Blog | GDPR and .IE

The five-year anniversary of the General Data Protection Regulation (GDPR) was a few months ago – when it came into force on 25 May 2018. This regulation protects individuals’ rights over their personal data and applies to any entity that collects, handles or processes the personal information of individuals inside the European Union.

The national registry for .ie domain names (.IE) began preparing for the GDPR’s implementation in a period of great confusion. Before the GDPR was fully adopted, there was a significant amount of guess work involved as to what would ultimately be required by the regulation.

To navigate this lack of clarity, .IE worked with its accredited Registrars, lawyers and the Office of the Data Protection Commissioner to ensure that the .ie namespace was GDPR-compliant and respected the rights of data subjects.

Preparatory work included a wide array of legal and policy amendments, including to the Registrant Terms & Conditions, Privacy Policy, and WHOIS Policy.  A dedicated Data and Document Retention Policy was also introduced.

These policy changes were reviewed and approved the multi-stakeholder .ie Policy Advisory Committee (PAC), and came into effect at the same time the GDPR came into force.  These policies are available to the public on the Policy Page of our website.

In addition to this, .IE achieved ISO 27001 Certification – a globally recognised standard for cybersecurity and managing information security. This further demonstrates .IE’s commitment to safeguarding data, and adhering to the principles of data protection listed in the GDPR.

What is the GDPR?

The General Data Protection Regulation (GDPR) is a complex and strict law that protects personal data and privacy in the EU and the EEA. Data protection is a fundamental right under Article 8 of the EU Charter of Fundamental Rights, and the GDPR protects this right by imposing obligations on organisations, as long as they collect or handle data related to people in the EU. This is enforced through harsh fines and penalties.

In the Republic of Ireland, the supervisory authority for the GDPR is the Data Protection Commission (DPC), which is a national independent government authority. Beyond the GDPR, it also has functions and powers related to other important privacy laws, such as the Irish ePrivacy Regulations and the EU Law Enforcement Directive.

.IE and the GDPR

When the GDPR was still in development, .IE began its preparations by monitoring and participating in international discussions on the impact of the GDPR on the domain name industry.

.IE worked with legal representation and the Office of the Data Protection Commissioner to ensure that the .ie namespace was fully GDPR-compliant. The Article 29 Data Protection Working Party, a predecessor for the European Data Protection Board, was also a good source of information. Even still, the lack of any clarity for what the regulation would include made preparations a difficult task.

Despite this, the multi-stakeholder .IE Policy Advisory Committee (PAC) navigated the uncertainty well, and several important policy changes were made to the existing Privacy Policy, and WHOIS Services Policy. A new policy on Data and Document Retention Policy was also developed.

The processing of personal data must also be fair, and avoid being misleading or deceptive.  Organisations that process personal data must clearly provide individuals with information on the type of processing and who is carrying it out.

.IE always acts in a way that is consistent with these principles. Any Personal Data processing is done with lawful basis, is not misleading, and is clearly communicated in plain language through .IE’s Data & Document Retention Policy and Privacy Policy – which also provides important information on things like data subject rights, location of processing, analytics and cookies.

The main data processing activity within the scope of the GDPR at .IE is the collection of personal data from natural persons seeking to register a domain name (the Registrant).  When registering a .ie domain name, a contract, known as the Registrant Terms & Conditions, is established between the Registrant and .IE.

Some personal data from Registrants (for example: name and contact information) is needed for .IE to perform its contractual obligations to Registrants to register .ie domains and provide its WHOIS services.

Personal Data is also collected in connection with .IE’s legitimate interest in maintaining the integrity of the company website and its services, such as validating that Registrants have complete contact information and a proven connection to Ireland.  This is also related to the rights and authorities that the Government vested to .IE, which include to maintain, update, operate and control and defend the Registry.

Situations may also arise where Registrants give their specific and informed consent to publish their Personal Data using the WHOIS .  In these situations, Registrants may withdraw their consent at any time.

The collection of personal data related to domain registration is also required to comply with particular laws. The newly adopted Network and Information Systems Directive (NIS2) states that processing personal data to maintain an accurate and complete database of domain name registration data should constitute a legal obligation for Top Level Domain registries (such as .IE).  This legislation will be transposed in Ireland no later than October 17, 2024.

Data Minimisation

Another principle of data protection is that data controllers (like .IE) should only collect and process personal data that are relevant and limited to what is necessary for the stated purpose.

An example of this is .IE’s returning Registrant registration process. This process minimises the amount of personal data that existing Registrants who are already validated need to provide.  A returning Registrant does not need to resubmit personal data to establish a connection to Ireland, as long as their contact ID/contact information is consistent with their last registration request.  Their new registration request is instantly approved without the need to submit more personal data.

Accuracy

Data controllers like .IE must take reasonable steps to ensure that personal data are accurate and, where necessary, kept up-to-date. This includes taking reasonable steps to ensure inaccurate personal data are erased or rectified.

Beyond the manual review of applications for new Registrants, there are also polices and processes that allow Registrants to easily request updates to data. The database is updated, in real time, for changes requested by Registrars, acting on the instructions of Registrants. These requests can be submitted 24/7/365.

In addition, every month, .IE manually reviews data for domain registrations to ensure that information is accurate, and that an individual’s personal contact information is not inadvertently publicly released to the WHOIS.

.IE is also preparing to adopt new policies and procedures to better ensure the accuracy of registration information in preparation for the transposition of . This will include proportionate processes to verify domain name registration data.

Storage Limitation

Data controllers must not hold on to personal data for longer than is necessary for the purposes for which the personal data was processed. .IE’s Data & Document Retention Policy clearly explains the retention periods for certain personal data, and the rationale behind each period. Personal data is stored for no longer than necessary.

Integrity and Confidentiality

Data controllers must use appropriate technical and operational measures to safeguard data. To this end, .IE achieved the industry standard ISO 27001 security certification, which ensures that an organisation manages and mitigates its cybersecurity risks effectively.

ISO 27001 is the only certifiable international standard that ensures an organisation manages and mitigates its cyber security risks effectively. This demonstrates that .IE is well equipped against cyber threats and data breaches.

Accountability

Controllers are responsible for demonstrating compliance with the other principles of data protection. This means that controllers need to have appropriate processes and policies in place where necessary.

.IE practices this principle by making its policies and procedures regarding data protection open and in plain language.  .IE also has data processing agreements with its accredited .ie Registrars built into their contractual agreements.  .IE’s accredited registrars are also subject to, and comply with, GDPR requirements.

.IE also has internal policies on data protection and privacy for its employees; clear records of processing activities; has achieved ISO27001 certification; and cooperates with the Data Privacy Commission when necessary.

Conclusion

Practicing responsible data protection has been, and always will be, a top priority for .IE. With the upcoming transposition of NIS2, .IE will review its various policies and procedures to ensure that they are in alignment with new legislation.

A key lesson learned during the preparation stages of GDPR was that delayed and ambiguous legislation hinders effective compliance planning. With this in mind, .IE will continue to work with, and advocate to the Government of Ireland, wherever possible, to prevent a repeat of its GDPR preparations – which were largely marked by uncertainty and a lack of guidance.

Ensuring that the rights of data subjects are protected and built into any new processes is of the utmost importance for .IE. The very capable members of the Policy Advisory Committee will continue to help navigate .IE through any regulatory maze, as they have done so for years.

Declan McDermott is our Internet Policy & Compliance Officer.