GDPR: Domain Name Ownership Transparency and the Future of WHOIS


GDPR (General Data Protection Regulation) was born out of a data protection reform effort by the European Commission to protect a person’s ability to control his personal information. GDPR includes a set of rules governing the sale of personal data by internet-based companies like Facebook and Google, and imposes fines on companies that do not obtain users’ permission before selling their data.

GDPR compliance applies both to European Union organizations and to organizations that offer goods or services to people in the EU. This means that almost every major corporation must be compliant, including ICANN, The International Corporation for Assigned Names and Numbers. For years, third parties have used ICANN’s WHOIS data to spam domain registrants.

ICANN and the WHOIS Database

ICANN is a non-profit organization founded in 1998 to coordinate the internet’s domain name system (DNS). Domain names are sold by domain registries under contract with ICANN. Under ICANN’s requirements, registrars collect domain registrant information and publish it in the WHOIS database. WHOIS is not a centralized database. It is data managed by the registrars to answer the question “who is” the registrant of a domain.

According to ICANN, domain name ownership under GDPR continues to require domain registrants to provide accurate contact information and to maintain the accuracy of that information. The information is intended to protect intellectual property rights and to serve stakeholders such as law enforcement and others in the enforcement of trademarks or other rights. Domain name ownership under GDPR means that registrars publishing the personal information of domain owners may come into conflict with GDPR regulations.

The Future of the WHOIS Database

When GDPR was implemented on May 25, 2018, ICANN had taken no action to change its requirements for domain registry services other than pointing to the requirement of the registry services themselves to control the data. So when EPAG, a German domain registrar, refused to comply with its ICANN contract in collecting the required domain registration information due to GDPR compliance, ICANN filed a request for an injunction against EPAG. The German court denied ICANN’s request, and a German appellate court upheld the ruling. According to the court, ICANN failed to demonstrate that “interim relief was necessary in order to avert irreparable harm.”

For organizations like EPAG, complying with WHOIS data collection may put them at risk of substantial fines for failing to protect personal data. Under GDPR, organizations may be sued for failure to control how personal information is used. As a result, some of the protections intended by ICANN cannot be delivered through enforcement of WHOIS data collection, and the future of the WHOIS database is unclear.

A long-term model for WHOIS may still be in the works. ICANN continues to move forward with its strategic planning and invites the public to become involved. The organization recently published its strategic plan for fiscal years 2021 through 2025. This plan is open for public comment through February 11, 2019.
