Impact of GDPR on Web Hosting Providers and Hosting Customers

Author: HOSTTEST Editorial | 30 Oct 2018

We were fortunate to speak with Thomas Keser, Managing Director of WebhostOne GmbH, about the impact of the GDPR, which has been in effect since May this year. In particular, we discuss the consequences of the new regulations for web hosts and hosting customers, and take a look at the planned E-Privacy Regulation.

ht: Hello Mr. Keser, would you be so kind as to introduce your company briefly to hosttest visitors.

tk: WebhostOne GmbH has been serving as a competent and quality-conscious service provider in the areas of web hosting, domains, reseller, and managed servers since 1998. In addition to providing high-quality services and products, we place special emphasis on the availability of competent and comprehensive support. Our high level of service orientation is reflected not only in our support hours, which extend beyond regular business hours, but also in the high customer satisfaction ratings we regularly receive from our customers on leading independent review platforms such as Trustpilot or HostTest. With our administration interface WHO-Adminpanel, we provide our customers with a unique system for managing their web hosting accounts, which even in the shared hosting sector offers performance features typically found only in VPS or Dedicated Servers. Features such as a freely editable php.ini and httpd.conf are just as standard as various Apache and PHP versions as modules or CGI for each individual web hosting account. Our servers are located in a modern, excellently connected data centre operated by TelemaxX GmbH in Karlsruhe. We source the electricity to power our IT infrastructure exclusively from renewable energy sources.

ht: The GDPR deadline was on 25.05.18: How many resources did you have to dedicate to this issue during those weeks?

tk: Data protection and data processing were already high on our agenda, so we were one of the few providers who could offer an ADV agreement before the GDPR, which then became mandatory. Our processes had already been checked for compliance and the necessary documentation was in place, so there was little need for major process changes for us. What caused us some headaches were the formulations of our own statements in the ADV and the data protection agreement. Due to many unclear legal terms such as "processing in good faith" and numerous opening clauses for the German legislator, it was also challenging for us to find the exact formulations and put them on paper. As the deadline approached, various public authorities and state data protection officers also published recommendations for action, which made it easier for us to compare and secure our own formulations and content legally. In addition to the legally compliant implementation of the regulations, we were also concerned with the legally compliant conclusion of the contracts for data processing agreements. The initial common opinion that these contracts could not be concluded electronically was later revised by various state data protection officers. This allowed us to create a suitable electronic process, which would have meant a huge administrative burden with more than 20,000 customers. Our focus was on automating the conclusion process for our customers as well as for ourselves as much as possible. In addition to this development work, we were mainly dealing with support requests related to the GDPR and the websites of our customers. Unfortunately, it is difficult to give a general recommendation here, as detailed analysis of the customers' processes beyond mere hosting is required. With the ADV agreement, our customers can generally secure themselves for the interface with WebhostOne.

ht: How much does this issue affect every web hoster?

tk: This issue is significant for every web hoster because the main purpose here is the generation and processing of data. The intersection between the hoster and the customer includes, among other things, the administration interface used, as this is usually provided by the hoster and therefore they must ensure compliance with data protection requirements. An issue for us, for example, was the anonymisation of logged IP addresses and their retention period. The issue of IP address storage was not new, but within the GDPR framework, customers took it more seriously. Since we cannot individually verify whether our customers have permission to store IP addresses, we made it mandatory to mask IP addresses from then on, as they are captured and stored through our system. However, customers can still secure the full IP addresses with tracking software on their own. The collection and disclosure of names and address data of domain owners (Whois data) required for domain registration is also hotly debated. The registrars have taken a big step towards anonymisation by suppressing Whois data, which we do not fully welcome. This poses new challenges for us as a web hoster when it comes to advising and carrying out domain transfers or applying for SSL certificates. Other major topics in the hosting industry such as Big Data and Cloud Computing were surprisingly little addressed by the GDPR.

ht: Can you briefly explain the key points of the GDPR or the important areas for every web hoster?

tk: In short, the rules for data collection, processing, security, and storage are defined. It is always necessary to consider what permission is required for the collection and what consequences the data processing entails. Permission may include lawful consent, a legal obligation, or simply fulfilling a contract. To revisit the issue of IP addresses: here, the hoster often has more reasons or permission to store IP addresses (at least temporarily) than their customers. There is a legal norm permitting, for example, the storage of IP addresses to comply with cyber attack prevention and investigation. The processes for data processing must be secure and well-documented to ensure data integrity and confidentiality. As data subjects have the right to information under the GDPR and the accountability/burden of proof lies with the data controller, every step in handling the data should be carefully planned. This not only applies to one's own processing but extends to all suppliers and partners who come into contact with personal data. In this respect, we benefit from working only with selected partners from the German region. For example, from our ISO-certified data centre, which has always had very high security standards.

ht: With the different requirements, could you provide an excerpt of what a web hoster should implement accordingly?

tk: In principle, a web hoster should operate and deliver the provided software securely by default and also sensitise their customers to operating their own software (keyword: "privacy by default"). For us, this also means offering free Let's Encrypt SSL certificates with a click of a mouse, disabling older protocols, as well as disabling older PHP versions. The issue of PHP versions specifically poses challenges for many customers, but it also incentivises keeping their own software up to date to comply with the GDPR requirements.

ht: You are in close contact with your customers, what has become of the issue, now over six months after its introduction?

tk: Honestly, the issue has largely subsided. Many customers were surprised by the extent of the measures and it probably caused them a few sleepless nights. Due to the significant media coverage, it is still in the back of their minds, but has lost some of its initial fear factor. The feared warnings and complaints have largely not materialised, and the widely mentioned €20 million fine has not been imposed yet. Instead, stories that further tarnish the reputation of the GDPR and make it seem ridiculous are now making headlines. For example, the alleged violation of doorbell nameplates under the GDPR.

ht: Finally, I would be interested to know what you foresee for the future regarding data protection and E-Privacy. Is the GDPR everything, or do you believe that the pressure from authorities will continue to increase with the planned E-Privacy Regulation?

tk: I believe that the GDPR generally offers too much room for interpretation, creating a constant uncertainty that is not good for the data protection climate. On the other hand, it has the potential to even move the giants of the internet industry. I did not expect Facebook to react so quickly to the issue of company fan pages and now offer an acceptable solution with the "Page Controller Addendum". It is difficult to predict where this will lead. Compared to the GDPR, the E-Privacy Regulation envisages much more significant interventions in internet traffic and is the subject of controversial debate. For us as a web hoster, the legal foundations will change, leading to a restructuring of ADV agreements, documentation, and data protection agreements, but within a manageable scope. However, the E-Privacy Regulation from the EU's package of measures would significantly alter the internet and the business model of many other industries that rely on tracking website visitors. The most important point here is the handling of third-party or tracking cookies, which is fundamental for the online advertising industry. This not only allows users to be informed about tracking but also enables them to reject it. The E-Privacy Regulation will drastically change the internet as we know it.

ht: I sincerely thank you for the great interview and the many insights into the GDPR topic.

The interview was conducted by Marco Keul

 

Profile


Name: Thomas Keser
Position: Managing Director
Employees: > 10
Company founded in: 1998
Customer base: > 20,000