GDPR and the future of WHOIS

With the EU General Data Protection Regulation (GDPR) coming into force on May 25, 2018, there are many questions surrounding the management and processing of EU citizens' data.

One of the questions that the domain community has been discussing for some time is how ICANN will change the WHOIS service to comply with the GDPR.

What is GDPR?

The European Union’s General Data Protection Regulation (GDPR) was developed to create data privacy laws across Europe that protect all EU citizens. The regulation will replace the Data Protection Directive 95/46/EC, and there are significant differences, such as:

  • Greater authority: The GDPR applies to any company that processes the personal data of anyone in the European Union, regardless of the location of the company.
  • Fines: Organizations, including both controllers and processors, that do not comply with the GDPR may be subject to a maximum fine of up to 4% of global annual revenues or €20 million (whichever is greater).
  • Consent: Consent must be requested in a clear, easily accessible way, and the request must be distinguishable from other matters. In addition, withdrawing consent should be as easy as giving it.
  • Infringement notification: Infringement notifications will be required, and must be completed within 72 business hours of the organization first identifying the violation.
  • Privacy: The GDPR requires data protection to be built in from the beginning of system design, not added on afterwards.

Currently, domain name providers are required to obtain full personal or business information when registering a domain. This data must be public and accessible through the WHOIS service.

The GDPR, by regulating the use and availability of personal information collected from domain name registrars, may affect access to WHOIS data, at least in the short term. ICANN has received legal comments suggesting that the current model for providing registration and contact information will not be consistent with the GDPR.

ICANN is developing a temporary “tiered access” model to ensure compliance. Much personal information will no longer be widely published, while some third parties (such as law enforcement) will be allowed full access to WHOIS. ICANN's temporary model was released on March 8, 2018.

Although only one month remains before the GDPR takes effect, there are still many important open issues concerning the future of WHOIS data, such as:

  • When the information is limited by the GDPR, how can you identify and contact the registrar?
  • The current ICANN model proposes an “anonymous” email address, which can be used to contact the subscriber, but this will make finding other domains of the same subscriber more difficult.

In addition to the difficulty of handling WHOIS data in compliance with the GDPR, it is difficult for ICANN to deploy its interim model ahead of May 25. It is still unclear what specific solutions ICANN will provide for registrars to follow.

In a recent effort, ICANN has contacted GDPR to seek guidance. Coupontree will continue to post updates as new information becomes available.
