When the European Union General Data Protection Regulation (GDPR) comes into force on May 25, 2018, what will happen to currently-available domain registration data in WHOIS? The GDPR restricts how personal data about natural persons residing in the European Union can be collected, used and transferred, and it defines “personal data” very broadly.

Today, anyone can use WHOIS to look up the name, mailing address, phone and fax numbers, and email address for the registered owners or assignees of domain names or IP address blocks. Those details are personal data to the extent that they can be connected to an individual. WHOIS data is used by intellectual property owners and attorneys, security researchers, journalists, consumers and consumer protection agencies, and law enforcement authorities, among others.

On March 26, ICANN (the Internet Corporation for Assigned Names and Numbers) asked the European data protection authorities (“Article 29 Working Party”) for guidance on how to reconcile WHOIS information with the GDPR. Specifically, ICANN asked whether the Working Party would: (a) allow ICANN to implement an interim compliance model with tiered access to data and an accreditation program and (b) provide a moratorium on enforcement of the GDPR against WHOIS until a more permanent solution could be implemented.

On April 11, the Article 29 Working Party notified ICANN that, paraphrasing Captain Barbossa, it was disinclined to acquiesce to this request (i.e., no), at least with respect to blessing the interim compliance model. The response didn’t directly address the request for a moratorium. Separately, the Article 29 Working Party invited ICANN to meet for further discussions on April 23, barely a month before the GDPR goes into effect.

It’s hard to imagine how ICANN and the registrars who maintain the data can meet the GDPR requirements by May 25 without (Read more...)