Summary: If the WHOIS database, ICANN’s domain name registration system, is to come into compliance with the GDPR, it may raise a host of concerns regarding the security of the internet.
- Concerns surround the compliance obligation of ICANN’s WHOIS database.
- Conflict arises because some of the data collected by the WHOIS database comes under the purview of the GDPR.
- The WHOIS database is accessed by several law enforcement agencies, which puts it in a spot when it comes to complying with EU regulation.
Article excerpts from my forthcoming book – 99 Articles on the GDPR
The GDPR has many organizations scrambling to prepare for the May 25th, 2018 deadline. However, one organization that has had conflicts with the GDPR simply based on its business model is ICANN’s domain name registration system, the WHOIS database. It’s an ongoing issue that has seen many proposals put forth but little resolution to date. Today, the White House has gotten involved, as an impasse would lead to a less secure internet and leave many interested parties in the lurch.
There are public and private interests at work when dealing with the GDPR and WHOIS. The database’s collection of contact information is often used by law enforcement for forensic purposes and by intellectual property rights owners to protect their trademarks. However, the current conflict between the European privacy legislation and the global WHOIS service for domain names arises because some of the contact information can be considered personal data under the GDPR. Specifically, ICANN has stated that a registrar or registry must publish WHOIS information to comply with the organization’s rules. Now the GDPR makes it a violation of European regulation if that same information comes into the public domain.
WHOIS is essential for law enforcement, consumer protection agencies, brand and intellectual property advocates, lawyers, and cybersecurity experts looking to protect citizens. It’s about knowing and managing the correct data on the internet. If some of the contact information must be hidden, bad actors may be able to conceal their true identity while carrying out malicious acts.
While several models have been set forth, a solution seems to be months behind schedule. There are estimates that ICANN will not come into compliance until 2019, which is well after the May 25th, 2018 deadline. However, there are specific domain registrars such as .fr in the EU that have taken compliance into their own hands. For the time being, it’s essential that ICANN balance the need to continue to create trust on the internet while also coming into compliance with the GDPR. If this cannot be achieved, the GDPR may end up being a basis for unlawfulness, which is far from its stated goal.