EuroDNS signed the Registrar Accreditation Agreement signed, but…
It cannot possibly have escaped your notice; EuroDNS is offering registration of the new domain extensions. If you cast your mind back to our post last year, this means we’ve signed the 2013 version of ICANN's RAA. However this agreement contains a provision which is incompatible with the Luxembourgish law on personal data (for legal nerds that’s the law of August 2, 2002). This being the case, we thought you deserved an explanation.
Previously in the ICANN privacy saga…
When we last wrote about this issue, we had just asked the Luxembourgish Data Protection Agency to provide us with written guidance on the compatibility of the ICANN Registrar Accreditation Agreement and Luxembourgish data privacy laws.
The Luxembourgish Data Protection Agency replied, and as we expected, they confirmed that the two year period of retention of our customers’ personal data after we have ceased providing our services to them, is incompatible with Luxembourgish law. Luxembourgish entities may only retain their customers’ personal data for the duration of the provision of their service.
At EuroDNS, this means that if your domain name expires or you transfer it to another registrar (hypothetical example, obviously), we will automatically delete your personal data from our records.
Armed with this “written guidance from a governmental authority” as defined by ICANN, we have submitted our request to be exempt from retaining personal data for a duration exceeding the one stated in Luxembourgish law.
The authority that can fine EuroDNS and send its managing director to jail if we break the law on data privacy, is clearly telling us not to abide by this RAA provision. However, and despite what we believed would be a no-brainer, ICANN is yet to make a so-called determination on the validity of our request.
We are discussing our compliance with Luxembourgish laws (!)
After being stuck for a month on ICANN’s “Please wait…” screen. We decided to contact one of its directors who informed us that by submitting our waiver request we were officially discussing this incompatibility with ICANN. He assured us that ICANN would not require EuroDNS to break Luxembourgish laws and…
“…the fact that your waiver request is pending will not prevent EuroDNS from signing onto the 2013 RAA. If a registrar believes that a data collection or retention requirement in the 2013 RAA violates applicable law or any legal proceedings, ICANN and the registrar agree to discuss in good faith whether appropriate limitations, protections, or alternative solutions can be identified (see data retention specification at Section 2). Registrars will not be required to violate local law—the contract requires registrars to abide by applicable laws and governmental regulations (see Section 3.7.2). Your waiver request initiated this discussion between EuroDNS and ICANN.”
Based on this statement, we have decided to enter into the 2013 version of the ICANN Registrar Accreditation Agreement. But, we will not implement the provisions that the national data protection agency informed us would put us in breach of Luxembourgish laws.
Big sigh of relief; this means you can register your domain names under the new (and “old”) domain extensions with EuroDNS. You can rest assured that your personal data will be deleted if you decide to leave us.
It cannot be emphasised enough that data privacy rights are not a blanket to perpetrate illegal and/or malicious activities. Furthermore, should a Luxembourgish court order EuroDNS to retain and/or disclose the personal data of a customer, we will abide by such an order.
What’s next?
We will keep you informed of any progress on this matter, but in the meantime, please know that EuroDNS does not intend to break local laws and strives to protect its customers at all times.
If you have any comments, please feel free to contact me.