Steeped deep in discussions around the European Union’s General Data Protection Regulation (GDPR) for the past several months, it has occurred to me that I’ve been answering the same question for over a decade: “What happens if WHOIS data is not accessible?” One of the answers has been and remains the same: People will likely sue and serve a lot of subpoenas.

This may seem extreme, and some will write this off as mere hyperbole, but the truth is that the need for WHOIS data to address domain name matters will not disappear. Without the WHOIS system to reference—including automated access for critical functions—there will be no starting point and nowhere else to turn but to the registries and registrars who would need to address requests on ad-hoc and non-standardized terms. Contracted parties concerned with the cost of doing business should take note!

Today WHOIS data is used to: resolve matters involving domain name use/misuse/ownership; conduct investigations into the myriad of criminal activities involving domain names; carry-out day-to-day business transactions such as the routine tasks associated with managing domain name portfolios; buying and selling domain names; and protecting brands and IP—just to name a few uses.

Creating barriers to WHOIS access for such uses would unnecessarily increase risks and disputes for domain name registrants and create enormous burdens on all stakeholders—not the least of which would include significantly increased registry and registrar compliance burdens with substantial additional expenditure of resources. Simply put, unless an automated system for obtaining or verifying registrant contact information is maintained, we are likely to force a situation where parties need to pursue unprecedented quantities of Doe suits and subpoenas, and enter into motion practice (e.g., motions to compel) to access registrant data.

This is simply unnecessary!

The GDPR offers bases for maintaining a system for obtaining or verifying registrant contact information, including within Art. 6(1)(b) (performance of a contract), Art. (6)(1)(e) (performance of a task carried out in the public interest), and Art. 6((1)f) (legitimate interests). Moreover, having anticipated the GDPR and debated for nearly two decades the privacy aspects and concerns raised by the WHOIS system, the ICANN community has already produced numerous detailed recommendations that go toward addressing many of the concerns under discussion today (e.g., Final Report from the Expert Working Group on gTLD Directory Services: A Next-Generation Registration Directory Service). The existing ICANN community work product should be leveraged to simplify the task of accommodating existing contractual obligations and the GDPR with a model or “Code of Conduct” that reconciles the two. A Code of Conduct (as allowed for and encouraged under Articles 40 and 41 of the GDPR) is an especially attractive and efficient means for associations or other bodies like ICANN representing controllers or processors to demonstrate compliance with the GDPR through binding and enforceable promises that can be developed, approved, and enforced in a uniform manner—reducing risk and creating market efficiencies for all involved through reliance on a uniform “code” that has European Commission approval.

I’m hopeful that before our community heads down a path that could result in a system with fewer benefits for all stakeholders, we recognize that the WHOIS system is an important tool maintained and used to serve the public interest and that we work together to preserve this system in a manner that reconciles existing contractual obligations and the GDPR for the benefit of all involved.