The European Union’s General Data Protection Regulation went into effect on May 25. Daniel Solove spoke for many when he described it as the most comprehensive and nuanced data protection regime in the world, providing for “individual rights such as the right to access one’s data, the right to request restrictions on data use, the right to be forgotten, and the right to data portability.”

However, the interpretation of GDPR by European data protection officials in the case of the Whois databases has generated a genuine conflict with other important public values, including protecting the public from fraudsters, criminals, thieves and hackers. As Associate Deputy Attorney General Sujit Raman recently said, “if European data protection authorities interpret the GDPR such that public access to the WHOIS database is restricted or eliminated, public safety will suffer—including in Europe.”

The Whois service protects the public

The Internet Corporation for Assigned Names and Numbers (ICANN) maintains contracts with the registrars who hand out domain names like www.ibm.com to website operators to ensure that names and addresses are unique, allowing for a single, interoperable Internet.

ICANN requires registrars to collect personal contact information from domain name registrants and make it publicly available through their Whois service. This information includes name, postal address, email address, and telephone number. Law enforcement officials, cybersecurity researchers, regulators, copyright and trademark owners, other businesses, and consumers freely consult these directories to protect themselves and the public from harms that might be committed by rogue website operators.

At least, they did until now. In May 2018, to avoid the legal risk of violating GDPR, which can bring fines of up to 4% of global revenue, ICANN modified its contracts with registrars.
They must continue to collect personal contact information as before, but they do not have to publish this information. They can make it available only to those who can establish a need to know.

Public access to the Whois service creates legal risk

ICANN’s own 2017 legal analysis raised the question of whether collecting and publishing Whois personal information can be justified under Article 6 of the GDPR, which requires a legal basis through consent, fulfillment of a contract, or legitimate interest.

In a 2017 letter to ICANN, the council of European data protection authorities (once called the Article 29 Working Party and now renamed the European Data Protection Board) said there was no legal basis for public access to the Whois databases.

In the past, registrars made consent to publication a condition of receiving a domain name, since otherwise rogue website operators would simply refuse to have their identities made public. But data protection authorities said this conditionality undermined consent as a legal basis for publication, saying “since this consent is a requirement for obtaining a domain name, it is not freely given.”

The data protection authorities also ruled that contracts couldn’t justify publication of the information, since registrants are not parties to the contracts between ICANN and the registrars that require publication.

Finally, the data protection authorities said that the legitimate third-party purposes served by the Whois service could be accomplished only by “layered access” which would give access solely to people who could prove a need to know.
Complete public access, they said, violated Article 5’s minimization rule.

In a further legal analysis ICANN’s outside counsel argued that layered access would not be “a realistic requirement to place on registrars.” But if the data protection authorities were right in their interpretation of GDPR, ICANN and offending registrars could face fines of up to 4% of revenue.

To avoid legal risk, ICANN reduced access to the Whois service

ICANN could, of course, challenge any complaint from data protection authorities in court. But European case law creates too much legal risk. On the one hand, the European Court of Justice’s March 2017 Manni judgment upheld public access to company registries. On the other hand, the Court’s 2014 right to be forgotten decision restricted public access to certain search results.

Despite its reservations, to avoid this legal risk, ICANN developed a temporary specification for an interim compliance system that adopted the layered access approach. It continues to require registrars to collect personal information and instructs them to provide an automated way to reach domain name holders, without revealing personal information like name or email address. Instead, it requires each registrar to determine in each individual case whether a party requesting access to personal information has a legitimate interest and whether that interest overrides the privacy interests of the registrant.

Needed access to Whois information under this interim system will be uncertain, subject to the idiosyncratic judgments of individual registrars. But European regulators rejected U.S. requests for a moratorium on enforcement until a better uniform system of compliance could be worked out.

On May 30, U.S.
Secretary of Commerce Wilbur Ross weighed in, saying that difficulties in accessing Whois information “could stop law enforcement from ascertaining who is behind websites that propagate terrorist information, sponsor malicious botnets or steal IP addresses.”

The ICANN community is now working on developing a uniform access model

The uniform system would provide predictable access to non-public information to those with the requisite credentials and legitimate purpose. But there are serious challenges that could take up to a year to resolve.

In the end, a workable accommodation will be reached to satisfy important public interests in law enforcement, intellectual property protection, cybersecurity, and consumer protection while still allowing practical compliance with Europe’s new data protection rules. But, inevitably, the resulting system will be a clunky workaround.

This case raises larger questions about GDPR itself. Does it implicitly assume that data collection and analysis are intrinsically suspect activities, which can be allowed only in unusual circumstances that are exceptions from the general rule? If so, there has to be a better way to focus resources to protect people from real harms.