GDPR v. WHOIS: Why Can’t ICANN Just Tell Me Who Owns That Domain Name Anymore?

Dorsey & Whitney LLP

The organization tasked with managing the Internet’s domain names is struggling to come to terms with Europe’s new data privacy law.  On June 18, 2018, the Internet Corporation for Assigned Names and Numbers (“ICANN”) published for discussion the draft Framework Elements for a Unified Access Model for Continued Access to Full WHOIS Data.  The Framework hopes to answer the question of how ICANN and its contracting parties can legally provide third parties with access to non-public data about the people and businesses behind registered domain names.  That access, provided via ICANN’s WHOIS platform, is vital for intellectual property rights holders and trademark lawyers, not to mention law enforcement cybercrime investigations and countless others.  The rub, however, is that the European Union’s General Data Protection Regulation imposes a number of limitations on data collection and access.

ICANN’s Framework hopes to navigate those limitations.  The Framework proposes a tiered-access model, wherein prospective users must apply for accreditation from government bodies before gaining access to full WHOIS data, which includes personal, private data. The Framework leaves open for discussion whether accreditation should permit total access to WHOIS data, or whether the credentialed user should be given access to limited data fields pertaining to the user’s stated purpose.  The Framework makes additional proposals towards responsible data management, such as requiring credentialed users and registrants to agree to specific codes of conduct that would limit data use based on their role.

Still, ICANN’s Framework faces an uphill battle.  The Framework includes several tough-to-swallow proposals, and seeks cooperation from entities who have already expressed reluctance to participate.  For example, ICANN wants registrars—those entities who manage the reservation of domain names for ICANN—to log every single WHOIS search and make those logs available to ICANN.  The Framework also contemplates fees for accreditation and, thereafter, additional fees for access to private data.  And ICANN wants members of the European Economic Area’s Governmental Advisory Committee to assist in the accreditation process.  That Committee however, already stated in March that it “does not envision an operational role in designing and implementing the proposed accreditation programs.”

Questions about ICANN’s Framework proposal are not the only challenges facing the organization’s WHOIS platform.  On May 25, 2018, the day GDPR took effect, ICANN filed a legal action against one of its registrars in Germany.  ICANN insisted the registrar was required to collect full, or “thick,” WHOIS data and transfer that data to a specified registry database.  The registrar, however, argued that most of the data was unnecessarily duplicative and therefore the registrar would be violating GDPR’s requirement that it collect and process as little personal data as necessary.  The German court rejected ICANN’s request for an order requiring the registrar to collect and transfer that data, although ICANN has several opportunities to appeal that decision.

ICANN faces pressure to manage the Internet’s domain names in a manner that allows businesses to defend their websites and law enforcement to investigate cybercrimes.   It also must comply with the GDPR and responsibly manage the personal, private data with which it is entrusted.  The proposed Framework works towards meeting those dual objectives, but must overcome several hurdles along the way.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Dorsey & Whitney LLP | Attorney Advertising

Written by:

Dorsey & Whitney LLP

Dorsey & Whitney LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.