ICANN suspends WHOIS enforcement in response to GDPR fears

The Internet Corporation for Assigned Names and Numbers (ICANN) has announced that it is deferring enforcement actions over non-compliance with contractual obligations relating to the handling of registration data. The move is designed to ease registry and registrar concern over the ability to meet both ICANN and General Data Protection Regulation (GDPR) requirements.

The GDPR becomes enforceable on May 25 2018 and requires that explicit consent be obtained for the collection and use (including publication) of personal data relating to EU citizens. The regime could have a significant impact on future WHOIS data access. At its recent Abu Dhabi meeting, ICANN acknowledged: “At this point… we don’t know the extent to which personal domain registration data of residents of the European Union should continue to be publicly available.”

In October 2017 it emerged that two Dutch geographical top-level domains (TLDs) – ‘.amsterdam’ and ‘.frl’ – were refusing to provide public access to WHOIS information, arguing that the provisions in their registry agreements were “null and void” under Dutch and EU law. A recent member study conducted by the Council of European National Top-Level Domain Registries (the association of European country-code TLD (ccTLD) registries) has also revealed that almost half (46.4%) of responding ccTLD registries signalled an intent to hide certain data fields.

Reflecting these concerns, ICANN announced that it would defer taking action against any registry or registrar for non-compliance with contractual obligations in relation to the handling of registration data, provided that detail on the new model is shared. While ICANN has clarified that “Contractual Compliance would not defer enforcement if, for example, a contracted party submitted a model under which it abandoned its WHOIS obligations” in their entirety, it does give the green light to different approaches to WHOIS data being adopted while ICANN attempts to find “a path forward to ensure compliance with the GDPR while maintaining WHOIS to the greatest extent possible is a high priority”.

In a bid to do so, ICANN has commissioned legal analysis from European law firm Hamilton to assess how WHOIS will be affected by GDPR. It is forwarding community inputs to the firm in advance of the delivery of its next phase of advice and potential models for compliance.

Counsel comment

As brand, consumer and IP advocates, we are concerned about the action by the ICANN organisation to temporarily suspend the obligations of contracted parties to collect and publish accurate WHOIS data. We believe that it is premature to assume that GDPR is at odds with these principles, and that this response from ICANN is reactionary to concerns that the community has expressed without fully understanding all the issues and options. Brand owners [really] need to be aware of how ICANN is treating this issue, and stay involved in order to protect access to website ownership data. Reasonable and balanced access to registration data is of vital importance to brand owners, an essential first step to finding, and enforcing against, bad actors that target companies and, most importantly, consumers.

Brian Winterfeldt, Winterfeldt IP Group