GDPR and WHOIS - We've Heard from the Article 29 Working Party, Now What?

By Matt Serlin
Matt Serlin

Well, here we are on Friday the 13th and I couldn't think of a better way to spend the day than providing an update on GDPR, WHOIS and ICANN. There's lots to cover, so let's dive right in.

As we have been talking about for a number of months now, the EU's new General Data Privacy Regulation (GDPR) will become enforceable on May 25th. The ICANN community has been struggling with how GDPR will impact the WHOIS system.

This week, ICANN engaged with the Article 29 working party (an advisory board made up of representatives of each of the data protection authorities of each EU member state) to obtain guidance on whether its proposed model is GDPR-compliant. The community was eagerly awaiting this feedback and it was provided to ICANN.

The feedback received was, in some ways, predictable. The working party applauded ICANN for proposing an interim model which included an accreditation program for access to non-public WHOIS information; however, the group indicated the purposes for collection of personal data was not sufficiently detailed, and it urged "ICANN to revisit its current definition of "purposes" in light of these requirements." It also stressed to ICANN the need to link each specific purpose of the collection of data to a relevant legal basis.

The group also raised concerns with how the access to non-public WHOIS information would be granted and what data elements would be available to those parties. Again, the notion of specific legal basis for access to this data was highlighted, in addition to points about unauthorized access and the overall security of that data.

For those who were hoping for some sort of enforcement moratorium or forbearance of GDPR relative to registrars and registries, there was no such mention of that in the communication to ICANN. In the eyes of the Article 29 working party, the enforcement date of May 25th will not be changing. To underscore the scrutiny this subject is getting, the US Commerce Secretary has sent a letter to the European Commission asking for help, "in securing temporary forbearance from GDPR enforcement on the process of WHOIS information."

So where does this leave us? At this point, that IS the million-dollar question, and I'd like to make the following observations:

With an enforcement date of May 25th, it's clear that uncertainty is the only certainty and that events are going to unfold at a rapid pace. As always, we'll continue to monitor this topic closely, and we'll provide updates as they become available.

By Matt Serlin, SVP, Client Services and Operations at Brandsight

Related topics: DNS, Domain Names, ICANN, Policy & Regulation, Privacy, Whois