Summary: Following the General Data Protection Regulation (GDPR) becoming fully applicable on 25 May 2018, the Internet Corporation for Assigned Names and Numbers (ICANN) has taken the decision to require domain name registries to remove public access to the contact names and details of domain name registrants, in order to protect the personal data and privacy of those registrants under the GDPR.
ICANN’s previous requirement for full public disclosure of a registrant’s details does not harmoniously coexist with GDPR, and nearly all contact details have now been removed from publically available WHOIS records. WHOIS is a database that is much like a millennial version of the ‘Yellow Pages’ and provided publicly available contact information with regards to the owner of a domain name, overseen and maintained by ICANN. The requirement to conceal this data post- GDPR has had immediate consequences for domain name registration companies and has had a knock-on effect for brand owners who seek to enforce their rights in respect of online IP infringement involving registered domain names.
Aside from the inconvenient and restrictive nature of limiting data previously freely provided by the WHOIS service, the ability to register domains anonymously has also raised issues in relation to security on the internet. Security professionals who rely on WHOIS to query ownership about a domain, IP address or subnet have been detrimentally affected by the masking of this information which has hampered their efforts in the fight against cybercrime. Intellectual property lawyers have also expressed concerns that they can no longer find out who should be approached where there is an infringement of intellectual property rights online. Although some registrars have put in place a method for interested parties to lodge a bona fide access request to obtain a registrant’s details, it is unclear how much information will be released and in what instances a court order will be required.
An interim model has been put in place by ICANN so that the WHOIS service can still function, albeit in a very limited form.
The Initial "Cookbook"
In March 2018, ICANN proposed an interim model for compliance with the GDPR called “the Cookbook”. The Cookbook provided a unified plan and approach for how ICANN and the domain name registration industry could continue to operate in accordance with the GDPR. In order to comply with the GDPR, the plan required a shift from the previous requirement for registries and registrars to provide open, publicly available WHOIS services to an approach requiring a layered or tiered access model for WHOIS. Prior to more concrete regulations and models coming into place, the Cookbook suggested masking all contact information, thereby completely concealing who is responsible for managing or controlling the domains.
The Temporary Specification
The “Temporary Specification for gTLD Registration Data” was brought in by ICANN to implement the interim model suggested by the Cookbook and came into force on the enactment of the GDPR. In practice this means that very restricted WHOIS data is still made publicly available. Such data provides some limited information as to the name of the registrar, status of registration and the creation and expiry date of the domain name. Under this model the restricted WHOIS data can be made available in response to requests as an ‘emergency measure’.
A Unified Access Model for Continued Access to Full WHOIS Data
On 18 June 2018, ICANN released a working draft document to facilitate discussions about a potential unified approach to allow continued access to full WHOIS data for users with a legitimate interest. Under the proposed model, only a defined set of users, determined by governments within the EEA, would be granted reasonable access by registrars to personal data on the basis of a legitimate interest, except where such interests are overridden by the fundamental rights and freedoms of those data subjects. User groups which may be eligible to claim this exception might include intellectual property rights holders, law enforcement authorities or a member of an appropriate legal trade body, such as the Law Society. Although ICANN has estimated that this might not be operational until December 2018, it demonstrates a move towards more open access to WHOIS than is currently in place.
Practical Steps in Obtaining Data
For those rights holders seeking to obtain the full registrant contact information regarding a registered domain name, there are some limited options available. Once implemented in December 2018, the unified access model, detailed above, will provide an option to request access to the relevant information on the basis of having a legitimate and proportionate interest in the data. However, this will be limited to those who can (a) prove that they are within an ‘eligible user group’ and (b) show they have a legitimate interest in obtaining the data.
A more immediate option is to contact the registrant directly on an individual request basis via the anonymised email provided by the domain name registrar. WHOIS results still provide the name of the applicable registrar organisation that may be contacted to request consent from the registrant (the registered domain name holder) to release their details to the interested party. A less reliable but comprehensive alternative is to seek out archived WHOIS searches in order to obtain historic contact details for registrants prior to the implementation of GDPR. However, this information will have a very short shelf-life and will grow stale over time, until a more effective solution is put in place.
The Future of WHOIS
Earlier this year, ICANN filed an injunction against German domain name registrar ‘EPAG’ to compel it to continue collection of all registrant data required under its agreement with ICANN. An underlying objective of ICANN filing the injunction was also to obtain a clear statement from the court specifying what information may be disclosed by a WHOIS search in compliance with the GDPR. The court refused to issue the injunction, and the ruling has since been appealed to the Higher Regional Court of Cologne. Practitioners and businessowners alike are hopeful that the upcoming judgment will provide some long-awaited guidance concerning what registrant data may be permissible for domain name registrars to disclose in the GDPR era. Until then, and until the unified access model has been implemented, we shall continue to ponder the fate of the previously ubiquitous WHOIS service.