Whois Clearing House: the ideal way to reconcile Whois and GDPR
Conflict between the Whois and the GDPR was the big issue discussed at ICANN 60 in Abu Dhabi (28 October – 4 November).
ICANN requires universal access to the Whois
Under their contracts with ICANN, registries and registrars are required to operate a Whois service that anyone can use. Any internet user has to be able to find out who a domain name's registrant is by looking in the Whois. The registrant's address, phone number and e-mail have to be available as well. All generic TLDs are expected to have Whois services that meet ICANN's rules. Country-code TLDs such as .nl don't operate under ICANN contracts and can therefore do things differently if they want.
Universal access to personal data goes against EU law
On the eve of the ICANN meeting, the Dutch Data Protection Authority (DPA) published a letter to the registry for Friesland's domain .frl, clearly setting out the legal situation. The DPA confirmed what has been recognised in Europe for a long time: unrestricted internet access to a Whois that contains all sorts of personal data relating to registrants is contrary to the EU's existing privacy rules and the new regulation that comes into force next year (the GDPR).
ICANN accepts that the Whois has to change
Following circulation of the DPA's letter, there has finally been a change of outlook within ICANN. European registries and registrars had long been pressing for a solution that would allow them to operate within local law. However, various predominantly US stakeholders had successfully frustrated all attempts at change. Now, however, the big US registries and registrars, and crucially even ICANN itself, are facing the risk of huge fines. The DPA's letter served to confirm that risk. As a result, ICANN has finally accepted that there is a problem, which can only be resolved by changing the Whois.
Ball is now in the ICANN community's court
Now the pressing question is just what form a solution should take. An answer has to come from the community itself. And that is likely to involve years of discussion. Fortunately, ICANN has already announced a system, under which registries and registrars will be allowed to depart from their contractual obligations in the meantime. The system's introduction has the added advantage of removing the onus to find a solution from the European players. It is now up to those who have traditionally favoured an open Whois to build consensus within ICANN as to the best way forward.
Solution must strike a balance between GDPR requirements and need for access
A more permanent solution will have to strike an appropriate balance between the requirements of the GDPR and the reasonable interest that many parties have in maintaining access to domain name registration data. Those parties include law enforcement agencies and stakeholders seeking to protect trademarks and IP rights, as well as internet security service providers and possibly others. While all such parties share an interest in data accessibility, they don't necessarily require access to the same data. Access could reasonably be tailored on the basis of need.
Whois Clearing House could be the answer
In my view, that points towards the creation of a Whois Clearing House: a central, ICANN-supervised body whose role would be the global regulation of access to registration data. The Clearing House would be responsible for the accreditation of parties seeking access, and for providing a technical system that ensures that each user receives only the information that they're authorised to view. A protocol capable of forming the basis for such a system already exists: RDAP. The real challenge would be defining a policy on the granting of access rights (who has access to what data). However, ICANN does have a body with the expertise required: the Registration Data Service (RDS). Working within the GDPR parameters, the RDS could certainly do the job.
SIDN is ready to help!
What's more, through its subsidiary Connectis, SIDN has a proven identity broker at its disposal, plus knowledge of and experience with RDAP. As a result, we are ideally qualified to facilitate the processing of Whois queries on the basis of whatever rules are ultimately agreed. But, let's not get ahead of ourselves. First we need that policy.