by Mark MacCarthy

ICANN’s Whois service faces GDPR compliance challenges

Jun 13, 2018

Legal uncertainties shutter previously accessible databases used to identify fraudsters, criminals, thieves and hackers.


The European Union’s General Data Protection Regulation went into effect on May 25. Daniel Solove spoke for many when he described it as the most comprehensive and nuanced data protection regime in the world, providing for “individual rights such as the right to access one’s data, the right to request restrictions on data use, the right to be forgotten, and the right to data portability.”

However, the interpretation of GDPR by European data protection officials in the case of the Whois databases has generated a genuine conflict with other important public values, including protecting the public from fraudsters, criminals, thieves and hackers. As Associate Deputy Attorney General Sujit Raman recently said, “if European data protection authorities interpret the GDPR such that public access to the WHOIS database is restricted or eliminated, public safety will suffer—including in Europe.”

The Whois service protects the public

The Internet Corporation for Assigned Names and Numbers (ICANN) maintains contracts with the registrars who hand out domain names to website operators, ensuring that names and addresses are unique and allowing for a single, interoperable Internet.

ICANN requires registrars to collect personal contact information from domain name registrants and make it publicly available through their Whois service. This information includes name, postal address, email address, and telephone number. Law enforcement officials, cybersecurity researchers, regulators, copyright and trademark owners, other businesses, and consumers freely consult these directories to protect themselves and the public from harms that might be committed by rogue website operators. 

At least, they did until now. In May 2018, to avoid the legal risk of violating GDPR, which can bring fines of up to 4% of global revenue, ICANN modified its contracts with registrars. They must continue to collect personal contact information as before, but they do not have to publish this information. They can make it available only to those who can establish a need to know.

ICANN’s own 2017 legal analysis raised the question whether collecting and publishing Whois personal information can be justified under Article 6 of the GDPR which requires a legal basis through consent, fulfillment of a contract, or legitimate interest.

In a 2017 letter to ICANN, the council of European data protection authorities (once called the Article 29 Working Party and now renamed the European Data Protection Board) said there was no legal basis for public access to the Whois databases.

In the past, registrars made consent to publication a condition of receiving a domain name, since otherwise rogue website operators would simply refuse to have their identities made public. But data protection authorities said this conditionality undermined consent as a legal basis for publication, saying “since this consent is a requirement for obtaining a domain name, it is not freely given.”

The data protection authorities also ruled that contracts couldn’t justify publication of the information, since registrants are not parties to the contracts between ICANN and the registrars that require publication.

Finally, the data protection authorities said that the legitimate third-party purposes served by the Whois service could be accomplished only by “layered access” which would give access solely to people who could prove a need to know. Complete public access, they said, violated Article 5’s minimization rule.

In a further legal analysis, ICANN’s outside counsel argued that layered access would not be “a realistic requirement to place on registrars.” But if the data protection authorities were right in their interpretation of GDPR, ICANN and offending registrars could face fines of up to 4% of revenue.

ICANN could, of course, challenge any complaint from data protection authorities in court. But European case law creates too much legal risk. On the one hand, the European Court of Justice’s March 2017 Manni judgment upheld public access to company registries. On the other hand, the Court’s 2014 right to be forgotten decision restricted public access to certain search results.

Despite its reservations, to avoid this legal risk, ICANN developed a temporary specification for an interim compliance system that adopted the layered access approach. It continues to require registrars to collect personal information and instructs them to provide an automated way to reach domain name holders, without revealing personal information like name or email address. Instead, it requires each registrar to determine in each individual case whether a party requesting access to personal information has a legitimate interest and whether that interest overrides the privacy interests of the registrant.

Needed access to Whois information under this interim system will be uncertain, subject to the idiosyncratic judgments of individual registrars. But European regulators rejected U.S. requests for a moratorium on enforcement until a better uniform system of compliance could be worked out.

On May 30, U.S. Secretary of Commerce Wilbur Ross weighed in, saying that difficulties in accessing Whois information “could stop law enforcement from ascertaining who is behind websites that propagate terrorist information, sponsor malicious botnets or steal IP addresses.”

The ICANN community is now working on developing a uniform access model

The uniform system would provide predictable access to non-public information to those with the requisite credentials and legitimate purpose. But there are serious challenges that could take up to a year to resolve.

In the end, a workable accommodation will be reached to satisfy important public interests in law enforcement, intellectual property protection, cybersecurity, and consumer protection while still allowing practical compliance with Europe’s new data protection rules. But, inevitably, the resulting system will be a clunky workaround.

This case raises larger questions about GDPR itself. Does it implicitly assume that data collection and analysis are intrinsically suspect activities, which can be allowed only in unusual circumstances that are exceptions from the general rule? If so, there has to be a better way to focus resources to protect people from real harms.