
How will GDPR affect the world of internet policy and systems of domain name registration?

Published on 18 December 2017

Data protection - ICANN/WHOIS and the GDPR

The background

The Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit organisation responsible for coordinating the maintenance and procedures of several databases related to the namespaces of the Internet. The WHOIS system is an open access service which publishes the name, address, company (if applicable), email address and telephone number of every domain name registrant. Having been created in 1982, it has always been seen as somewhat problematic in relation to the protection of individuals’ privacy.

In 2013, the initial report of ICANN’s Expert Working Group recommended that the present form of WHOIS should be abandoned and replaced with a system that keeps most registration information secret or “gated” from most internet users and only discloses information for permissible purposes. The list of permissible purposes includes domain name research, domain name sale and purchase, regulatory enforcement, personal data protection, legal actions and abuse mitigation.

The development

The GDPR will impact all parties that contract with ICANN, including registrars, registries, data escrow companies and even ICANN itself. ICANN is both a data processor and data controller as it determines the requirements for data collection for domain registration and how the data is dealt with.

Why is this important?

WHOIS is a tool used by many companies and individuals to determine the owners of different domains, a practice that is increasingly important as the value of domains increases. It is an effective tool in domain name regulation and legal disputes revolving around similar domain names, including those taking unfair advantage of strong brands. But at its core WHOIS is all about personal data and the GDPR threatens its existence, at least in its current form.

ICANN is currently in the process of “reinventing WHOIS” and working on an “ICANN WHOIS beta” although this has yet to publicly progress. It seems that they are looking to replace the WHOIS system with a Registration Directory Service (RDS). The RDS would involve public access to some registration data which would have purpose-based disclosure and then gated access to more sensitive data. This would require the requestor to be accredited and have a Requestor ID.

ICANN has stated that the GDPR could affect its ability to maintain a single global WHOIS system, with two large generic top-level domains withdrawing public access to registrant information already. Changing WHOIS to either a “need-to-know” or RDS basis will change the approach currently used regarding data storage and publication. It’s a classic tug of war over how strictly WHOIS should be regulated. On the one hand, judicial authorities and intellectual property practitioners are striving to have better access to data in order to act against infringements and cybercrimes; on the other, privacy and data protection groups want a strict approach over the access and storage of data to protect the privacy of the web.

What next?

It’s hard to tell, but hopefully we can expect potentially tiered (or gated) access to certain elements of WHOIS – for example, full data availability for law enforcement, lawyers and those with intellectual property interests, but not full access for the public. In the meantime, it’s possible that we’ll see more registrars turn off their WHOIS data access in the run-up to the GDPR; registrars are already on record threatening to do so.