Consequences of the European General Data Protection Regulation on the WHOIS database

Les conséquences du Règlement Général pour la Protection des Données sur le fonctionnement des WHOISIn May 25, 2018, the European General Data Protection Regulations (GDPR) will enter into force and replace the European Data Protection Directive 95/46/EC that currently harmonizes data privacy laws. There is a growing concern among consumers to protect their privacy. With the constant evolution of technology and the increase in the quantity of data collected, the 1995 Directive had to be updated in order to stay relevant. One of such changes concerns WHOIS databases. Indeed, the GDPR provides new standards concerning the way WHOISes work.

The WHOIS database contains registrants’ names and contact details. Currently, ICANN is looking to replace the WHOIS system with the Registration Directory Service (RDS). Such a change will lead to different approaches regarding data storage and publication. On the one hand, judicial authorities and intellectual property practitioners wish better access to data in order to act against cybercrimes. However, on the other hand, privacy and data protection groups would rather obtain more restrictions on access and storage of data to protect the privacy of web users.

The GDPR will set the standards regarding those issues by imposing obligations upon businesses, registrars and registries. There is concern that the standards within the next generation gTLD Registration Directory Service and in the GDPR will not be compatible. Indeed, if a registrar or a registry complies with the new standards prescribed by ICANN, they might be in breach of the GDPR. WHOISes operated by registrars and registries will probably have to be handled differently, but should they follow the new provisions established by ICANN or by the GDPR? Both provide for sanctions in the event of a breach of their standards. The ones provided by the GDPR appear to be higher fines than the sanctions set by ICANN. Some registrars and registries have concluded that a breach of the next generation gTLD RDS is preferable than a breach of the GDPR.

ICANN discussed the matter at the Johannesburg meeting where it decided to create an ad hoc group to determine how WHOIS are used. The aim is to collect what they call “user stories” to assess the degree of compliance with the GDPR.

Hopefully, a solution will have been found by May 2018. Otherwise registrars and registries will have trouble complying with both the GDPR and the RDS. Dreyfus has been specialized for years in the field of domain names. Regarding this subject, we can provide legal advice on the best way to uncover the identity of domain name registrants.