
Personal Data Protection and ccTLDs

By Erick Iriarte Ahon, .PE Legal Advisor and Co-Coordinator of LACTLD’s Policy and Legal Working Group

In order to analyze the state of personal data protection regulation in the region and the impact of these regulations on the operation of the various ccTLDs that are members of LACTLD, the Association’s Policy and Legal Working Group conducted a survey during the pandemic.

Firstly, it found that 75% of the surveyed subjects have legislation in place on personal data protection, and only slightly over 12% have no regulation whatsoever on this matter (the remaining sample indicates that while there is no regulation in place, this matter is under parliamentary discussion). Even though some countries in Latin America and the Caribbean have no specific legislation on this matter, it is important to mention that the Universal Declaration of Human Rights (UDHR) already provides for regulation on privacy issues and all of the constitutions in the region mirror that position (apart from being linked to the Pact of San José). It is also worth noting that the specific legislation in place has been growing since 1999, when Argentina introduced special legislation in relation to the protection of personal data.

Also, the survey finds that slightly over 50% of ccTLDs claim that there is a specific government authority in charge of matters related to the protection of personal data. According to these results, half of these entities are autonomous while the other half rely on a different government entity. It should be highlighted that, in Latin America, the design of such authorities is hybrid: they are in charge of both personal data protection and access to public information.

In general terms, any user can register a domain in the ccTLDs. In many cases, ccTLDs have turned to automatic means to facilitate the registration process, but this can also hinder the identification of the registrant. In this regard, the survey shows that only 23.5% of ccTLDs verify all of their requests, while 58.8% of them do so for some cases. This happens, for the most part, with restricted registrations, for example subdomains for government entities.

Moreover, the survey shows that almost 90% of ccTLDs have a privacy policy. This type of policy provides legal guidance even when there is no explicit legislation, since the lack of an ad hoc rule does not hinder the use of an international good practice in relation to the protection of personal data. However, only a little over 50% of them have data security protocols. This is attributed, among other factors, to the lack of specific legislation on cybersecurity in many countries of the region. We thus face the challenge of adopting, as a good practice, compliance with minimum standards for the protection of data, taking into consideration, for example, ISO 27001.

The lack of protocols is paired with the lack of an official in charge of data protection, who only exists in 11.8% of the surveyed ccTLDs (and who is probably explicitly required by law).

Also, 35.3% of ccTLDs responded that they have a person in charge of performing such role, though the position is not officially defined as such in their organization.

WHOIS privacy services, which have been growing in the domain industry in the last few years, were also analyzed in our survey. The answers obtained revealed that 58.8% of regional ccTLDs offer this type of service. While 41.2% of the surveyed ccTLDs do not offer WHOIS privacy services, registrants are able, in many cases, to access them indirectly through international registrars.

The survey conducted by the Policy and Legal Working Group revealed a series of relevant outcomes in relation to the data requested by ccTLDs in the registration process. It was noted that most ccTLDs collect more information about the registrant and the administrative contact than about the technical contact. A noteworthy discovery was that data related to ID cards are the least requested data, together with fax number information. As regards the storage of the requested data, the survey found that 35.6% of ccTLDs do not retain such data after the domain is removed or deregistered, while the rest of them keep the information for varying periods of time.

Even though much of the data requested in the registration process is not published in the WHOIS, it can be requested by public authorities through court orders or intellectual property administrative entities.

Finally, the survey allowed us to reach some conclusions on the impact of the General Data Protection Regulation (GDPR) on Latin American and Caribbean ccTLDs’ policies. According to their answers, 58.8% of them have introduced or plan to introduce modifications in relation to the GDPR (especially for holders of domain names under European jurisdiction), while 41.2% of ccTLDs have yet to do so.

– The original post was published in the LACTLD Report No. 12