With the European Union’s General Data Protection Regulation (GDPR) set to go into effect on May 25, 2018, many questions remain as to what entities that control and process data from EU citizens must do to comply. One such issue is the ongoing effort by the Internet Corporation for Assigned Names and Numbers (ICANN) to ensure that the WHOIS service (an online database of identity and contact information for registrants of web domains) complies with GDPR.
Currently, domain name registrars are required to collect identity and contact information for individuals and entities (called “registrants”) that register domain names. Registries and registrars are required by their contracts with ICANN to make this information public through the WHOIS service, a searchable database that is frequently used by brand owners, lawyers, and cybersecurity researchers to identify and communicate with domain name owners who are believed to be involved in intellectual property infringement, malware distribution, and other bad acts. WHOIS information can also be useful for consumers trying to identify websites that traffic in fake news or scammers who purvey non-genuine goods.
GDPR, by regulating the use and availability of the personal information collected by domain name registrars, will likely affect access to WHOIS data at least in the short term. ICANN has received legal opinions suggesting that the current model of full public availability of registrant identity and contact information would not comply with GDPR. For example, while consent is a valid legal ground for processing data under GDPR, the new requirements for consent (which this blog has reported on previously) mean that the consents included in the contracts between registrars and registrants are unlikely to comply with GDPR.
While the details are very much in flux, ICANN is developing an interim model to ensure compliance that would likely involve a “tiered-access” system, under which a great deal of personal information will be unavailable to the public, while certain third-parties (such as law enforcement or others able to show a “legitimate interest” under GDPR) who receive accreditation will be allowed access to full WHOIS. The current version of ICANN’s interim model for compliance with GDPR was published on March 8, 2018 and can be found here.
Despite less than 60 days until implementation of GDPR, ICANN’s interim model leaves open substantial questions concerning the future availability of WHOIS data, including the following:
- The interim model would allow registrars to apply the new restrictions in GDPR “without regard to the location of the registrant,” thus potentially affecting the ability to identify and communicate with domain name registrants in the United States using United States-based registrars.
- The current ICANN model proposes making public an “anonymized” email address, which could be used to contact the registrant, but would make it more difficult to search for other domain names owned by the same registrant (called a “reverse WHOIS” search). This ability is currently an important tool for brand owners and cybersecurity researchers.
Beyond the difficulties in identifying what WHOIS must look like to comply with GDPR, ICANN is highly unlikely to implement the type of accreditation system envisioned by its interim model before the May 25 deadline. It remains unclear to what extent ICANN could provide a workaround prior to the new model being ready, but the result could be an indefinite “blackout” of WHOIS data by registrars who fear the substantial fines under GDPR.
Most recently, ICANN reached out to European Data Protection Authorities by letter seeking guidance on ICANN’s current compliance efforts, and alluded to the possibility that the DPAs could “continue to provide support to companies along the path to compliance beyond the GDPR effective date if the company has an established plan of action.” As it stands, however, brand owners, lawyers, and anyone else who relies on access to WHOIS data should pay close attention to this rapidly evolving situation.