ICANN grapples with new GDPR threat to WHOIS

The Internet Corporation for Assigned Names and Numbers (ICANN) has published three interim models to enable WHOIS to comply with the EU General Data Protection Regulation (GDPR). At the time of writing, it is assessing feedback for the models, which could have a significant impact on rights holders’ access to accurate and reliable WHOIS data.

The regulation is due to come into force on May 25 2018 and requires explicit consent to be obtained for the collection and use (including publication) of personal data related to EU citizens. Reflecting concerns from both registries and registrars over their ability to meet the requirements of both ICANN and the regulation, the former recently announced that it would defer enforcement actions relating to the handling of registration data. It is also seeking to identify models which will allow compliance with regard to the WHOIS service, which allows access to domain name registrant details.

The first model would allow for the display of so-called ‘thick’ registration data, with the exception of the registrant’s phone number and email address, and the name and postal address of the technical and administrative contacts. To gain access to this information, third parties would be required to self-certify their legitimate interests for accessing it. The second model would allow the display of ‘thin’ registration data, as well as the technical and administrative contacts’ email addresses. Registries and registrars would be required to provide access to non-public information only for a defined set of third-party requestors certified under a formal accreditation or certification programme. The third approach would allow for the display of thin registration data and any other non-personal registration data. To access non-public information, a requestor would need to provide a subpoena or other order from a court or other judicial tribunal of competent jurisdiction.

Whichever model is adopted, questions remain over the longer-term compliance landscape. While ICANN is rushing to put in place an interim model, a long-term solution is still required. Rights holders are hopeful that this will not prevent their access to registrant information or significantly increase the administrative burden required to identify owners of infringing sites.

Counsel comment

There is growing concern about how ICANN will comply with the GDPR, whose enforcement sanctions come into force in May. A key question for rights holders is: how will ICANN comply with the regulation without unduly restricting global internet users’ access to the public WHOIS database? For nearly 20 years, internet users, businesses, law enforcement and consumer protection agencies have relied on WHOIS as a necessary resource. However, if it restricts access to such data, the regulation could seriously hamper the ability of brand owners to enforce their rights and protect consumers from infringement and online fraud.

Brian Winterfeldt, Winterfeldt IP Group