The EU General Data Protection Regulation (‘GDPR’) comes into effect on 25 May 2018. It will mean tighter controls on the collection, processing, storage and making available of personal data.
GDPR will have wide and varied impacts across many areas of law, but it will also have a significant impact on ‘whois’ information. There is still much uncertainty but it is highly likely that there will be substantially reduced ‘whois’ data available in the future.
What is ‘Whois’ information?
‘Whois’ information is widely available and mostly used to identify who owns a domain name and provide information on the registration. As it can include ‘personal data’ (an owner’s name, address and often a contact email address and/or telephone number), to comply with GDPR and in order to publish such data, domain Registries and Registrars need to have obtained specific ‘opt-in consent’ from the owner concerned.
In the past, this has not been routinely obtained and it seems unlikely that many domain owners will opt-in voluntarily. For many years, domain owners have chosen to ‘hide’ their details by using a privacy service (at additional cost) but now they will be able to maintain their anonymity for free. The concern for brand owners, who frequently use ‘whois’ information to identify the owner of a domain name which infringes their right or due diligence, is that GDPR means personal data will no longer be available. This will make it much more difficult to identify (and in some cases, contact) a domain owner.
As GDPR affects personal data, the impact should only affect domains registered by natural persons. Many Registries and Registrars are, however, taking a conservative approach in light of the uncertainty concerning their requirements under the law. Therefore the changes will probably have a much wider impact.
Registries and Registrars are also implementing the changes in different ways. The UK Registry, Nominet, has confirmed that the key changes it is implementing are:
- Registrant data will be redacted from the ‘whois’ from 22 May 2018, unless explicit consent has been given.
- Law enforcement agencies will nonetheless be able to access all registry data via an enhanced searchable ‘whois’ service available free of charge.
- Other interested parties requiring unpublished information will be able to request access to this data via our data disclosure policy, operating to a one working day turnaround.
- The registration policy for all .UK domains will be standardised – replacing the separate arrangements currently in operation for second and third-level domains.
- The UK Registrar Agreement will be updated, renamed the .UK Registry-Registrar Agreement, and will include a new data processing annex.
- The existing Privacy Services framework will cease to apply.
Commenting on the changes, Nominet COO Ellie Bradley said: “We have taken a conservative approach to publishing data, to ensure that we do not fall foul of the new legislation. While, as a result, we will be publishing less data on the ‘whois’ – we have comprehensive procedures already in place that ensure that we will continue to respond swiftly to requests for information to pursue legitimate interests.”
GDPR means that it is highly likely that there will be substantially reduced ‘whois’ data available in the future. It will have a significant impact on due diligence work and the ability to conduct reverse ‘whois’ searches (to identify groups of domains in the name of a specific owner).
Whilst there is still much uncertainty, there should still be a way to contact domain owners (and much technical data will still be available). Individual Registries and Registrars are likely to have ‘tiered access’ to request further/all data – this will be available for law enforcement authorities and arguably, subject to the circumstances, should be available for brand owners for IP protection and enforcement.
GDPR means that it is highly likely that there will be substantially reduced ‘whois’ data available in the future.