Why does all of the discussion around potential options for WHOIS in the era of the EU’s GDPR (General Data Protection Regulation) feel like déjà vu?

Is it because issues around WHOIS never really go away, and become a hot topic every few years?

Is it because no one is really happy with the current system? Privacy advocates would be delighted to do away with it altogether, while business and Intellectual Property professionals press for improvements to accuracy and availability, which I fully support.

Is it because the notion of tiered-access was first socialized back in 2013 by the Expert Working Group on gTLD Directory Services when they proposed “a new system in which gTLD registration data is collected, validated and disclosed for permissible purposes only, with some data elements being accessible only to authenticated requestors that are then held accountable for appropriate use.”

At that time, the idea of completely overhauling the existing WHOIS system seemed like a monumental task—one that would be complex and time-consuming. Case-in-point, Verisign’s move to Thick WHOIS which was directed by the ICANN Board of Directors in early 2014 is still in process.

Yet here we are, just eight months away from when the EU’s GDPR will take effect, and it seems as though no one really knows how it will impact WHOIS. For thin registries, will European registrars (or those with European registrants) simply stop making WHOIS info available, or will they provide limited WHOIS information? Or will privacy/proxy become the standard? Will ICANN require European registries (or those with registrants in the EU) to complete an RSEP (Registry Service Evaluation Process) so that they can comply with the new regulation? Will the requirements for making WHOIS available change for every registrar and registry, not just those in the EU? Will registrars and registries have enough time to implement these changes? What kind of guidance will ICANN provide? The list of questions I could pose could easily go on, and the more I think about it, the more concerned I become.

All that said, there is no question that the upcoming rollout of the GDPR represents the most significant change to privacy policy in decades, yet it’s increasingly clear that the impact to publicly available WHOIS data is up in the air with just eight months to go. Fortunately, there is some time left, and I am hopeful that the ICANN community can work together at the upcoming meeting in Abu Dhabi to quickly identify a path forward. We really have no other option - time waits for no one, not even ICANN.