GDPR and .IE
The General Data Protection Regulation (GDPR) came into force on 25 May 2018, so its fifth anniversary passed a few months ago. The regulation protects individuals' rights over their personal data and applies to any entity that collects, handles or processes the personal information of individuals inside the European Union.
The national registry for .ie domain names (.IE) began preparing for the GDPR's implementation in a period of great confusion. Before the GDPR was fully adopted, a significant amount of guesswork was involved in working out what the regulation would ultimately require.
To navigate this lack of clarity, .IE worked with its accredited Registrars, lawyers and the Office of the Data Protection Commissioner to ensure that the .ie namespace was GDPR-compliant and respected the rights of data subjects.
These policy changes were reviewed and approved by the multi-stakeholder .ie Policy Advisory Committee (PAC), and came into effect on the same day the GDPR came into force. The policies are available to the public on the Policy Page of our website.
In addition, .IE achieved ISO 27001 certification, the internationally recognised standard for information security management systems. This further demonstrates .IE's commitment to safeguarding data and to the principles of data protection set out in the GDPR.
The principles of data protection, as set out in Article 5 of the GDPR, are as follows:
- Lawfulness, Fairness & Transparency
- Purpose Limitation
- Data Minimisation
- Accuracy
- Storage Limitation
- Integrity and Confidentiality
- Accountability
Through early preparation, a collaborative approach and a sustained focus on cybersecurity, .IE achieved the difficult task of becoming GDPR compliant, and continues to be so.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a complex and strict law that protects personal data and privacy in the EU and the EEA. Data protection is a fundamental right under Article 8 of the EU Charter of Fundamental Rights, and the GDPR protects this right by imposing obligations on organisations, wherever they are established, whenever they collect or handle data relating to people in the EU. It is enforced through substantial administrative fines and other penalties.
In the Republic of Ireland, the supervisory authority for the GDPR is the Data Protection Commission (DPC), which is a national independent government authority. Beyond the GDPR, it also has functions and powers related to other important privacy laws, such as the Irish ePrivacy Regulations and the EU Law Enforcement Directive.
.IE and the GDPR
When the GDPR was still in development, .IE began its preparations by monitoring and participating in international discussions on the impact of the GDPR on the domain name industry.
.IE worked with legal representation and the Office of the Data Protection Commissioner to ensure that the .ie namespace was fully GDPR-compliant. The Article 29 Data Protection Working Party, the predecessor of the European Data Protection Board, was also a good source of information. Even so, the lack of clarity about what the regulation would ultimately require made preparation a difficult task.
Lawfulness, Fairness and Transparency
Under the GDPR, the processing of personal data must have a legal basis. Processing is lawful only if it rests on at least one of the following grounds:
- the consent of the individual;
- the performance of a contract;
- compliance with a legal obligation;
- necessary to protect the vital interests of a person;
- necessary for the performance of a task carried out in the public interest; or,
- in the legitimate interests of the organisation (except where those interests are overridden by the rights & freedoms of the data subject).
The processing of personal data must also be fair, and avoid being misleading or deceptive. Organisations that process personal data must clearly provide individuals with information on the type of processing and who is carrying it out.
The main data processing activity within the scope of the GDPR at .IE is the collection of personal data from natural persons seeking to register a domain name (the Registrant). When registering a .ie domain name, a contract, known as the Registrant Terms & Conditions, is established between the Registrant and .IE.
Some personal data from Registrants (for example: name and contact information) is needed for .IE to perform its contractual obligations to Registrants to register .ie domains and provide its WHOIS services.
Personal data is also collected in connection with .IE's legitimate interest in maintaining the integrity of the company website and its services, for example by validating that Registrants have complete contact information and a proven connection to Ireland. This is also related to the rights and authorities that the Government vested in .IE, which include the duty to maintain, update, operate, control and defend the Registry.
Situations may also arise where Registrants give their specific and informed consent to the publication of their personal data in the WHOIS. In these situations, Registrants may withdraw their consent at any time.
The collection of personal data related to domain registration is also required in order to comply with particular laws. The newly adopted Network and Information Systems Directive (NIS2) states that processing personal data to maintain an accurate and complete database of domain name registration data should constitute a legal obligation for top-level domain registries (such as .IE). This legislation is due to be transposed in Ireland no later than 17 October 2024.
Purpose Limitation
Under the GDPR, personal data must be collected for specified purposes, and must not be further processed in a manner that is incompatible with those purposes.
For example, in order to register a .ie domain name, an individual Registrant must demonstrate a connection to Ireland and proof of identity. In most cases this can be shown with a copy of an Irish passport or Irish driver's licence. These documents are deleted once the purpose for which they were collected has been served (for example, once the registration has been approved or rejected), and they are not processed for any other purpose.
Data Minimisation
Another principle of data protection is that data controllers (like .IE) should only collect and process personal data that are relevant and limited to what is necessary for the stated purpose.
An example of this is .IE's returning Registrant registration process, which minimises the amount of personal data that existing, already-validated Registrants need to provide. A returning Registrant does not need to resubmit personal data to establish a connection to Ireland, as long as their contact ID and contact information are consistent with their last registration request. Their new registration request is approved immediately without the need to submit more personal data.
Accuracy
Data controllers like .IE must take reasonable steps to ensure that personal data are accurate and, where necessary, kept up to date. This includes taking reasonable steps to ensure that inaccurate personal data are erased or rectified.
Beyond the manual review of applications from new Registrants, there are also policies and processes that allow Registrants to easily request updates to their data. The database is updated in real time for changes requested by Registrars acting on the instructions of Registrants, and these requests can be submitted 24/7/365.
In addition, every month .IE manually reviews domain registration data to ensure that the information is accurate, and that an individual's personal contact information has not inadvertently been released to the public WHOIS.
.IE is also preparing to adopt new policies and procedures to better ensure the accuracy of registration information, ahead of the transposition of the new legislation described above. This will include proportionate processes to verify domain name registration data.
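The two WHOIS safeguards described above, consent-based publication of a natural person's contact details and a periodic check that no such details have slipped into the public record without consent, are easy to get wrong when consent can be withdrawn after a record has already been published. The following is an added illustration, not .IE's own code or schema; the record fields, the `REDACTED FOR PRIVACY` marker and the sample registrants are all constructed here for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical registrant record. Field names are an assumption for this
# example and do not reflect the registry's actual schema.
@dataclass(frozen=True)
class Registrant:
    domain: str
    name: str
    email: str
    phone: str
    is_natural_person: bool                  # data subject under the GDPR, or a legal entity
    consent_given: Optional[date]            # date consent to publish in WHOIS was given
    consent_withdrawn: Optional[date] = None # date that consent was withdrawn, if ever

REDACTED = "REDACTED FOR PRIVACY"
CONTACT_FIELDS = ("registrant", "email", "phone")


def publication_allowed(r: Registrant, today: date) -> bool:
    """Contact data may appear in public WHOIS only for a legal entity, or for a
    natural person whose consent is current: given on or before today and not
    withdrawn on or before today."""
    if not r.is_natural_person:
        return True
    if r.consent_given is None or r.consent_given > today:
        return False
    if r.consent_withdrawn is not None and r.consent_withdrawn <= today:
        return False
    return True


def whois_view(r: Registrant, today: date) -> dict:
    """Build the public WHOIS record, redacting personal contact fields when
    publication is not allowed. The domain name itself is always shown."""
    show = publication_allowed(r, today)
    return {
        "domain": r.domain,
        "registrant": r.name if show else REDACTED,
        "email": r.email if show else REDACTED,
        "phone": r.phone if show else REDACTED,
    }


def audit_published(published: dict, registry: list, today: date) -> list:
    """Periodic check: return the domains whose currently published WHOIS
    record exposes contact data although publication is no longer allowed
    (for example, consent was withdrawn after the record was generated)."""
    by_domain = {r.domain: r for r in registry}
    leaks = []
    for domain, rec in published.items():
        r = by_domain.get(domain)
        if r is None or publication_allowed(r, today):
            continue
        if any(rec.get(field) != REDACTED for field in CONTACT_FIELDS):
            leaks.append(domain)
    return sorted(leaks)


# Constructed sample data for the example.
SAMPLE_TODAY = date(2024, 3, 1)
SAMPLE_REGISTRY = [
    Registrant("alice.ie", "Alice Example", "alice@example.ie", "+353 1 000 0000", True, None),
    Registrant("bob.ie", "Bob Example", "bob@example.ie", "+353 1 000 0001", True, date(2023, 6, 1)),
    Registrant("carol.ie", "Carol Example", "carol@example.ie", "+353 1 000 0002", True,
               date(2023, 6, 1), consent_withdrawn=date(2024, 2, 1)),
    Registrant("acme.ie", "Acme Ltd", "admin@acme.ie", "+353 1 000 0003", False, None),
]

# A published snapshot generated from the registry, with one stale entry:
# carol.ie was published while consent was valid and never regenerated.
SAMPLE_PUBLISHED = {r.domain: whois_view(r, SAMPLE_TODAY) for r in SAMPLE_REGISTRY}
SAMPLE_PUBLISHED["carol.ie"] = {"domain": "carol.ie", "registrant": REDACTED,
                                "email": "carol@example.ie", "phone": REDACTED}


def run_audit() -> list:
    """Run the leak check over the constructed snapshot; returns ["carol.ie"]."""
    return audit_published(SAMPLE_PUBLISHED, SAMPLE_REGISTRY, SAMPLE_TODAY)


if __name__ == "__main__":
    for r in SAMPLE_REGISTRY:
        print(whois_view(r, SAMPLE_TODAY))
    print("records exposing contact data without consent:", run_audit())
```

The audit compares the published snapshot against the authoritative registry rather than re-checking the registry alone, because the failure mode being guarded against is exactly a mismatch between the two: a record that was correctly published once and then became unpublishable when consent was withdrawn.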
Storage Limitation
Data controllers must not hold on to personal data for longer than is necessary for the purposes for which it was processed. .IE's Data & Document Retention Policy sets out the retention periods for each category of personal data, and the rationale behind each period. Personal data is stored for no longer than necessary.
For example, the personal data of .ie Registrants, such as name and contact information, is retained only for the period of their contract plus two years after deletion. This two-year retention period allows for the possible establishment, exercise or defence of legal claims against .IE. It is well below the six-year statute of limitations, since any legal action would most likely arise in the first year after a contact removal or domain deletion, with a further year allowed for resolution.
.IE regularly deletes personal data that is no longer relevant. Personal data relating to unsuccessful domain registrations is deleted after 7 days. Documents containing personal data that were used to check a connection to Ireland are deleted no later than 30 days after a successful registration; the 30-day window allows for internal quality control checks.
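The retention periods above (7 days for an unsuccessful application, 30 days for identity documents after a successful one, and the contract period plus two years for Registrant contact data) are the kind of rule that should be enforced by a scheduled job rather than by hand. The following is an added example of such a sweep, not .IE's own code; the record layout, the action names and the sample records are constructed here for illustration, and the retention lengths are taken from the text above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical application record; the field names are an assumption for
# this example and do not describe the registry's real database.
@dataclass(frozen=True)
class RegistrationRecord:
    domain: str
    applied: date
    outcome: Optional[str]          # None while pending, otherwise "approved" or "rejected"
    decided: Optional[date]         # date the outcome was recorded
    domain_deleted: Optional[date]  # date the domain/contact was removed, if it has been
    has_id_documents: bool          # passport or licence copy still on file

# Retention rules as stated in the text: 7 days after an unsuccessful
# registration, 30 days for identity documents after a successful one,
# and two years after deletion for the Registrant's contact data.
UNSUCCESSFUL_GRACE = timedelta(days=7)
ID_DOCUMENT_GRACE = timedelta(days=30)
POST_CONTRACT_RETENTION_YEARS = 2


def add_years(d: date, years: int) -> date:
    """Calendar-year addition; 29 February rolls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def due_for_deletion(rec: RegistrationRecord, today: date) -> list:
    """Return the deletion actions whose retention deadline has passed for
    this record. A pending application has a live purpose and is never
    touched; an active contract keeps its contact data indefinitely."""
    actions = []
    if rec.outcome is None or rec.decided is None:
        return actions
    if rec.outcome == "rejected":
        if today >= rec.decided + UNSUCCESSFUL_GRACE:
            actions.append("purge_all")          # personal data and any documents
        return actions
    if rec.outcome == "approved":
        if rec.has_id_documents and today >= rec.decided + ID_DOCUMENT_GRACE:
            actions.append("delete_id_documents")  # QC window has closed
        if rec.domain_deleted is not None and \
                today >= add_years(rec.domain_deleted, POST_CONTRACT_RETENTION_YEARS):
            actions.append("purge_contact_data")
    return actions


def retention_sweep(records: list, today: date) -> dict:
    """Map each domain with overdue data to the actions the job should take."""
    result = {}
    for rec in records:
        actions = due_for_deletion(rec, today)
        if actions:
            result[rec.domain] = actions
    return result


# Constructed sample records for the example.
SAMPLE_TODAY = date(2024, 3, 1)
SAMPLE_RECORDS = [
    RegistrationRecord("pending.ie", date(2024, 2, 25), None, None, None, True),
    RegistrationRecord("rejected-old.ie", date(2024, 2, 18), "rejected", date(2024, 2, 20), None, True),
    RegistrationRecord("rejected-new.ie", date(2024, 2, 24), "rejected", date(2024, 2, 26), None, True),
    RegistrationRecord("active.ie", date(2024, 1, 10), "approved", date(2024, 1, 15), None, True),
    RegistrationRecord("recent.ie", date(2024, 2, 12), "approved", date(2024, 2, 15), None, True),
    RegistrationRecord("expired.ie", date(2020, 1, 5), "approved", date(2020, 1, 10), date(2022, 2, 28), False),
    RegistrationRecord("leap.ie", date(2019, 1, 5), "approved", date(2019, 1, 10), date(2020, 2, 29), False),
]


def run_sweep() -> dict:
    """Run the sweep over the constructed records as of SAMPLE_TODAY."""
    return retention_sweep(SAMPLE_RECORDS, SAMPLE_TODAY)


if __name__ == "__main__":
    for domain, actions in run_sweep().items():
        print(f"{domain}: {', '.join(actions)}")
```

Two details matter in practice. The job keys off the date the outcome was recorded, not the application date, because the retention clock in the text starts when the purpose is served. And the two-year period is added in calendar years rather than as 730 days, so a deletion on 29 February does not produce a deadline that never matches a real date.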
Integrity and Confidentiality
Data controllers must use appropriate technical and organisational measures to safeguard personal data. To this end, .IE achieved ISO 27001 certification, the certifiable international standard for an information security management system, which requires an organisation to identify, manage and mitigate its information security risks in a systematic, auditable way. Certification demonstrates that .IE has such a system in place and is well equipped to defend against cyber threats and data breaches.
Accountability
Controllers are responsible for demonstrating their compliance with the other principles of data protection. This means that controllers must have appropriate processes and policies in place where necessary.
.IE practises this principle by publishing its data protection policies and procedures openly and in plain language. .IE also has data processing agreements with its accredited .ie Registrars built into their contractual agreements, and the accredited Registrars are themselves subject to, and comply with, the GDPR.
.IE also maintains internal data protection and privacy policies for its employees, keeps clear records of its processing activities, holds ISO 27001 certification, and cooperates with the Data Protection Commission when necessary.
Practicing responsible data protection has been, and always will be, a top priority for .IE. With the upcoming transposition of NIS2, .IE will review its various policies and procedures to ensure that they are in alignment with new legislation.
A key lesson from the GDPR preparation stages was that delayed and ambiguous legislation hinders effective compliance planning. With this in mind, .IE will continue to work with and advocate to the Government of Ireland wherever possible, so that the uncertainty and lack of guidance that marked its GDPR preparations are not repeated.
Ensuring that the rights of data subjects are protected and built into any new process is of the utmost importance for .IE. The very capable members of the Policy Advisory Committee will continue to help navigate .IE through any regulatory maze, as they have for years.
Declan McDermott is our Internet Policy & Compliance Officer.