Hacker News

One month to adapt? They have had two years. Also, I fail to see how this is a problem, considering that quite a few domains nowadays seem to use WhoisGuard or a similar service anyway.


> They have had two years.

Even longer if you consider the time GDPR was worked on. The writing has been on the wall for a really long time, so asking for an interim arrangement is really barefaced.


Are you saying GDPR was ready then? How come if today it is not clear and has ambiguous interpretations or lack of?


It was clear enough to know at least 2 years ago that you can't just make personal data public on the Web.

Here, as in all cases, the supposed vagueness is just a lame excuse to not even start an honest effort of protecting personal data.

ICANN obviously tried to play a game here (let's sit this out and see what happens), and now is under water.


I am not saying that this is an excuse to not protect the data. I am saying in general that GDPR has not been thought through enough and has been pushed without consideration for a lot of edge cases.


"Congress shall make no law respecting an establishment of religion, or prohibiting the free exercise thereof; or abridging the freedom of speech, or of the press; or the right of the people peaceably to assemble, and to petition the government for a redress of grievances."

The first amendment also contains not much consideration for edge cases. That is a feature, not a bug.

GDPR sets principles, it isn't a technical specification. The edge cases will be sorted out by courts, as usual for legal issues. Meanwhile, everything looks like the EU will not immediately start to impose big fines if there are small gaps, as long as affected institutions and enterprises show effort to comply and to fix remaining issues.


All complex laws have ambiguous interpretations.


All bad laws. edit: I am not saying the idea behind GDPR is bad - it is amazing. But execution is really bad.


I disagree; all complex laws. That's the main reason for the existence of supreme courts; to decide on a reading when courts below disagree ("circuit split", in the US).


Right. It shouldn't be okay to push bad (in the sense: incomplete, not researched enough etc.) laws because there is a supreme court.


My claim is that you can't avoid it. It's like trying to write a large program with zero bugs without being able to test it. Citing Knuth, "beware of bugs in the above code; I have only proved it correct, not tried it."

To put it another way: can you cite any complex bill that hasn't ever gone to the Supreme Court?


> I fail to see how this is a problem...

Some TLDs don't allow proxy registrations.

Whois privacy being a service extra (sometimes included for free, sometimes a paid extra which can expire and expose your data if you miss the email) where other TLDs (.uk springs to mind) already have the ability to withhold the personal details of domain registrants (private individuals have the ability to withhold their data, company registrations have their data shown) at the registry level and not having to use a 3rd party company.


Is there a difference between proxy registrations and not making the registrant information public?


I am an engineer working for a registrar and we've been told by at least one TLD that there is no difference. We used to "mask" the registrant email regardless of whether or not the customer had opted-in for proxy registration, and we were told this was not allowed by the TLD operator.


Well, you're still seen as the owner of the domain in the register’s eyes and not a proxy company, which may help if you need to transfer the domain away from your registrar for any unexpected reason.


Hardly. ICANN is not an EU organisation. The idea that GDPR is a global law is a new thing.

Also,

> The letter also has harsh words for ICANN's proposed interim solution, criticizing its vagueness

Of all the people to criticize others for vagueness, EU data protection people are the very last who should be talking. GDPR is nothing but vagueness.


It's not like WHOIS wasn't problematic before, e.g. even inside ICANN people have been pointing out conflicts with data protection laws for over a decade. And ICANN not being from regions with stricter regulation isn't actually that relevant, since ICANN doesn't directly run WHOIS. The registries and registrars do it, many of which are in the stricter jurisdictions.

GDPR being globally applied certainly ups the overall pressure, and is the reason they want to change the overall WHOIS rules instead of making special rules for individual countries, but the key thing seems to be the fear that there actually might be painful fines now.


The problem is that you don't understand GDPR. Please watch first few minutes of this: https://youtu.be/-stjktAu-7k?t=399

(or even whole, it explains a lot of things)


> I fail to see how this is a problem,

> seem to use WhoisGuard or a similar service anyway

So it was always a problem, now it is also illegal


WhoisGuard is not usually free, except for the first year in some cases.


I would bet a substantial number of companies have not even begun GDPR compliance until around Q3 2017. It would be interesting to see the prevalence of GDPR in quarterly earnings call transcripts over time.


Judging by the volume of sales people contacting me at work, I would bet a substantial number of companies have not even begun GDPR compliance until at least Q2 2018.


Yeah, but how many are just US-based without an office in the EU or a real presence in the EU? ICANN is an international organization with a regional office in the EU and an engagement center, with EU customers representing a big chunk of sales/revenue. There's really no excuse for ICANN, whereas if you're a SaaS company based in the US, which may have 10% of revenue coming from the EU, it's more understandable.


You still have to implement it in case you are visited by an EU national (even if that is just a person visiting the site without intention to buy) - as you shouldn't log EU personal data without permission. Even if you filter out European IP addresses you have to consider that an EU national can be visiting from the US for example and you still cannot log without permission.


How can you work on something that is not ready even now?


It's been ready for ages, it just doesn't come into effect until May.


It comes into effect incomplete. Companies still don't know what to do. There are tons of questions unanswered and nobody knows how to be compliant.


The only people that seem to have this problem are:

(1) the ones that didn't bother to read the text of the law (which is surprisingly accessible)

and

(2) armchair lawyers that come up with all kinds of outrageous edge cases that nobody really cares about but that then get used to discard the law saying it's incomplete and that 'nobody knows how to be compliant'.

For real businesses that are affected by the law the vast majority of the impact is crystal clear and if they've done their homework they'll be more-or-less compliant by May and will at least be able to prove they made a good effort to comply.

I really should work up a to-do list that will get the average SaaS start-up to 90% compliance with the minimum amount of work.


Here's a to-do list to help people get started today: https://gdprchecklist.io/


This is false. There are third parties specialised in getting you compliant if you're unsure what to do - you can send your (legal/technical) questions to them and they answer you.

It still baffles me to this day that people just lie/spread misinformation on the internet (yes, there is a relevant XKCD for this) yet here we are.



