The TRA published on Sunday this week a brand new Regulation Governing Domain Names. This regulation makes a number of important changes that open up the domain name market by providing a mechanism for allowing companies with no connection to Oman to register <.om> domain names and permitting the transfer of the registration of domain names between registrants without any apparent restrictions. The regulation also attempts to make the WHOIS system for <.om> domain names compatible with the Personal Data Protection Law that is due to enter into force early next year. This post provides an overview of some key aspects of this new regulation.
Introduction: Omani Domain Names & Web Safety
The <.om> top-level domain names is one of the most critical domain names to the safety of internet users around the world. Due to the similarity of the <.om> country-code to the <.com> domain name extension, Omani domain names have an extremely high potential of being misused by typosquatters and web criminals who wish to use <.om> domain names carry out phishing attacksfor stealing the identity and credit card details of internet users. This threat is not hypothetical, as a study from 2016 found that at least 295 Omani domain names were maliciously registered including <bankofamerica.om>, <netflix.om>, <facebookc.om>, <linkedin.om>, and <gmail.om>.
This unique attribute of <.om> domain names does not exist in regard to country codes such as <.ae>, <.bh>, <.kw>, <.qa>, or <.sa>, and as a result it is not surprising that the TRA, being the custodian of this critical web asset, has historically taken a very conservative approach for the registration of Omani domain names in comparison to our neighbours, which until the passing of this new regulation, have been available only to Omani legal entities and Omani nationals. I believe that restricting the registration of <.om> to Omani companies and nationals is the right thing to do, but the TRA has made a decision to move towards a more open approach, albeit very cautiously.
Registration by Non-Omani Companies
The TRA has been considering opening up the registration of Omani domain names to non-Omanis for a while now and issued a publication consultation paper on this matter in 2021. While there is no public records of the motives behind the TRA’s desire to allow the registration of Omani domain names to foreigners, one can easily see the financial gains that the TRA can make by increasing their registrations (according to 2021 statistics, there are less than 5,000 registered <.om> domain names).
The TRA has decided to take a cautious approach in opening up the registration of <.om> domain names to non-Omani companies and individuals by providing in article 5 of the new regulation that the it may permit non-Omani individuals and companies to register <.om> domain names. Article 10 also states that the TRA may permit non-Omani companies to register <.co.om> and <.com.om> domain names. In both of these cases, the regulation suggests that the TRA will have to take action to issue specific conditions and controls for permitting this. It is possible that registration by non-Omani companies is limited to high-value reserved (special) domain names or those that reflect the trademarks owned by non-Omani companies. Accordingly, at the moment, it is still not possible for non-Omani companies and individuals to register domain names, but the TRA now has the power to permit this in regard to <.om>, <.co.om>, and <.com.om> domain names. The regulation does not allow the TRA to permit the registration of <.عمان> domain names to non-Omani companies and individuals.
The authority may permit non-Omanis or establishments and companies from outside the Sultanate of Oman to register (.om) second-level domain names directly, in accordance with the conditions and controls issued by the authority.
Regulation Governing Domain Names 2022, TRA Decision 1152/2/3/2022-5 (issued 23 November 2022, published 27 November 2022) OG 1469, art 8 para 2.
In addition to this new major development, the regulation now allows non-Omani residents to register <.me.om> domain names. Unlike the <.om>, <.co.om>, and <.com.om> provisions, this is a provision that becomes effective immediately upon the entry into force of this regulation.
Transfer of Registrations between Registrants
A peculiar aspect of the previous Omani domain name regulation is that it was not permitted to transfer a domain name registration from one person to another. The logic behind the restriction was to limit cybersquatting and reduce the opportunity for the creation of a market for the sale of domain names. Under the older regulation, transfer of the registration of a domain name was complicated and allowed only in the case of a merger of a company, the transfer of an intellectual property right, and the enforcement of a court judgment or arbitral award.
Due to the complexity of domain name transfers, domain name owners used to follow risky workarounds for transferring the registration between themselves. The primary mechanism was to request the cancellation of a domain name, and arrange with the registrar to have the new registrant register the domain name immediately upon the release of the domain name after its cancellation. This was problematic because it would result in a the website going offline for a period of time, and it provides no guarantee that another person would not register the domain name before the other party.
This restriction was an actual problem to this very website since the domain names of both Decree.om and Qanoon.om are registered in the names of the co-founders and there was no mechanism to legally transfer their ownership to the legal entity we are creating to manage the project.
Luckily, under article 21 of the new regulation, it is now possible to make a request to the registrar to have the domain name transferred from any natural or legal person to another natural or legal person after the payment of a transfer fee.
Data Protection Law and WHOIS
Domain name registries usually provide a mechanism to enable members of the public to see the details of the person or entity that has registered a domain names through a service called WHOIS. The use of this service has been brought into question by the passing of the GDPR as the risks it imposes to the privacy of an individual through release of their name, address, and contact details are seen by the international community to outweigh the public interest in having this information public. As a result, ICANN had to reconsider its rules for publicising WHOIS records and many country-level registries have reconsidered the amount of information they publish through this service.
In Oman, before the passing of the Personal Data Protection Law earlier this year, we had no rules that prohibit the publication of personal information through the WHOIS service. Given that the Personal Data Protection Law is framed around the concept of human dignity, the right approach to make the Omani domain name registration system compliant with it, should be to prevent public access to the WHOIS system. The global community has come to accept the reality that this system does not provide real value to rights-holders due to the difficulty in forcing registrants to provide real and up-to-date information. The utility of WHOIS has also been significantly undermined in more recent years due to the popularity of using proxy registration services that register the domain name of a privacy company on behalf of the actual registrant.
The position of the TRA in regard to what information is actually available on the WHOIS system is not clear. Unlike the previous regulation which had a dedicated chapter to govern the WHOIS system, the new regulation states that the authority shall provide a WHOIS service which may include registrant details. It also essentially states in article 6(4) of the new regulation that those applying to register a domain name automatically agree to have their registration details publicly available through the WHOIS service. Due to the fact that the Personal Data Protection Law has not entered into force until now, along with the fact that the executive regulation of this law is still not out yet, it is not clear if the approach adopted by the TRA is compatible with the law.
Domain Name Disputes
The majority of domain name disputes around the world are governed by a special process for swiftly dealing with domain name disputes called the UDRP carried out by UDPR providers such as WIPO and Forum. In 2008, the Ministry of Commerce and Industry issued in 2008 the Executive Regulation of the Industrial Property Law which stated in article 66 that Omani domain names disputes are governed by the UDRP and that WIPO is the body responsible for resolving these disputes. However, the TRA has not implemented the regulation issued by Ministry of Commerce and Industry, and instead has been resolving Omani domain name disputes internally. The new regulation codifies the practice of the TRA by confirming in article 32 that the TRA is the body responsible for resolving domain name disputes. This same article also states that the TRA may refer disputes to a dispute resolution centre.
Article 32 of the new regulation can be understood to have implicitly repealed article 66 of the Executive Regulation of the Industrial Property Law (especially since this regulation is cited in the recital of the new regulation), but we must acknowledge that article 66 reflected the best international practice for resolving domain name disputes, and that the TRA did not replace this provision with an actual domain name dispute resolution policy. This means that we still do not understand what rules apply for making a domain name dispute, what remedies are available for rights-holders, and if there are any timelines or formalities for making a domain name complaint. The UDRP provides a straightforward framework for resolving such disputes, and it would be wise for the TRA to adopt it, especially since the TRA was considering this policy through the public consultation paper it published in 2008.
Article 32 of the new regulation states that the TRA will publish a list of dispute resolution providers, if it decides to use them. Until that happens, complaints regarding the abuse of domain names are to be submitted to the TRA.
FINAL THOUGHTS
The new Regulation Governing Domain Names provides the TRA with a lot of discretion in liberating the domain name market, but the majority of the key provisions in the regulation, such as those relating to the registration of <.om> domain names by non-Omani companies, are not directly applicable and will only be allowed after additional specific instructions are made by the TRA, which reflects TRA’s understanding of the worldwide risks associated with the use of <.om> domain names.
Our favourite new provisions are, without a doubt, the new rules allowing the transfer of the registration of domain names under article 21, which can finally allow domain name registrations to be transferred without having to rely on risky workarounds.
The regulation enters into force after four months from its date of publication.
TRANSLATION NOTE
Decree’s translation of the Regulation Governing Domain Names refers to the second-level domain name designated for museum as <.museum.om> in the second table of article 33. This was referred to as <.meseum.om> in the Arabic version of the Official Gazette, which we believe is a typo that contradicts article 15 of the regulation.