April 23, 2018
What will the GDPR mean for WHOIS?
What will the GDPR mean for WHOIS?

With Europe’s General Data Protection Regulation (“GDPR”) coming into effect on the 25 May 2018, the future of WHOIS is looking a little clearer (and barer) in view of ICANN’s recently published Proposed Interim Model for GDPR Compliance (“Model”). The effects of the GDPR are wide ranging. However, in terms of how this impacts WHOIS, the GDPR affects how registries and registrars list the personal information of domain name registrants in publicly accessible WHOIS directories.

WHOIS has long been a point of contention between ICANN and European registrars, as the requirement by ICANN to list the personal information of domain name registrants in publicly accessible WHOIS directories does not comply with EU data protection law.

However, the GDPR, which brings a new set of penalties for companies that do not adequately protect the personal data of users in Europe, has forced the discussion around the future of WHOIS.

The Model, also known as the ‘Calzone Model’ (a reference to the pizza analogy used by ICANN’S CEO during a recent webinar), proposes a number of changes to the accessibility of WHOIS information.

Whilst registries and registrars will still be required to collect the same amount of information as they were previously, only very limited information will be made available on WHOIS. ICANN has provided a sample of how WHOIS would look in the event that this Model is implemented.

As can be expected with such wholesale reforms, there are a number of changes that have garnered significant attention from brand owners and Intellectual Property professionals. In particular:

  • The Model will be available to registrars and registries that are not formally governed by GDPR requirements (for example because they are not within the EEA) and the Model effectively changes the entire global WHOIS system as a result of EU regulation.

  • Whilst GDPR only relates to personal data of natural persons, the Model applies to legal persons too. The justification is that it would put a burden on registrars to determine whether information relates to an individual or a legal entity, and that in some circumstances the WHOIS for a legal entity contains information relating to a natural person (e.g. the email address of an individual).

  • The WHOIS record must now include an anonymised email address that can be used to contact the registrant. Exactly how this will be put in place is yet to be seen. It is not clear whether each domain name registration will have a unique anonymised email address or whether each registrant will have only one anonymised email address for all domain name registrations. This could have a significant impact on the effectiveness of reverse WHOIS searches.

  • The Model imposes an accreditation programme for parties to enable them to obtain full (or at least more complete) WHOIS information. Exactly how this will work, and who will be authorised for accreditation is yet to be seen. The Governmental Advisory Committee (GAC) at ICANN is being tasked with working on the accreditation programme and developing a ‘Code of Conduct’ which requestors of information must adhere to.

The impact of the Model is far reaching and is likely to change how online infringement issues are tackled. Whatever happens, questions remain over the long term future of WHOIS. Whilst this Model addresses the issue in the short term for the purposes of compliance with GDPR ahead of the May deadline, a long-term solution is still needed.

Online Brand Enforcement /  Domains

Found this article interesting today?
Send us your thoughts: