On May 25, 2018, the European General Data Protection Regulation (GDPR) came into effect, meaning that European data protection authorities (DPAs) can begin enforcing the regulation against non-compliant parties.

In preparation, the ICANN Board passed a Temporary Specification for gTLD Registration Data—essentially a temporary policy amendment to its registrar and registry contracts to facilitate GDPR compliance while also preserving certain aspects of the WHOIS system of domain name registration data. Unfortunately, the Temporary Specification permits registrars and registries to significantly reduce publicly-accessible WHOIS data, and does not include a mandatory minimum uniform mechanism for access to non-public WHOIS data for legitimate purposes (such as law enforcement, cybersecurity, or intellectual property rights protection).

The Temporary Specification merely states the following in connection with access to non-public data:

Contracted parties must provide reasonable access to personal data in registration data to third parties (1) on the basis of a legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the registrant; or (2) where the Article 29 Working Party/European Data Protection Board, court order of a relevant court of competent jurisdiction concerning the GDPR, applicable legislation or regulation has provided guidance that the provision of specified non-public elements of Registration Data to a specified class of third party for a specified purpose is lawful.

See ICANN, Temporary Specification for gTLD Registration Data, Appendix A, Section 4 (May 25, 2018) (the “Temporary Specification”).

Reported Challenges

In light of the limited DPA or jurisprudential guidance concerning the legitimacy of providing any non-public WHOIS data to any class of third party, third parties are dependent on ad hoc determinations as to whether their legitimate interests are outweighed by privacy rights in any given case. While certain contracted parties appear to be providing limited guidance as to what information they require in order to respond favorably to a data access request (of course with no guarantee of success), the vast majority have not provided any such guidance, and all decisions are made on a case-by-case basis with no transparent or predictable criteria.

This problem is not limited to registration authorities based in Europe. It is already being observed throughout the world, including in the United States. In at least one case, a California-based registrar declined a data access request related to a specific intellectual property rights enforcement effort, stating that it “would provide no WHOIS data” at all while failing to provide any rationale for its decision. According to anecdotal reports, the same registrar also has refused to provide a mechanism for contacting their registrants in connection with legitimate purposes, including domain name acquisition inquiries, even though the Temporary Specification requires either an anonymized registrant email address or web form to facilitate registrant contact. See Temporary Specification, Appendix A, Section 2.5.1 (“Registrar MUST provide an email address or a web form to facilitate email communication with the relevant contact, but MUST NOT identify the contact email address or the contact itself.”).

Further complexity has been added to this problem through an unclear and disparate delineation between registration data that is masked because of a proxy registration service, versus registration data made non-public in response to GDPR. Certain registrars have traditionally treated the former category of data as sacrosanct short of a subpoena or court order. To that end, another registrar reportedly declined to provide registrant contact information in response to a request precipitated by a phishing attack perpetrated using the relevant domain name. It is unclear on what basis the registrar declined to provide critical registration data in light of a well-founded and immediate need. Ironically, consumers are more exposed to theft of their personally identifiable information through domain-based phishing attacks that are now taking much longer to resolve.

Furthermore, it appears that some contracted parties are not even complying with the Temporary Specification, even where it mandates that certain registration data be provided in certain specific contexts. For example, anecdotal reports have already been made about a certain EU-based registrar that was asked by a UDRP provider to confirm the underlying registration data in connection with a UDRP proceeding, where the registrar refused to provide the full data, despite the applicable requirements in the UDRP (an ICANN Consensus Policy), UDRP Rules, and Temporary Specification and other relevant and binding provisions in the registrar’s accreditation agreement with ICANN. See, e.g., Temporary Specification, Appendix E, Section 1.1 (“The Registrar MUST provide the UDRP provider with the full Registration Data for each of the specified domain names, upon the UDRP provider notifying the Registrar of the existence of a complaint, or participate in another mechanism to provide the full Registration Data to the Provider as specified by ICANN.”).

At a higher level, at least one major global company has already estimated that its ability to effectively enforce their trademark rights against infringing domain names may drop by 24% in the wake of the GDPR effective date and adoption of ICANN’s Temporary Specification.

Conclusion and Next Steps

Although it remains early days, the impact of GDPR on the WHOIS system is already being felt by legitimate parties who rely on WHOIS data to protect Internet users from harmful activity. Anecdotal reports are already starting to pour in identifying specific challenges presented by the current fragmented and unpredictable state of WHOIS services.

This is clearly unacceptable. ICANN has been entrusted with the oversight of the domain name system, and, specifically, preserving the security and stability of the Internet. By not including an accreditation model for legitimate purposes, ICANN has destabilized the industry and contributed to the ensuing chaos. ICANN must step in without further delay to lay down a harmonized framework for credentialed access to non-public WHOIS data for specific pre-determined legitimate purposes. ICANN must also bring the full contractual compliance weight, mediation, arbitration and even litigation to bear in order to enforce not only the Temporary Specification, but also the same harmonized framework. In the meantime, businesses, brand owners, cybersecurity professionals, law enforcement and government agents, and others who rely on WHOIS to conduct their vital anti-abuse and consumer protection activities in the public interest should continue to document the harms and challenges caused by the current state of the broken WHOIS system.