Why Registrars require an EU based Escrow provider

Domain names, registrant data and data protection, they all have a long history in the ICANN universe. Let’s do some time traveling and let me take you back in time, starting a decade ago…

March 2007
ICANN de-accredits RegistryFly, this disaster demonstrates clearly that Registrars should escrow registrant data to an escrow provider in case a registrar goes “down.”

To counter the RegistryFly disaster, ICANN introduced escrow requirements, ICANN picks up the bill, but of course, indirectly the registrars are paying for it, how much is unknown though, as we do not know how much ICANN is paying Iron Mountain USA.

October 2015
The escrow of data to the USA went on for years without problems, until October 2015, when the CJEU invalidated Safe Harbor. Most companies, registrars included relied on Safe Harbor to transfer data to the USA. But all of the sudden this was no longer an option.

This raised awareness among registrars. Our contractual ICANN obligation to escrow data was no longer an option as it was deemed illegal by the CJEU.

ICANN had appointed more escrow providers during the years including the EU. The problem, these escrow providers are not funded directly by ICANN. The prices are high, up to 2500 Euros a month.

This means that registrars using another provider would pay twice, first the provider of their choice and second Iron mountain through the ICANN fees. Effectively this means you’re sponsoring the competition, which is insane.

Further developments………

November 2015
The invalidation of Safe Harbor demonstrated another issue; legal agreements could be here today and gone tomorrow.
Realtime Register entered into a contract with Iron Mountain using a so-called SCC aka Model Contract. This solution provided us an option to continue our escrow obligations.

July 12, 2016
The European Commission deemed the EU-U.S. Privacy Shield Framework adequate to enable data transfers under EU law.

Realtime Register continued to use the SCC as it provided more safeguards for registrants compared to Privacy Shield, which was deemed invalid by legal experts the moment it was released.

August 2017
Denic the German ccTLD Registry for .DE informs ICANN registrars their far developed plans to become an ICANN designated escrow agent. ICANN acknowledged that EU Escrow providers would get the same treatment funding wise like Iron Mountain USA. Next year this treatment will be available to other escrow providers like for example China, China has very strict privacy laws.

Most recent developments……………

October 3, 2017
The Irish High Court rules on Facebook surveillance case:
Irish DPC has “well-founded concerns” over US surveillance of Facebook.
EU-US data transfer complaint referred to European Court of Justice for the second time.
The court found that the DPC has “well-founded concerns” that the SCC Decision by the European Commission (2010/87/EU) may be invalid.

11 October 2017
Realtime Register submits a letter of intent supporting Denic and urges ICANN to make haste.letter of intent

Looking ahead…………

Future
Most likely the CJEU will rule that SCC’s can no longer be used in the future. Privacy Shield will most likely be invalidated (again), causing massive operational and legal problems for registrars. ICANN should push forward with the Denic proposal as soon as possible.