How will GDPR affect the world of internet policy and systems of domain name registration?
Data protection - ICANN/WHOIS and the GDPR
The Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit organisation responsible for coordinating the maintenance and procedures of several databases related to the namespaces of the Internet. The WHOIS system is an open access service which publishes the name, address, company (if applicable), email address and telephone number of every domain name registrant. Having been created in 1982, it has always been seen as somewhat problematic in relation to the protection of individuals’ privacy.
In 2013, the initial report of ICANN’s Expert Working Group recommended that the present form of WHOIS should be abandoned and replaced with a system that keeps most registration information secret or “gated” from most internet users and only discloses information for permissible purposes. The list of permissible purposes includes domain name research, domain name sale and purchase, regulatory enforcement, personal data protection, legal actions and abuse mitigation.
The GDPR will impact all parties that contract with ICANN, including registrars, registries, data escrow companies and even ICANN itself. ICANN is both a data processor and data controller as it determines the requirements for data collection for domain registration and how the data is dealt with.
Why is this important?
WHOIS is a tool used by many companies and individuals to determine the owners of different domains, a practice that is increasingly important as the value of domains increases. It is an effective tool in domain name regulation and legal disputes revolving around similar domain names, including those taking unfair advantage of strong brands. But at its core WHOIS is all about personal data and the GDPR threatens its existence, at least in its current form.
ICANN is currently in the process of “reinventing WHOIS” and working on an “ICANN WHOIS beta” although this has yet to publicly progress. It seems that they are looking to replace the WHOIS system with a Registration Directory Service (RDS). The RDS would involve public access to some registration data which would have purpose-based disclosure and then gated access to more sensitive data. This would require the requestor to be accredited and have a Requestor ID.
ICANN has stated that the GDPR could affect its ability to maintain a single global WHOIS system, with two large generic top-level domains withdrawing public access to registrant information already. Changing WHOIS to either a “need-to-know” or RDS basis will change the approach currently used regarding data storage and publication. It’s a classic tug of war over how strictly WHOIS should be regulated. On the one hand, judicial authorities and intellectual property practitioners are striving to have better access to data in order to act against infringements and cybercrimes; on the other, privacy and data protection groups want a strict approach over the access and storage of data to protect the privacy of the web.
It’s hard to tell, but hopefully we can expect tiered (or gated) access to certain elements of WHOIS – for example, full data availability for law enforcement, lawyers and those with intellectual property interests, but not full access for the public. In the meantime, it’s possible that we’ll see more registrars turn off their WHOIS data access in the run-up to the GDPR; registrars are already on record threatening to do so.