When the European Union General Data Protection Regulation (GDPR) comes into force on May 25, 2018, what will happen to currently-available domain registration data in WHOIS? The GDPR restricts how personal data about natural persons residing in the European Union can be collected, used and transferred, and it defines “personal data” very broadly.
Today, anyone can use WHOIS to look up the name, mailing address, phone and fax numbers, and email address for the registered owners or assignees of domain names or IP address blocks. Those details are personal data to the extent that they can be connected to an individual. WHOIS data is used by intellectual property owners and attorneys, security researchers, journalists, consumers and consumer protection agencies, and law enforcement authorities, among others.
On March 26, ICANN (the Internet Corporation for Assigned Names and Numbers) asked the European data protection authorities (“Article 29 Working Party”) for guidance on how to reconcile WHOIS information with the GDPR. Specifically, ICANN asked whether the Working Party would: (a) allow ICANN to implement an interim compliance model with tiered access to data and an accreditation program and (b) provide a moratorium on enforcement of the GDPR against WHOIS until a more permanent solution could be implemented.
On April 11, the Article 29 Working Party notified ICANN that, paraphrasing Captain Barbossa, it was disinclined to acquiesce to this request (i.e., no), at least with respect to blessing the interim compliance model. The response didn’t directly address the request for a moratorium. Separately, the Article 29 Working Party invited ICANN to meet for further discussions on April 23, barely a month before the GDPR goes into effect.
It’s hard to imagine how ICANN and the registrars who maintain the data can meet the GDPR requirements by May 25 without taking down WHOIS or at a bare minimum scrubbing all registration information with physical addresses in the EU. (This is not fool-proof, as an EU resident may be the site administrator for a domain for a business located outside the EU.) The registrars, as data controllers, will be liable for up to four percent of their annual revenue for disclosing personal data in violation of the GDPR.
A number of registries have already announced that they will mask or stop providing personal data of domain owners to the WHOIS database, including GoDaddy in the U.S., FRLRegistry in the Netherlands, DENIC in Germany, and Nominet in the U.K.
Ironically, some of the biggest losers in this scenario are EU residents who want to contact website owners to request that their personal data be corrected or deleted. Without access to WHOIS information, these individuals will have to hope that website owners provide accurate contact information (and actually respond to requests) on their websites.
Iris Rigter on IPWatchdog suggests several possible workarounds for identifying domain ownership without access to WHOIS information, including:
- Doing a reverse domain check based on IP address information,
- Searching the Wayback Machine on archive.org, and
- Taking legal action against the domain registry organization.
To learn more about how Tripwire can help with GDPR compliance, click here.