The application of the European General Data Protection Regulation (GDPR) to the DNS is a hot topic within the ICANN community. However, since the implementation of the GDPR on May 25th, 2018, there has been little public data on: How many WHOIS data requests have been made at the registry level, and; How the registries are handling them.

To further the factual and evidence-based discussion within the ICANN community, we gathered quantitative data about WHOIS access post-GDPR, by surveying the geoTLD registries. As these registries operate under the authority of their respective governments, geoTLDs have a particular responsibility to the public interest of their target communities, including in respect of data protection.

Participants

39 geoTLD Registries from around the globe participated in the survey. 25 out of the 39 participants are geoTLD Registries within the European Union (EU); 14 are from the rest of the world. The participating geoTLD Registries represent over 600,000 domain registrations.

The survey was performed with SurveyMonkey.com. Answers were collected between 15 Aug and 04 Oct 2018.

Findings

The GDPR has been in effect for several months, but little information has been published on its operation at the registry and registrar level. Unfortunately, this has opened up space for speculation and even “alternative facts” being used to incorrectly influence ICANN, governments and other community members in their decision-making. This study aims to provide data-driven evidence of how GDPR is working in practice, in order to ground the debate at ICANN in facts, not hypotheticals.

Overall, our findings are that while EU-based geo TLD registries take GDPR seriously and have enacted measures to protect citizens’ personal data, the number of requests to access the data is vanishingly small, and these requests are being dealt with efficiently. This study of the geoTLD registries shows there is no evidence-based need for a universal access model, based on how GDPR is working in practice.

The survey results can be summarized as follows:

• All EU-based geoTLD registries have implemented operational measures to limit the publication of registrant data by the WHOIS, in-line with national legislation.
• Almost all EU-based geoTLD Registries have implemented measures to allow for access to unpublished registrant data by legitimate interests.
• Although the geoTLD registries account for over 600,000 registrations, less than 50 WHOIS data access requests have been received so far.
• The vast majority of requests was dealt with in a response time of 1 – 2 days. Only one request waited for 7 days.
• The majority of geoTLD registries have received no requests for WHOIS data access since 25 May 2018; 76% of EU geoTLDs received no access requests, and 79% of the non-EU geoTLDs received none.
• Of the geoTLDs that received access requests, most received fewer than ten requests. Four registries received fewer than 10 requests and two received more than 10 requests, but less than 20 each.
• A majority of EU-based geoTLD registries (60%) consulted with their local ccTLD to harmonise their WHOIS publication and access with the ccTLD practices, while non-EU geoTLD mostly (17%) have not.
• Across all requests, over 50% were legitimate. They came in equal parts from law enforcement, right holders, lawyers, registrants and other parties.

More Details

More details on the list of questions asked and answers received, with separate recognition of EU-based geoTLD Registries and the of participating geoTLDs Registries can be found here.

CENTR, the association of European country code top-level domain (ccTLD) registries has also issued a survey which can be found here.