Those plans are likely to be drafted by the internet’s global domain name organisation, the Internet Corporation for Assigned Names and Numbers (ICANN), after the European Data Protection Board (EDPB) effectively said it needs to go back to the drawing board to make its rules around the collection and use of WHOIS data compliant with the General Data Protection Regulation (GDPR).
The WHOIS system
Information that serves to identify the people behind domain name registrations is published on the WHOIS system, a series of online databases. The data is useful for a range of purposes necessary for the operation of the internet, but is also used by law enforcement agencies and by IP owners seeking to enforce their IP rights.
The ICANN WHOIS database has proven to be an essential tool for trade mark and copyright owners when enforcing their rights online. It is often the first port of call when clients report that they have discovered a website offering counterfeit goods which infringe their trade mark rights, or sites which provide unauthorised access to their copyright protected works. The WHOIS database enables rights holders to quickly and effectively determine the identities of the persons behind these sites.
WHOIS data and the GDPR
Information identifying individual persons behind websites is personal data and subject to data protection laws. In the EU, the data protection regime was recently updated when the GDPR came into effect.
The new rules and stiffer sanctions regime now in operation have prompted many domain name registrars to take a conservative approach to the collection of information from those registering web addresses with them. The change in approach has not been welcomed by ICANN. It has sought guidance from EU data protection authorities on the issue.
The topic was also recently considered by a court in Germany after ICANN attempted to enforce the terms of its contractual agreement with a domain name registrar in the country over the type of information it should collect.
In that case, domain name registrar EPAG Domainservices successfully fought off a bid from ICANN to force it to collect the personal data of technical and administrative contacts of organisations that register domain names with it. The Regional Court of Bonn ruled that ICANN had failed to show that the collection of the contact information was necessary, as required by the GDPR. EPAG already collects the domain name holder's contact data. ICANN has said it will appeal the Bonn court's ruling.
The EDPB's letter
On 5 July, the EDPB responded to ICANN's call for more guidance on how the GDPR should be interpreted in relation to the WHOIS system. The EDPB is a body made up of representatives from national data protection authorities from across the EU as well as the European data protection supervisor.
The EDPB's letter to ICANN (8-page / 737KB PDF) sets out a clear position on a number of queries that had been raised by ICANN. The watchdog said:
ICANN needs to define its specified purposes and lawful basis for processing personal data and should not conflate this with the legitimate interests and purposes of third parties who may subsequently seek access to the data;
that there is no basis for ICANN to insist upon the provision of additional information on administrative and technical contacts from registrants;
that the fact that registrants may be legal persons does not take WHOIS outside the scope of GDPR where ICANN is processing personal data relating to individuals within those organisations, and therefore the personal data of such individuals should not be made publically available by default;
that ICANN is required to log access to personal data, but does not necessarily need to actively communicate (push) this log information to registrants or third parties;
that ICANN has failed to justify why it is necessary to retain personal data for two years post the expiry of the domain name registration, and;
that codes of conduct or certificates of accreditation are voluntary and cannot serve to delay or replace compliance with controller obligations.
The need for ICANN to move away from its model of unlimited publication of the contact details of domain name registrants has been on the cards for quite a while. The EDPB noted when commenting on its letter that its predecessor, the Article 29 Working Party, has been offering guidance to ICANN on how to bring the database into compliance with EU data protection law since 2003.
The enhanced protections afforded to data subjects by GDPR, including increased transparency obligations, have now brought this issue to a head and the EDPB letter is clear in its message that ICANN needs to go back to the drawing board to come up with a GDPR compliant solution.
The EDPB has confirmed in its letter to ICANN that personal data that is processed in the context of WHOIS may be made available to third parties who have a legitimate interest in accessing the data, provided those interests are not overridden by the interests or fundamental rights and freedoms of the data subject, and provided safeguards are put in place to ensure that disclosure is proportionate and limited to what is necessary.
The EDPB also confirmed that ICANN must keep a log of all persons accessing non-public personal data processed in the context of WHOIS. However, this will not necessarily mean that ICANN must actively notify the data subjects concerned that their information has been accessed, and by whom, although data access requests from registrants will have to be accommodated. This clarification will be welcomed by rights holders who wish to carry out a WHOIS search to find out who is behind an infringing site, without notifying the infringer before they have an opportunity to issue a letter before action.
ICANN still has work to do in order to come up with a solution that allows legitimate stakeholders to gain access to personal data concerning registrants but also contains appropriate safeguards, including measures to ensure a sufficient degree of GDPR compliance.
Rights holders may take comfort from the EDPB's confirmation that legitimate stakeholders may still gain access to WHOIS data, and that registrants will not necessarily have to be immediately informed when they do so. However, it is likely that any new model will involve more time, effort and expense for right holders seeking access to such information, which up to now has been freely and readily available to them.
Comment