GDPR and WHOIS - We've Heard from the Article 29 Working Party, Now What?

Matt Serlin

Well, here we are on Friday the 13th and I couldn't think of a better way to spend the day than providing an update on GDPR, WHOIS and ICANN. There's lots to cover, so let's dive right in.

As we have been talking about for a number of months now, the EU's new General Data Privacy Regulation (GDPR) will become enforceable on May 25th. The ICANN community has been struggling with how GDPR will impact the WHOIS system.

This week, ICANN engaged with the Article 29 working party (an advisory board made up of representatives of the data protection authorities of each EU member state) to obtain guidance on whether its proposed model is GDPR-compliant. The community was eagerly awaiting this feedback and it was provided to ICANN.

The feedback received was, in some ways, predictable. The working party applauded ICANN for proposing an interim model which included an accreditation program for access to non-public WHOIS information; however, the group indicated the purposes for collection of personal data were not sufficiently detailed, and it urged "ICANN to revisit its current definition of 'purposes' in light of these requirements." It also stressed to ICANN the need to link each specific purpose of the collection of data to a relevant legal basis.

The group also raised concerns with how the access to non-public WHOIS information would be granted and what data elements would be available to those parties. Again, the notion of specific legal basis for access to this data was highlighted, in addition to points about unauthorized access and the overall security of that data.

For those who were hoping for some sort of enforcement moratorium or forbearance of GDPR relative to registrars and registries, there was no mention of that in the communication to ICANN. In the eyes of the Article 29 working party, the enforcement date of May 25th will not be changing. To underscore the scrutiny this subject is getting, the US Commerce Secretary has sent a letter to the European Commission asking for help "in securing temporary forbearance from GDPR enforcement on the process of WHOIS information."

So where does this leave us? At this point, that IS the million-dollar question, and I'd like to make the following observations:

  • While May 25th may be the date of enforcement, that clearly will not mark the end date of this. In its response back to the working party, ICANN boldly stated, "...we are studying all available remedies, including legal action in Europe to clarify our ability to continue to properly coordinate this important global information resource." No one is quite sure what legal action, in this case, would even look like, but that was a rather stunning statement for ICANN to make. And with high-level government officials now getting involved, who knows where this will lead?
  • The WHOIS system, as it has been known for two decades, will cease to exist. Unfettered access to registration information for gTLDs is simply not going to be possible going forward after May 25th. Yes, there are still questions as to what the final model ICANN puts forth will be, but it will certainly drastically change how WHOIS will function.
  • In addition to the global WHOIS system becoming fragmented, I believe that the ICANN community itself will become increasingly fragmented. The contracted parties (registrars and registries) are on the hook for severe penalties for violation of GDPR. They are being conservative in their approach, which is understandable. The main users of WHOIS (namely the Intellectual Property Constituency and the Business Constituency) have proposed an accreditation model for access to non-public WHOIS information to ensure access for purposes such as cybersecurity, intellectual property, and law enforcement, but there has been push-back on that proposal as it was developed by two specific groups within the community and is being done outside of the standard process for policy development.

With an enforcement date of May 25th, it's clear that uncertainty is the only certainty and that events are going to unfold at a rapid pace. As always, we'll continue to monitor this topic closely, and we'll provide updates as they become available.

By Matt Serlin, SVP, Client Services and Operations at Brandsight