When the European General Data Protection Regulation (GDPR) comes into force on 25 May 2018, access to critical domain name registration data identifying registrants will be limited. European data protection authorities have indicated that the current unrestricted publication of personal data on the WHOIS is not compliant with the GDPR.
ICANN slow to respond
ICANN, based in California, was slow to respond to GDPR despite the fact that it accredits both registries and registrars which sell gTLD domains such as .com, requiring them to provide accurate WHOIS information. This requirement to publish full WHOIS information will no longer be compliant with the GDPR. Therefore, work has been done to come up with a solution for gTLD WHOIS which will adhere to the privacy requirements of GDPR.
In February, ICANN published its draft of a proposed new interim model for gTLD WHOIS, which outlined a plan to mask the registrant name, street, city, postcode, phone number and email address, as well as the entire details of the administrative and technical contacts. The model envisages layered access to WHOIS data, whereby certain accredited users (law enforcement, IP professionals, etc.) would be able to obtain the full WHOIS data for a given domain. ICANN sent its draft model to the EU’s Article 29 Working Party (Article 29) – composed of the data protection authorities for each EU member state – and requested feedback on whether it would comply with the GDPR.
On 11 April, Article 29 responded to ICANN. Article 29 cautiously agreed with ICANN’s approach of limiting WHOIS data publication through layered access and the accreditation of users, and of allowing registrants to be contacted without publishing their email address. However, Article 29 identified a number of outstanding issues which require more work. Its main point was that there need to be much stronger controls around the type of data that is provided to accredited users, who can be accredited, and who has access to the data. Crucially, Article 29 advised that each request for full WHOIS data needs to be tied to a specific purpose, and be necessary to achieve that purpose. This implies that an accredited user would not be granted bulk access to WHOIS data, but would instead have to justify each WHOIS record lookup they request.
Bad news for brand protection
This is not good news for the brand protection industry. The letter from Article 29 suggests that it will become a cumbersome process for IP professionals to obtain WHOIS data through any kind of accreditation system. Furthermore, since it is likely to take considerable time for ICANN to agree and implement an accreditation system, there could be additional challenges during the interim period beginning on 25 May. As ICANN has not yet been able to agree on a WHOIS model that complies with GDPR, from 25 May registries and registrars are likely to each implement their own short-term solution for WHOIS. This will mean inconsistent WHOIS outputs from registry to registry and registrar to registrar. Without an accreditation system in place, it is unclear to what extent registries and registrars will provide full WHOIS data to IP professionals who request it (or what requirements they will ask for in exchange for access to the data). Some have suggested that they might even make a charge for the provision of data.
If you operate your own .brand TLD registry, such as .Gucci or .Ferrero, the impact should be minimal as long as you ensure that you only use corporate contact details in your registry WHOIS.
As the owner of a domain name portfolio (a domain registrant) you are not liable under the GDPR. However, your registrar may be liable if they are based in the EEA or if any of your contact details are from the EEA. Make sure that your registrar is acting now to replace any personal information in your WHOIS records with corporate data.
Whilst we might speculate about what WHOIS will be like in 18 months’ time, we can be sure that in the short term it is going to be fragmented and inconsistent. Brand owners need free access to accurate registrant information in a timely and predictable fashion in order to enforce against abusive registrations and to manage their own portfolios.
WHOIS under the proposed ICANN model
By Ashley Roberts, Senior Manager, Valideus and Nick Wood, Managing Director, Com Laude and Valideus. Nick is a member of the MARQUES Council and Cyberspace Team