Admittedly we’ve been largely silent on the topic of the new European General Data Protection Regulation (GDPR) because frankly, we don’t really know how to deal with it. The reality is, nobody really knows how to deal with it. The Registrar Stakeholders Group (RRSG) has been very frustrated, and ICANN, never missing an opportunity to avoid an issue, has been little help. (They’ve issued a temporary specification allowing registrars to not display whois details, but they did not grant a requested moratorium on compliance, so the obligation to collect said data still applies. At least one registrar, EPAG, based in Germany, has ceased collecting that data because they believe doing so violates GDPR, and ICANN has duly sought an injunction against them.)
We consulted with our external counsel who handled our positioning for the Canadian Anti Spam Legislation (CASL) who told us, in effect, “we don’t know what you should do either, just do what Tucows does”. In practice, because we use the OpenHRS/Tucows registry stack, we’re largely constrained by whatever they do, and for now, they’re redacting whois across the board, even for non-European registrants. Some registries are also following suit. (Tucows also happens to be the parent company of EPAG, mentioned above).
The whois database is the big thing across the entire domain business. All registrars are contractually obligated under the terms of their accreditation to publish whois records containing contact info for domain registrants, but doing so for European registrants seemingly runs afoul of GDPR.
But as I thought about this more, it suddenly hit me that it reminded me of 2015, when the European VAT rules for digital services shifted the place of taxation from the vendor’s location to the consumer’s. That supposedly meant that all businesses around the world would have to collect VAT from their European clients and remit it back to Europe quarterly.
Uh yeah, we’re not going to be doing that.
So following on that theme…
Why should any business outside of the EU care what the GDPR contains?
How is it different from when some foreign court hands down a court order pertaining to one of our customers, on which we will not act until they obtain proper letters rogatory to have it enforced in our jurisdiction?
When the FDA sent us a list of domains belonging to Canadian companies that were fully compliant with Health Canada demanding we take them down, did we do it?
If we suddenly receive a court order from afar in a language we can’t even read, are we going to hire a translator and then do whatever it tells us to do? (It turned out to be Polish and we had somebody here who could read it, but we still didn’t do what it was ordering us to do.)
When China wants us to prevent its citizens from using our dynamic DNS service, which would let them circumvent the Great Firewall of China, are we going to hire a team of developers to code it into our system? (We were once offered exactly that deal by a large router company wanting to set up a dyndns business there, and we turned it down.)
No, no and no.
So why are non-European companies frantically running around, updating their privacy policies, trying to re-permission all their mailing lists, even to non-European users, trying to over-comply with something that at most only affects non-business customers in EU member states?
All prior history of internet governance would have us taking the position that, being a Canadian company, we are going to operate by Canadian law and not by European law. Here we have PIPEDA, which covers data privacy, and more recently CASL, the anti-spam legislation. Further, the way CIRA operates the whois system for .CA – where individual registrants have their data redacted by default and companies have it displayed – seems to have hit a happy medium which has more or less worked fine for nearly 20 years.
But until such time as the EU enters into an international treaty with Canada to have us enforce the GDPR and collect VAT (oh yeah, I’m totally gonna vote for the hack who campaigns on that platform), why do we actually care what the GDPR says?
By even pretending to acknowledge the GDPR’s applicability to non-EU businesses, we open ourselves up to having to comply with every other political jurisdiction in the world, now and in the future, such as Europe’s forthcoming Copyright Reform, which really is a bag of crap that contains provisions for things like mandatory ISP filtering of user-uploaded content and “link taxes”.
Sure, Google and Facebook and Apple do have to worry about this, because they’ve domiciled their foreign HQs in Ireland so that they can shelter all that foreign revenue from US taxation. Karma’s a bitch. But for the rest of us small fries, who pay taxes on all our revenues here in our home countries, and who are not sheltering billions of dollars in offshore tax havens that happen to be under EU rules, can somebody explain to me how this is in any way our problem?
But GDPR gives us the opportunity to be better companies
So says this post by Hansel Dunlop over on Medium, and I totally respect his ethos and his aspirations to be a better company. But here’s the thing: everybody had the opportunity to be better companies all along. Some of us already took that opportunity: easyDNS doesn’t sell our customer data, we don’t datamine it, we don’t track our customers across the Internet, we’re generally known for our transparency and we don’t take liberties with our clients’ confidence.
Dunlop warns us:
I would be very wary of a company who claims this legislation is onerous. It is potentially life threatening to companies who do very shady things without your consent. That much is true. That is the entire point.
I have two responses to this.
First, increasing regulatory and compliance burdens are very much asymmetrically adverse to small, medium and independent businesses. Larger companies have greater ability to absorb the additional compliance hurdles, have the market share to pass on any of their additional compliance costs to their customers and frequently use their position and influence to lobby and shape legislation so that it often skews in their favour.
Incrementally raising compliance burdens is an actual business tactic, as related to me by somebody I’d call “a crony capitalist insider” who once organized a meeting for me to talk to some folks from one of the big four Canadian banks about Bitcoin. What he told me, point blank, was that the way business works is to work with policy makers to keep introducing new rules and regulations so that over time, the smaller and weaker competitors get squeezed out and the larger incumbents absorb their customers.
The way he talked about the prospect of being first mover in the Bitcoin space was very telling:
“Here’s what you need to do if you want to make a go of this. You get big institutional money behind you. You approach the regulators, and you start working with those regulators to shape the actual rules that are going to come out. When the regulations finally come out, you get to be on the right side of them; and then you turn around and you pull the ladder up behind you and bingo. You’re a monopoly.”
I always felt that meeting was very educational, but I had to take a shower the moment I got home. It was more evidence for what I already suspected: increasing regulatory burdens are usually more about consolidating markets than protecting consumers. I’m not saying that’s the case with GDPR, but I am saying that the additional burden of compliance always hits the smaller companies harder than the 800lb gorillas.
My second counter to Dunlop (but not aimed at his company) is that I would be skeptical of companies who are suddenly getting religion around their clients’ privacy and personal data sovereignty solely because they think they are legally compelled to do so. That’s not reassuring. You know those companies will do the bare minimum, you know they’ll be tempted to cut corners and you know they’ll game it. And if they follow the same line of reasoning we are here and surmise that GDPR isn’t applicable to them, they’re going to disregard it anyway.
(All those re-permissioning email requests you’re getting? My prediction is the first thing that happens is everybody craps themselves, because they’ll be lucky to pull a 20% confirmation rate and they realize that if they go through with this then they’ve just killed their lists. Then they’ll pretend it never happened and keep emailing their entire list anyway. If you’ve used proper list-building techniques from the outset, you don’t need to re-permission even if you’re within the EU, because you have opt-in and confirmation data for all your subscribers, or else you have an active business relationship with them, like CASL requires here in Canada, right?)
At the end of the day, a culture of customer respect is either baked into the company ethos or it’s conspicuous in its absence. A new set of regulations passed by faceless, unelected bureaucrats in another jurisdiction isn’t going to magically put it there. Like ICANN’s Whois Accuracy Program (WAP), and some complaints I have about CASL, all most new regulations typically do is make life harder for rule followers while not really doing anything about the rule breakers (except maybe to turn what were formerly rule followers into rule breakers by hiking the compliance burden over their heads).
For the most part, easyDNS already complies with the GDPR as far as I’m familiar with it anyway. In general we deal primarily with data that our clients want the entire world to see, and we don’t store any of your billing details. As per the lawyers’ advice, we’ll be adjusting our data retention policy to more clearly specify when we delete your data after you cease being a client, but we’re doing so to make sure we’re onside with PIPEDA, Canada’s data privacy law, not to be onside with Europe’s.
But as long as we keep doing our job of doing right by you, hopefully that day will never come.