The EU General Data Protection Regulation will soon take effect, and with it comes a lot of curiosity about how enforcement will play out. While it's anyone’s guess as to how regulators across Europe will begin verifying compliance, anxiety is growing in one specific area, particularly among those who rely on an open WHOIS database.
For the last 20 years, an open WHOIS system has served as the phone book of the internet, tying domain names to their corresponding data points, specifically the names and contact information of the domain owners. And for nearly as long, there has been a polarizing debate: While some argue public access to domain registrant information online allows for a safer internet, there is an equally forceful voice arguing that greater privacy protections are needed to protect personally identifiable information.
With the GDPR looming, the Internet Corporation for Assigned Names and Numbers, the organization in charge of managing the internet’s Domain Name System, has been involved in an overhaul of WHOIS.
Just last week, ICANN’s board of directors elected to use its authority to enact an emergency temporary specification and adopted a previously proposed so-called "Calzone model," with only minor adjustments. Under the new requirements, the WHOIS database will no longer publicly publish all registrant information and instead, only limited public information will be made available.
NeuStar Deputy General Counsel and Chief Privacy Officer Becky Burr, CIPP/US, who is also an ICANN board member but not speaking on their behalf, said, “What the temporary specification achieved was maintaining across the board access to that information, even if it’s not publicly available in that form. Over time, we hope we will get clarification from the data protection authorities about what kind of uses are considered legitimate and proportionate which will allow us to remove some open questions and things will smooth out. The DPAs have made it clear that the open, public WHOIS system does not meet the specification of the GDPR. The new process will remove personal data from the open WHOIS search, making it accessible to those with a legitimate and proportionate interest on a case-by-case basis.”
For those who rely on an open WHOIS database, particularly those in the intellectual property community, the thought of losing the publicly available registrant information presents real concern.
Paul McGrady, partner at Winston & Strawn, said, “Those entries weren’t always accurate and there was a lot of work being done in the ICANN community to make those entries more accurate, but at least there was a requirement to have the phone book entry, which we call the WHOIS record: Who is the owner of that domain?”
An open database of registrar and registrant information proved critical for trademark protection. Limiting WHOIS in any capacity raises real concern for members of the intellectual property community.
McGrady said, “The basic information about who you’re doing business with is very important for consumer protection. ICANN is way behind on creating an accreditation program to access that underlying WHOIS information and as a result, I think that will slow down enforcement, embolden infringers, counterfeiters and criminals. I think it will be a field day for people interested in nefarious activities until ICANN can get it figured out. They are so behind, that they may not be able to get it done, we may have to go to our individual legislators to get a solution passed.”
For nearly its whole existence, ICANN has had various groups working to develop a policy on privacy. That work began with a back and forth over how to comply with the European Data Protection Directive when it came about in the 1990s, but nothing materialized in terms of limitations on what was publicly available through WHOIS. Now, the GDPR’s fines for noncompliance carry an incentive and effectively change the discussion from compromise to compliance.
While those in the intellectual property community may be lamenting the restrictions to the WHOIS database, Stephanie Perrin, president of Digital Discretion and member of ICANN Expert Working Group, said, “They’ve had plenty of time. Substantively, the requirements under the Data Protection Directive are quite similar, so there is really no excuse for not paying attention until now.”
Perrin said, “This is not a new issue, the fight over WHOIS has gone on at ICANN for the past 18 years,” adding, “It’s always been an argument between civil liberties groups who want privacy, the registers who want a limitation on cost and the intellectual property constituency who want protection for trademarks and copyright enforcement.”
Perrin added, “What is new is that now there are enhanced powers under the European law, and that does expose ICANN and its contracted parties to greater risk — somebody might complain and demand enforcement.”
When asked why it took so long for a WHOIS solution to materialize, Perrin said, "I think it's brinkmanship. I think the business community thought ICANN would continue to back them and tell the registrars to take their chances because that’s what has happened in the past."
While ICANN’s board only approved the measure days before the GDPR takes effect, Burr said, “Once it was clear that the WHOIS provisions of the contract couldn’t be reconciled with GDPR, as it was coming to be understood, then the contracted parties had to comply with applicable law. Some stakeholders took the position that contractors should have taken more risk with regards to GDPR compliance than those who face the risk thought was appropriate.”
Without the threat of fines, there had been very little incentive to compromise on this issue.
Lori Schulman, senior director of internet policy at INTA, said, “The one thing I’ve learned 100 percent is how little communication there probably is between trademark counsel and privacy professionals within their organization." She added, “We are learning on the trademark side that it is important to reach out to privacy professionals and talk to each other. There are some key issues of overlap.”
Despite the ongoing dialogue of privacy concerns over the past decade, Schulman said, “I think this issue, although we knew it was coming, caught us off guard in terms of how critical it was to be in contact with the DPAs. I think we needed to get on this a while ago, but in our world, we are used to working with intellectual property offices, with the commission, with the ICANN, and so this whole area of DPA is new territory. It’s been a learning experience, because they look at things very differently.”
While ICANN had been working with the DPAs to get answers and clarification, Burr explained it was very hard to reconcile the conflicting advice of the Governmental Advisory Committee, which ICANN is obligated to take into consideration, and the DPAs.
Burr said, “We were getting conflicting signals. ICANN was trying hard for clarification from the Article 29 Working Party. ICANN received some clarification, but not all of the clarification it needed, and so things were really pushed to the last minute. For the most part, the expectation is that come morning on May 26 people will be in compliance with Calzone.”
Schulman called this a “critical flexion point" for trademark and brand enforcement generally. “To the effect that the DPAs may or may not start enforcing against ICANN and against registries, we will still need to build awareness more generally that there are legitimate proportionate purposes for accessing what would otherwise be nonpublished information, like an email address.”
“The data commissioners have been writing to ICANN since 2000. It's a long history of ICANN not paying attention, but now there is a mad scramble to comply with GDPR, and they have been seeking the opinions of the DPAs,” Perrin said. “You can’t point back to the historical WHOIS and say it’s always been this way. We have grown up beyond WHOIS and we’re certainly not trying to stop legitimate public safety investigations and legitimate intellectual property investigation issues. We have mechanisms to make this work better — let’s not have the default of a wide-open WHOIS."
This article was updated on May 30 to reflect that Becky Burr is an ICANN board member.