Following last week’s discussion of the significant Whois changes that compliance with the GDPR will require, here are some resources that I hope will help put things into a broader context.
A letter to ICANN from the Article 29 Working Party, December 6, 2017 (PDF)
The Article 29 Working Party (“WP29”) is an advisory body established in 1996 under the EU’s Data Protection Directive (soon to be replaced by the European Data Protection Board under the GDPR). This letter to ICANN directly addresses the public Whois and how that system intersects with data privacy laws. WP29 says “unlimited publication of personal data of individual domain name holders raises serious concerns regarding the lawfulness of such practice under the current European Data Protection directive,” suggesting that this will be the case under the GDPR as well since it is based on the same principles. WP29 also states:
“Whilst the data protection authorities united in WP29 recognize that, inter alia, enforcement authorities entitled by law should have access to personal data in the WHOIS directories, they also underline that the original purposes of the WHOIS directories can be achieved via layered access. In this respect, the unlimited publication of WHOIS-data does not appear to meet the criteria of article 6.1 (c) of directive 95/46/EC (personal data must be adequate, relevant and not excessive in relation to the purposes of the WHOIS directories).”
This is the same conclusion that we arrived at — the public Whois system as it exists today is incompatible with the principles of data privacy that the GDPR affirms. It is gratifying to see this strong statement coming out of the EU, especially since it aligns with our own understanding of the changes to our domain registration infrastructure that the GDPR will require. Hopefully, this prompts ICANN to review and update their policies, allowing Registrars and Registries to comply with applicable laws with no concerns about breaching the affected sections of their ICANN contracts.
“ICANN under pressure over GDPR preparations, as future of WHOIS is mired in uncertainty”
Originally posted on World Trademark Review, this blog post was written for the benefit of trademark holders but contains useful insights for anyone with a connection to the world of domain names. If you’re looking for an overview of recent events related to how ICANN’s Whois plans—and those of its larger community—are progressing, this article outlines many of the challenges the GDPR presents to those operating within the domain industry, and highlights some conflicting opinions put forth by various stakeholders.
ICANN’s GDPR legal analysis
ICANN is working with an EU-based law firm, Hamilton Advokatbyrå, to gather legal advice related to the GDPR’s impacts on the domain name system; this page on the ICANN site will hold analysis from Hamilton as well as related documents. The first part of this analysis was posted on October 16, 2017 and responds to a series of questions that ICANN had laid out. In this response, Hamilton suggested that ICANN should evaluate the purposes for which personal data is being processed (displayed in the Whois). They also confirmed that these purposes could likely be achieved while remaining in compliance with the GDPR by using a gated Whois model, as we discussed in our previous post. We don’t yet know how ICANN will act on this information. Part 2 of the Hamilton analysis, which will look at the GDPR’s broader impact beyond the Whois system, is said to be “coming soon.”
Dutch DPA: unlimited publication of Whois-data violates privacy law
The .AMSTERDAM and .FRL registries are at odds with ICANN over the publication of personal data in the public Whois for these two TLDs. You can read the letters back and forth between ICANN and Jetse Sprey, who represents the .FRL registry, on ICANN’s data protection page, and there’s a good recap of the situation at Domain Incite. The Dutch Data Protection Authority stepped in with this statement indicating that publication of personal data in the public Whois does, in fact, violate current Dutch law, and will also violate the GDPR. This gave .AMSTERDAM and .FRL a basis to argue to ICANN that they’re not in breach of their Registry Agreement. The statement also acknowledges that there may be technical or legal reasons why personal data should be accessed, but argues that default publication of registrants’ full contact details in the public Whois should not be permitted.
Letter from CENTR answering ICANN questions (PDF)
ICANN contacted various registries with a series of questions requesting information about how data protection laws are currently addressed. You can read the initial request here (PDF). CENTR, the Council of European National Top-Level Domain Registries, was unable to share some of its confidential discussions but provided general information that came out of a June 2017 survey. One notable statistic from this survey is that over 40% of these registries plan to hide some fields from the public Whois. I’m looking forward to the results from the next survey, which should hopefully be available before the end of 2017, and will tell us more about the ‘state of mind’ of these European ccTLD registries.
While the future of Whois may be unclear at this point, it is clear that change is coming. We are moving ahead on our work towards a gated Whois, a solution which resulted from extensive legal and regulatory investigation and which we believe balances our legal obligations with our contractual requirements to ICANN. While a consistent, industry-wide approach to Whois, led by ICANN, would be ideal, it seems right now to be a far-off prospect.