GDPR And The Future of WHOIS Data

With the European Union’s General Data Protection Regulation (“GDPR”) set to go into effect on May 25, 2018, many questions remain as to what entities that control and process data from EU citizens must do to comply. One such issue is the ongoing effort by the Internet Corporation for Assigned Names and Numbers (“ICANN”) to ensure that the WHOIS service (an online database of identity and contact information for registrants of web domains) complies with GDPR.

Currently, domain name registrars are required to collect identity and contact information for individuals and entities (called “registrants”) that register domain names. Registries and registrars are required by their contracts with ICANN to make this information public through the WHOIS service, a searchable database that is frequently used by brand owners, lawyers, and cybersecurity researchers to identify and communicate with domain name owners who are believed to be involved in intellectual property infringement, malware distribution, and other bad acts.  WHOIS information can also be useful for consumers trying to identify websites that traffic in fake news or scammers who purvey non-genuine goods.

GDPR, by regulating the use and availability of the personal information collected by domain name registrars, will likely affect access to WHOIS data at least in the short term. ICANN has received legal opinions suggesting that the current model of full public availability of registrant identity and contact information would not comply with GDPR. For example, while consent is a valid legal ground for processing data under GDPR, the new requirements for consent (which this blog has reported on previously) mean that the consents included in the contracts between registrars and registrants are unlikely to comply with GDPR.

While the details are very much in flux, ICANN is developing an interim model to ensure compliance that would likely involve a “tiered-access” system, under which a great deal of personal information will be unavailable to the public, while certain third parties (such as law enforcement or others able to show a “legitimate interest” under GDPR) who receive accreditation will be allowed access to full WHOIS. The current version of ICANN’s interim model for compliance with GDPR was published on March 8, 2018 and can be found here.

With fewer than 60 days until implementation of GDPR, ICANN’s interim model leaves open substantial questions concerning the future availability of WHOIS data, including the following:

  • The interim model would allow registrars to apply the new restrictions in GDPR “without regard to the location of the registrant,” thus potentially affecting the ability to identify and communicate with domain name registrants in the United States using United States-based registrars.
  • The current ICANN model proposes making public an “anonymized” email address, which could be used to contact the registrant, but would make it more difficult to search for other domain names owned by the same registrant (called a “reverse WHOIS” search). This ability is currently an important tool for brand owners and cybersecurity researchers.

Beyond the difficulties in identifying what WHOIS must look like to comply with GDPR, ICANN is highly unlikely to implement the type of accreditation system envisioned by its interim model before the May 25 deadline. It remains unclear to what extent ICANN could provide a workaround prior to the new model being ready, but the result could be an indefinite “blackout” of WHOIS data by registrars who fear the substantial fines under GDPR.

Most recently, ICANN reached out to European Data Protection Authorities by letter seeking guidance on ICANN’s current compliance efforts, and alluded to the possibility that the DPAs could “continue to provide support to companies along the path to compliance beyond the GDPR effective date if the company has an established plan of action.” As it stands, however, brand owners, lawyers, and anyone else who relies on access to WHOIS data should pay close attention to this rapidly evolving situation.

Copyright © by Ballard Spahr LLP


About this Author

Tyler Marandola Intellectual Property Lawyer Ballard Spahr
Attorney

Tyler Marandola is a member of the Intellectual Property Litigation Group. He prosecutes and defends cases involving patents, copyrights, trademarks, licensing, unfair competition, and other commercial disputes. Tyler has experience in the areas of pharmaceutical and medical device patent litigation, as well as experience in transactional work and patent counseling and licensing, including within the biotech, mechanical, and telecommunication fields.

215-864-8628
Philip Yannella, Ballard Spahr Law Firm, Philadelphia, Data Security Attorney
Partner

As Co-Practice Leader of Ballard’s Privacy and Data Security Group, and Practice Leader of the firm’s E-Discovery and Data Management Group, Philip N. Yannella provides clients with 360-degree advice on the transfer, storage, and use of digital information.

Mr. Yannella regularly advises clients on the Stored Communications Act (SCA), Computer Fraud and Abuse Act (CFAA), EU-US Privacy Shield, General Data Protection Regulation (GDPR), Defense of Trade Secrets Act, PCI-DSS, Telephone Consumer Protection Act (TCPA), New York Department of Financial Services Cybersecurity Regulations, ISO 27001 compliance, HIPAA Security Rules, and FTC enforcement activity, as well as eDiscovery issues—leveraging his experience serving as National Discovery Counsel for more than two dozen companies in nationwide litigation. He harnesses his deep knowledge of privacy, data security, and information governance laws to help multinational companies develop global information governance programs to comply with overlapping, and sometimes conflicting, laws. Mr. Yannella serves on the advisory board for the ACC Foundation’s Cybersecurity Survey, the largest survey of in-house counsel on cybersecurity issues.

215-864-8180