WHOIS is lining up to be the first victim of the General Data Protection Regulation (GDPR). It may soon be no more.
The Internet Corporation for Assigned Names and Numbers (ICANN) is the international non-profit organization charged with defining rules that regulate domain registrations. ICANN requires registrars (like the Verisigns and GoDaddys of the world) to transfer registrant contact information, like the registrant’s name, address and email address, for entry into the publicly available WHOIS database. Failure of a registrar to provide this information could result in the registrar losing ICANN accreditation.
Now enter the GDPR, which becomes effective on May 25, 2018. The GDPR governs collection of personal information within the EU and of information of EU residents that is collected outside of the EU. The GDPR has broad coverage, to say the least. The GDPR attempts to unify data protection rules among all EU member countries. The GDPR even governs personal information that is publicly available and provided voluntarily. Valid consent to collect information must be given in a manner dictated by the GDPR, and provisions in online terms will not suffice. Domain registration procedures do not obtain valid consent required by the GDPR.
Potential fines for violations of the GDPR put fear in the hearts of every privacy professional – up to the greater of €20 million or 4% of a company’s global revenue!
When weighing potential massive fines for violating the GDPR and a loss of certification from ICANN from failing to transfer the registrant data to the WHOIS database, registrars are likely to risk the ICANN consequences – and ICANN recognizes the predicament. As a matter of fact, registrars have already begun refusing to transfer the data. See https://www.icann.org/en/system/files/correspondence/sprey-to-Marby-9oct17-en.pdf
ICANN has already received notice from an EU representative indicating that the WHOIS database does not comply with the GDPR requirements. See notice here: https://www.icann.org/en/system/files/correspondence/falque-pierrotin-to-chalaby-marby-06Dec17-en.pdf. The notice proposed alternative approaches that are probably prohibitively expensive for many registrars to implement. See here for a memo commissioned by ICANN from an outside law firm – it does not offer ICANN realistic options - https://www.icann.org/en/system/files/files/gdpr-memorandum-part1-16oct17-en.pdf
It sounds like the WHOIS database’s days are numbered. What’s the downside? Identifying and contacting domain name registrants will become much more difficult. This can impact those seeking to acquire a domain name, or those seeking to enforce cybersquatter and trademark laws. Additionally, WHOIS is the best way to locate contact and server information when seeking to send a DMCA takedown notice for content that infringes a third party’s copyright. The WHOIS information is used regularly by law enforcement. Also, in order to file a complaint under the Uniform Dispute Resolution Policy (UDRP), you must use the WHOIS contact information – so that procedure will need to be modified.
The writing is on the wall. Access to WHOIS data is going to become much more restricted for data of EU citizens.
If you want to discuss legal issues relating to information technology, please contact us.