On 14 Feb 2018, at 20:36, John Horton <john.horton@legitscript.com> wrote:

Rubens,

I think I see where the disconnect might be. Section 3.2.2 says "Extraterritorial reach as described in section 3.2.1 above will apply, for instance, when registrars and registries established outside the EU provide their domain name registration services to natural persons in the EU."

Are you interpreting that to mean: "If a registrar/registry outside of the EU markets/offers their services to natural persons in the EU (that is, you either have some customers in the EU or you potentially could), then they are fully subject to the GDPR for all of their registrations."? Because I think that's a misreading of it. I think it means "with respect to the actual provision of services to a natural person in the EU." In other words, taking it to an extreme, I think you might be interpreting the Hamilton language in 3.2.2 to mean that all of a non-EU registrar's registrants are entitled to full GDPR protection if that registrar has even a single potential customer in the EU. However, I think they mean that even a non-EU registrar has to ensure that any natural person in the EU is afforded GDPR protections (and I'd agree with you on that -- my own company has been deep into GDPR compliance even though we aren't in the EU).

I am interpreting that way, but I am not the only one as the GDPR implementations will show in a few months. We should note that both US and EU courts routinely take cases of non-citizens/non-residents based in their own law, so as long as someone has a cause of action, there is legal risk. One just needs to find one jurisdiction among the many in the EU that is willing to bring a case on behalf a non-EU citizen/resident, and when a single lawsuit can make for the margin of selling 100,000 domains, you can be sure that a good number of companies won't take that risk.

I will gladly take any written/binding European DPAs guidance that it's not the case in order to advise for discriminating EU/non-EU residents/citizens as registrants, but for now the perceived risk doesn't allow that. And I will add a grain of salt to that concern: let's say you are sure that the registrant is not afforded GDPR data privacy; what can be said of the other contacts ? Since those contacts are data subjects that a registrar doesn't have a contract with, how to determine their eligibility ? Send them all e-mails so they can enter into a non-paying agreement confirming their lack of eligibility ?