The internet's main source of details on domain ownership is under threat as the deadline for compliance with the General Data Protection Regulation edges closer.
This could result in the demise of the Whois system or at the very least a scaling back of what is a useful source of information. Regardless of the outcome, this situation provides a useful reminder of the considerations businesses should now be taking into account when processing personal data.
Detail of Issue
As the 25 May 2018 adoption date for the EU General Data Protection Regulation (GDPR) approaches, another large data processor has felt the impact of the new regulation which creates obligations on data processors and further obligations on data controllers alike. The Whois system has recently been at the centre of a heated debate involving the GDPR and its own compliance with what is required come 25 May 2018.
Whois is a directory system administered by the Internet Corporation for Assigned Names and Numbers (ICANN) and contains the contact information of those who register domain names (collectively known as 'Whois data'). Issues have started to escalate recently as the owners of the .amsterdam and .frl registries collectively rejected the legal requirements of ICANN on the grounds the Whois contractual clauses conflict with the position under the GDPR and as such they are not enforceable. This will result in the relevant Whois data not being provided which strikes at the fundamental basis of the system.
This latest refusal to comply with ICANN's position highlights the growing issue of clashes between ICANN, European regulations and the companies who sell the domain names. For the companies who sell the domain names there is reluctance to verify that information provided is accurate, especially given their use in legal proceedings and further reform which increases the importance of the accuracy of the data will do little in the way to encourage their use of the Whois system.
A further sign of the difficult situation Whois faces is shown in the legal advice which was obtained and subsequently disclosed by ICANN. This advice details further challenges ICANN will face from the GDPR and paints a negative picture of the future of the Whois system.
An alternative system, called the Registration Data Access Protocol (RDAP) system, is currently being trialled as a potential replacement for the Whois system. The RDAP system works by restricting the data displayed dependent on who the user is – this would allow full access for law enforcement bodies but only allow restricted access for normal web users. This would allow for the necessary compliance and regulatory obligations whilst being compliant under the GDPR. The RDAP system is still in its relative infancy compared to Whois but could provide a solution for the problem the latter is facing.
Practical impact and considerations
For processing to be lawful under the GDPR, there are six processing conditions, of which at least one must be met in order to be compliant. As a business handling personal data, reliance on consent as a single lawful processing condition is risky as consent may be withdrawn at any time by the data subject. In this instance a business would have to rely on an alternative processing condition as continuing to use that data will be unlawful and could result in a fine from the Information Commissioners Office which can reach 20 million Euros or 4% of global turnover in for the most serious breaches. Due to the potential financial and reputational risk of breaching the GDPR it is advisable that a further processing condition is also used, for example, this may be the requirement to process data as required by a regulator such as the Financial Conduct Authority.