Can WHOIS survive GDPR?

28/11/2017

At a glance

There’s no question about it: the GDPR deadline is fast approaching. Whilst most businesses are busy mapping their data and deciding whether or not the appointment of a data protection officer is necessary, IT staff and tech lawyers are considering the potential impact on one of their most-used databases – the WHOIS service.

IT news site, The Register, has put the issue as bluntly as ‘Incoming Euro privacy rules torpedo domain registration system’.

WHOIS

ICANN’s WHOIS Lookup is a free, open-access service to look up details of any domain, to find out expiry dates, registrar and, crucially, the domain name owner. This is obviously useful (and necessary) in a number of scenarios, for example:

  • dealing with cybersquatting;
  • approaching domain owners for possible purchase(s); and
  • identifying the owners of infringing domains.

The WHOIS service first launched in the early 1980s with its management, for the top level domains, being transferred to ICANN in 1999.

Background for WHOIS

A ‘domain name’ is the unique name of a website or website address. A ‘domain name registrar’ is a service which enables you to officially register your required domain name. The majority of domain name registrars are ICANN accredited. ICANN coordinates these unique domain identifiers globally to enable the running of the worldwide internet.

As part of the ICANN accreditation, accredited registrars are required (under their ‘Registrar Agreements’) to collect and provide ICANN with certain data and information (including names of owners) to enable such information to be published via ICANN’s WHOIS. According to the ICANN WHOIS website:

Based on existing consensus policies and contracts, ICANN is committed to implementing measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information, subject to applicable laws.

So, at present, there is little alternative for registrars but to supply this information and allow the ownership data to be published online.

But why is this relevant to the GDPR?

As we know, from 25 May 2018, the Data Protection Directive (DPD) will be replaced by the EU General Data Protection Regulation (GDPR) which will have direct effect across the EU, without the need for national implementation. All businesses must comply by then.

The challenge is that much of the information published on WHOIS is ‘personal data’. How does that then sit with GDPR compliance?

Isn’t ICANN’s WHOIS a US-based organisation?

Yes but, importantly, the scope of the GDPR extends far beyond the UK and even the EU.

Controversially, the GDPR will have ‘extra-territorial effect’. This means that compliance with the GDPR will be required outside of the EU in certain circumstances, for example:

  • to organisations outside the EU that offer goods or services to individuals in the EU; or
  • where data processing activities relate to the monitoring of data subjects’ behaviour which takes place within the EU.

GDPR is therefore likely to extend to WHOIS when registrars (established outside of the EU) provide domain name registration services to individuals located within the EU and supply their details to WHOIS. Moreover, the personal data is then available for access, online, by anyone within the EU.

So, what’s the problem?

At least two internet registries (those for .amsterdam and .frl) are in conflict with ICANN over the continued legitimacy of their contracts, which require WHOIS publication of registrants’ data. The registries have written to ICANN maintaining simply that ‘ICANN’s position is mistaken. Publishing all of the registrants’ data as required by the [Registry Agreement] is a clear breach of the EU Regulation 2016/679.’

Was valid consent ever given by the relevant individual owners to permit their personal data being made available on WHOIS? The registries have pointed out the absence of any condition in Article 6.1 of the GDPR which might otherwise have allowed for such publication.

At the most recent ICANN60 meeting, which took place in Abu Dhabi from 28 October to 3 November, the above concerns were dominant. Following this meeting, ICANN published a statement which admits that the impact of the GDPR on ICANN’s WHOIS is still “uncertain”.

ICANN have equivocated on this issue:

“During this period of uncertainty, and under the conditions noted below, ICANN Contractual Compliance will defer taking action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data. To be eligible, a contracted party that intends to deviate from its existing obligations must share its model with ICANN Contractual Compliance and the Global Domains Division.”

And in the UK, what about Nominet?

Nominet provides its own ‘WHOIS’ directory for all .uk, .cymru and .wales domain names.

Its service is modelled on ICANN’s WHOIS requirements and provides open access to registration details of registered domain name owners (including their address).

Interestingly, the Nominet WHOIS service enables certain non-trading individuals to ‘opt-out’ of having their address published in the WHOIS directory. This is possible where: they are an individual (i.e. not a company or association); and the domain name is not used to (i) transact with customers; or (ii) to advertise goods, services, facilities etc.

It is not clear whether such a facility – opt-out only – could however be enough to offer GDPR compliance, going forward.

What next?

There have been urgent discussions as to how the WHOIS service may continue to run. The future availability of the WHOIS service in its current form to both IT professionals and the general public is now in doubt; the WHOIS service will inevitably have to change.

ICANN has declared “The ICANN Board, org and community are engaged in multiple efforts to assess the impact of the GDPR on registry and registrar obligations in ICANN agreements and policies, and we continue to work …. to understand this impact”.

There is no indication of the timescale by which ICANN expects to have a resolution.

As to Nominet, it is expected to publish its approach to GDPR early in 2018.

Ramifications for other commercial and public registers

The issues encountered for WHOIS may also be relevant for other public and private registers.

Personal data is often freely available from many registers, including the electoral register, the Land Registry and the DVLA.

As an example, is there adequate justification for publishing the full name, month and year of birth and nationality of each and every director of English companies on the Companies House beta search service?

The WHOIS issue has even more obvious issues for commercial or private registers which have no statutory remit. A free database such as the movie database, IMDb, offers up huge amounts of personal information for directors, agents, actors and other film professionals often disclosing significant levels of personal information.

The record for Eddie Redmayne, for instance, gives extensive information including date of birth, education, career history and indeed height. This kind of information may be contributed by the actor’s agent or may be written and uploaded independently. Without explicit consent from all individuals on the database, however, it is difficult to see how and in what form such extensive information can continue to be available to European viewers once the GDPR comes into force.

As we move towards the May implementation date, there is one certainty – that many businesses and public sector organisations will have to confront some very unexpected changes to their products and services.

This article was written by Robin Fry, Emily Parker & Sophie Moonshine. For more information, please contact a member of our Commercial, Media & Technology (CMT) team.
