with the GDPR.
All the EU has done is give European citizens a false sense of security, because unless there’s a treaty that enforces something like this in the company’s home country, GDPR has no legal teeth if that company has no physical presence in an EU member state.
“Right to be forgotten”? Don’t make me laugh. No other nation, as far as I know, recognizes this as a “human right”. On the other hand, the right to the freedom of speech trumps any “right to be forgotten”, so how is this a “virtual human right”? Privacy doesn’t extend to being forgotten if you do something stupid in public. Your “right to be forgotten” laws are pretty much the joke of the rest of the world.
EXCELLENT article – as a small-to-medium online service provider based in Canada who has had many of the same concerns raised in this article, it’s gratifying (and somewhat of a relief) to find out that it’s not just me. The article also essentially confirms many of the same things I had suspected, but wasn’t really able to confirm: particularly that, for a Canadian business that’s already gone to the effort of ensuring PIPEDA and CASL-compliance, it’s effectively safe to ignore GDPR (especially if they have no presence or customers in the EU).
I can’t add anything to the discussion itself, but I WILL note that I find it extremely telling that GDPR’s cheerleaders so frequently trot blatant circular/tautological reasoning & textbook examples of the “No True Scotsman” fallacy – usually in the form of “If you have confusion about GDPR, then you must not be competent” (see the post by “Dave”, for example). Which, now that I think of it, is probably also an example of the Post Hoc fallacy.
Then he cites US extraterritorial laws – though how that has ANYTHING to do with Canada or this actual article is unclear. As best I can tell, his point there boils down to “two wrongs make a right” – or that the US’s actions justify the EU to get “revenge,” and who cares if the rest of the world gets caught up in their pathetic little feud.
It’s also laughable that ANYONE would cite “right to be forgotten” as some kind of positive – when that has been widely acknowledged as a total failure, which mostly only benefits people who want to unduly hide evidence of past misdeeds (criminal convictions, etc) that the public has a genuine right to be aware of. I’m honestly looking forward to the first time someone from the EU demands I take something down because of the “right to be forgotten”: my response will be to suggest, instead, they can kindly go “forget” themselves – long AND hard.
Mike Meredith says
On a practical note (and as an EU resident), I’m happy for my contact details to be published in whois; it’s part of my job. At the very least I’d like to see my domains with the hostmaster@$work published.
The GDPR’s ‘right to be forgotten’ isn’t quite as dumb as it’s made out to be; the right is subject to any number of restrictions. In effect the right is limited to removing personal data in the event that it is being misused (i.e. processed for a purpose for which it is not intended) or there is no longer a valid reason to keep it. As to the example of hiding misdeeds, no the right to be forgotten doesn’t allow that.
Mark E. Jeftovic says
The functionality to re-enable visibility on your Whois records is coming. I know what you mean, as a business I want our address info visible for all to see too.
I just got an email from your hostmaster address with the following subject:
URGENT: Review and update your data use preferences
So it seems that you are doing something? Can you give an update on this? Thanks.
Mark E. Jeftovic says
Hi Sandra, yes, those are coming from Tucows/OpenSRS, our registry backend platform. They are real, and you can action those (as long as you are following a link to https://approve.easydns.com). We are putting a clarification into today’s #AxisOfEasy.
I just received a new version of this e-mail, now captioned “GDPR Action Required. Sorry, but true…”
When visiting the action page it says consent is optional, but it does not explain what the consequence is of withholding consent. Neither does the “Data Use Information” page.
I have .com and .org domains and am inclined to give consent. However, I would like to understand what would be the consequences of not giving consent?
Mark E. Jeftovic says
We’re working on getting these dialed back or off, they are coming from our registry backend provider and it looks like they are going out on a per-domain basis. Sorry for this.