GDPR v. WHOIS: Why Can’t ICANN Just Tell Me Who Owns That Domain Name Anymore?
The organization tasked with managing the Internet’s domain names is struggling to come to terms with Europe’s new data privacy law. On June 18, 2018, the Internet Corporation for Assigned Names and Numbers (“ICANN”) published for discussion the draft Framework Elements for a Unified Access Model for Continued Access to Full WHOIS Data. The Framework hopes to answer the question of how ICANN and its contracting parties can legally provide third parties with access to non-public data about the people and businesses behind registered domain names. That access, provided via ICANN’s WHOIS platform, is vital for intellectual property rights holders and trademark lawyers, not to mention law enforcement cybercrime investigations and countless others. The rub, however, is that the European Union’s General Data Protection Regulation imposes a number of limitations on data collection and access.
ICANN’s Framework hopes to navigate those limitations. The Framework proposes a tiered-access model, wherein prospective users must apply for accreditation from government bodies before gaining access to full WHOIS data, which includes personal, private data. The Framework leaves open for discussion whether accreditation should permit total access to WHOIS data, or whether the credentialed user should be given access to limited data fields pertaining to the user’s stated purpose. The Framework makes additional proposals towards responsible data management, such as requiring credentialed users and registrants to agree to specific codes of conduct that would limit data use based on their role.
Still, ICANN’s Framework faces an uphill battle. The Framework includes several tough-to-swallow proposals, and seeks cooperation from entities who have already expressed reluctance to participate. For example, ICANN wants registrars—those entities who manage the reservation of domain names for ICANN—to log every single WHOIS search and make those logs available to ICANN. The Framework also contemplates fees for accreditation and, thereafter, additional fees for access to private data. And ICANN wants members of the European Economic Area’s Governmental Advisory Committee to assist in the accreditation process. That Committee, however, already stated in March that it “does not envision an operational role in designing and implementing the proposed accreditation programs.”
Questions about ICANN’s Framework proposal are not the only challenges facing the organization’s WHOIS platform. On May 25, 2018, the day GDPR took effect, ICANN filed a legal action against one of its registrars in Germany. ICANN insisted the registrar was required to collect full, or “thick,” WHOIS data and transfer that data to a specified registry database. The registrar, however, argued that most of the data was unnecessarily duplicative and therefore the registrar would be violating GDPR’s requirement that it collect and process as little personal data as necessary. The German court rejected ICANN’s request for an order requiring the registrar to collect and transfer that data, although ICANN has several opportunities to appeal that decision.
ICANN faces pressure to manage the Internet’s domain names in a manner that allows businesses to defend their websites and law enforcement to investigate cybercrimes. It also must comply with the GDPR and responsibly manage the personal, private data with which it is entrusted. The proposed Framework works towards meeting those dual objectives, but must overcome several hurdles along the way.