GDPR and WHOIS: update

The GDPR and its implications for WHOIS

The GDPR regulates the processing of personal data with regard to the European Union in a much stricter way than in the past. In this dynamic, the new European regulation now obliges the registries and the registrars to obtain the consent of the registrants to collect their personal data and prohibits its disclosure to the public. The WHOIS then raised a problem for the protection of personal privacy. The public circulation of the identity, or other information relative to the holder of a domain name, as well as the administrative and technical contacts who may be natural persons, opens the door to the commercial exploitation of their data without prior consent. Now, this is precisely one of the problem issues the regulation was intended to handle. Changes relative to access to the personal data on the WHOIS sheets were in this respect essential for effective compliance. The model of WHOIS was called into question by the German EPAG registrar, which purely and simply stopped collecting the administrative and technical contact details for the new registrations, due to a strict interpretation of the regulation. ICANN then initiated legal action before the regional court of Bonn to apply for the continued collection of all the WHOIS data, so that this data remained available to the parties able to establish a legitimate reason for accessing it. ICANN appealed this judgement and the regional court of Bonn decided to hear the file again.

The ICANN’s compliance

ICANN was therefore forced to modify its WHOIS policy. To this end, it amended its contracts with the registries concerning their collection of personal data on 31 July 2017 (point 2.18 of the Registry accreditation agreement ) requiring registries to obtain the consent of any person who is a domain name holder before the publication of their personal data on WHOIS. From this perspective, ICANN retained the provisional model of WHOIS, reduced to the minimum and applied to all the domain name holders, in and outside the European Union on 28 February 2018  called the “Calzone Model”. The aim was to enable short term compliance between the WHOIS directory and the provisions of the GDPR, prior to a full revision of the system to find an optimal balance between the fight against cybercrime and data privacy. The information made available to the public will be the sign of the domain name, the administrative and technical info (dates, status, name of the registry, dns servers), the state and country of the holder, the name of the organisation for companies and a means of contacting the holder (anonymized email or web form). In the “Calzone Model”, the other information will in principle be confidential and only users accredited through an official programme, to be developed in the near future, will have access. For example, specialists in intellectual property law will be able to apply for accreditation from ICANN.

Application of the GDPR by the registries

Following the communications of ICANN, the registrars had to amend their way of processing personal data. In this respect, it is interesting to note a lack of consistency in their new confidentiality policies. For example, some registries now only leave visible the technical information of the domain and the country of the registrant. To communicate with the holder of the registered domain name, it is possible to use an online form to contact the registrant directly (GoDaddy, United States). Other registries have introduced a proxy service enabling the confidentiality of the personal data of the registrants (Namecheap). On the other hand, the Chinese registries continue, for the moment, to disclose the information about European citizens.

Which strategy to adopt?

 The above remarks lead us to believe that there is not yet stability regarding the application of the GDPR which remains disparate.

Faced with a project that is ongoing, the specialist counsels are still giving thought to the strategies to be adopted. In such a situation, it is in fact necessary to see how the dialogue will progress among the different players to find a model of WHOIS that is compliant with the GDPR, which will continue to be a key mechanism for combating cybercrime and more generally any infringement of rights perpetrated online.

At this stage, our team remains at your disposal for any further inquiries.