The protection of personal information has become increasingly important in recent years. Concepts such as big data, data mining and profiling have taken a prominent place in today’s digital environment. The internet’s naming system forms an important part of this environment and personal data in relation to domain names is collected, disclosed, retrieved and transferred on a daily basis. The main share of the processing activity revolves around the WHOIS public directories, a series of databases managed by registrars and registries containing information related to registered domain names. This information includes the identification and contact information of registrants, such as names, email addresses, phone numbers, physical addresses, and administrative and technical contacts. The protection of this personal data has been a major point of interest recently.
The European Union’s (EU) General Data Protection Regulation 2016/679 (GDPR) occupies the centre of the data protection debate. It is scheduled to come into effect on 25 May 2018. Over the course of the last year, companies and organisations have struggled to bring their activities into compliance with the GDPR. At the time of writing, this deadline is approaching fast and efforts to improve the protection of personal data have greatly accelerated. Because of the extensive territorial reach of the GDPR, compliance efforts are not limited to European entities, but also concern many organisations and companies based in other countries, such as registrars, registries and the Internet Corporation for Assigned Names and Numbers (ICANN), which is responsible for coordinating and administering the Internet’s Domain Name System.
The EU General Data Protection Regulation
In order to enhance and harmonise the protection of personal data, the EU adopted the GDPR on 27 April 2016. The Regulation prescribes specific rules that entities must comply with when processing personal data. While processing is understood in the broadest sense, meaning literally any operation performed on the data, personal data only entails information relating to an identified or identifiable natural person. As a result, information on companies, organisations or other legal entities is excluded from the scope of the Regulation. Processing activities can include, among others, the collection, storage and consultation of contact information (such as names and email addresses) for communication and verification purposes; the collection and disclosure of payment information for the conclusion of a contract; and the transfer of employee information to a parent company.
The territorial reach of the GDPR is extensive. It applies not only to entities established in the European Economic Area (EEA) processing personal data in the context of that establishment, but also to persons, companies or organisations established in other countries processing data of EU citizens in order to offer them goods or services, or to monitor their behaviour within the EU. The adoption of these twofold criteria to determine the territorial scope means that the offering of domain name registration services to EU citizens by a registrar or registry established outside the EU is an activity for which the GDPR may apply. The fact that services are merely accessible to EU citizens is not sufficient. A provider must target EU citizens through its website or otherwise. Targeting may be established through a combination of a variety of factors, such as language preferences, currency, telephone numbers and use of EU ccTLDs. The question of targeting is therefore determined on a case-by-case basis.
The GDPR differentiates between data controllers, who decide on the purpose and means of the processing, and data processors, who only process data for and on the instruction of the data controller. While the data processor has several obligations related to security, the processing contract, technical and organisational measures etc, the controller remains ultimately responsible for the processing activity. In the context of domain name registration, it can be determined that registrars and registries, as well as ICANN, each process personal registrant information for their own purposes, as the parties have a different impact over distinct parts of the processing. Because registrars and registries often require or use additional information apart from their contractual obligations towards ICANN, the different parties in the domain name registration chain may be considered joint controllers. As a result, the GDPR requires that an arrangement within the existing contractual framework must be adopted, setting out the respective roles and obligations of ICANN and the contracting parties in relation to the processing.
For the processing activity to be legitimate, it must comply with six principles laid down in article 5 of the GDPR.
First, the processing must be lawful and fair, meaning that a legitimate basis is required and that the data subject must be properly informed in a transparent way. A legitimate basis for processing can either be the data subject’s consent; the necessity to perform or enter into a contract; the necessity to comply with a legal obligation; the necessity to perform a task carried out in the public interest or to exercise official authority; the necessity to protect the vital interest of the data subject or of another person; or to fulfil a legitimate interest of the data controller which outweighs the data protection interests and rights of the data subject. While this last motivation does not provide for a ‘last resort’ justification, it can be applied in cases where, for example, the processing is carried out for a wider public interest, in line with the legitimate expectations of the data subject and with sufficient safeguards to protect his or her interests.
Second, the processing activity must also be conducted for specific legitimate purposes and cannot be further performed in a manner incompatible with these purposes. Accordingly, a registrar cannot process the contact data of its registrants for direct marketing purposes if the initial purpose was limited to technical or administrative communication related to the registered domain names.
Third, in accordance with the principle of data minimisation, processing must be relevant and limited to what is necessary for the specified purposes. This means that for the purpose of email communication, for example, a controller should not request and collect phone numbers or physical addresses if no telephone or written communication was necessary and specified.
Fourth, due account must be taken of the accuracy of the personal data and that, where necessary, it is kept up to date. As a result of this accuracy principle, personal data which is inaccurate should be erased or rectified without delay. While the inaccuracy of registration information has always been a debated issue, registrars are generally required to verify certain data fields, such as the registrant’s email address or phone number, and they should respond promptly to rectification requests.
Fifth, the retention period of the personal data must be limited to what is necessary for the specific purposes. This principle of storage limitation prevents certain data from being kept indefinitely after the purposes for which it was processed have long been fulfilled. For example, it would not be justified to indefinitely retain personal data linked to a certain domain name after the registrant had sold the domain name or failed to renew its registration.
Lastly, sufficient technical and organisational measures must be adopted to ensure appropriate security of the personal data. In this way, the integrity and confidentiality of the data must be ensured by protecting it against, among others, unauthorised or unlawful processing and accidental loss or destruction. The escrowing of registrant data is an example of the protection of personal data against accidental loss or destruction.
The introduction of the GDPR also imposes other new and extensive obligations in relation to accountability, security, obtaining consent, organisation, record keeping, international transfers, etc. Additionally, the rights of individual data subjects are strengthened through the enhancement of the right to information, to access and to rectification, and through the introduction of the right to be forgotten, data portability and the restriction of processing.
As a result, entities both inside and outside the EU, including registries, registrars and ICANN, must carefully evaluate whether their data processing activities are caught by the strict requirements of the GDPR and adapt their processing operations, documents, procedures and policies accordingly.
Domain name registration and WHOIS
When a person registers a domain name, a multitude of personal information is processed by several entities for different purposes. Registrars directly offer services to individuals wishing to register a domain name. They process the personal data of their customers by collecting, storing, using and disclosing identification, payment and contact information for the conclusion of the registration contract, follow-up services, complaint forms, abuse filings, e-mail communication etc. This ‘thick’ registration data is then transferred to the registries who process this data in relation to the registration of domain names in their top-level domains (TLDs). Registries further process personal data through their monitoring activities, query logs, online forms, email communication and complaint procedures. Registration data is also transferred to escrow agencies for disaster recovery purposes.
Through their contractual obligations with ICANN, registrars and registries of generic TLDs (gTLDs) are required to maintain accurate registration directory services, also known as WHOIS. When registering a domain name, a registrant must provide identification and contact information including its name, email address, physical address, phone number, and administrative and technical contacts. This personal information, together with other information regarding the registration of the domain name, is currently made publicly available unless the registrant opts to use privacy or proxy services. As a result, anyone can use the WHOIS protocol to search the gTLD databases and identify the domain name registrant. While this system may serve a variety of legitimate purposes for internet users, businesses, law enforcement and consumer protection agencies, unrestricted public access to WHOIS data appears difficult to reconcile with several principles of the GDPR, especially with the principles of purpose limitation and data minimisation. By comparison, registries of country code TLDs (ccTLDs), such as .uk or .be, implement local policy regarding the request and display of registration information. They could, for example, decide that only limited personal information is collected or that only the information of legal persons is fully displayed. While the registries of ccTLDs can also fall under the scope of the GDPR, they are not subject to ICANN’s WHOIS policy, which is placed at the centre of the data protection debate.
Although ICANN must make the necessary efforts to bring WHOIS in compliance with the GDPR, it must be careful not to unduly restrict access for purposes of legitimate public interest. The use of domain names and related websites and email addresses for hacking, spam, phishing, the sale of contraband and counterfeit goods, intellectual property (IP) infringements, money laundering and other cybercrimes and infringements is endless.
WHOIS data provides stakeholders, such as law enforcement and consumer protection agencies, cybersecurity teams and IP rights holders, with the ability to investigate and address infringements, reach out to unauthorised parties directly, file a complaint to recover or disable an infringing domain name, report the activity to regulatory agencies etc. For example, internet users may use the public registration directories to verify whether an online retailer is legitimate or to find a point of contact to address urgent questions. As a result, the public availability of registration data ensures the accountability of registrants towards internet users, which is often in their own interest.
Expedient access to accurate WHOIS information is of vital importance to IP rights holders in their continual struggle against online infringers. In order to address cybersquatting or other abusive domain name registrations, trademark owners depend on WHOIS data to identify the malignant registrant, address his or her lack of interest and rights in the domain name and prove bad faith. Information related to the registrant’s previous conduct online, such as the registration of other infringing domain names or involvement in the sale of counterfeit products, may also prove useful to further demonstrate bad faith. Identification information is also necessary to address the correct respondent in UDRP or URS complaints. In local anti-cybersquatting proceedings, WHOIS information is, for instance, used to determine who has jurisdiction and what law is applicable. Before proceedings are initiated, the contact information is also necessary to have the option to settle the dispute amicably, negotiate an agreement or send cease-and-desist letters.
The legitimate interests behind unrestricted public access to identification and contact information of registrants are difficult to ignore. It must also be noted that WHOIS queries are often used as a primary option to address a certain concern expediently, without having to wait for a response from a registrar or registry. Requiring the presentation of a disclosure form or subpoena before disclosing any personal data of the registrant could not only place an impossible burden on registrars, registries and ICANN, but could also result in increased damages and cyberflight due to slow reactions. Still, it remains important to reconcile these legitimate interests with the fundamental rights and interests of the individual registrants, especially with regard to the protection of their personal data. As such, ICANN has committed to ‘ensure compliance with the GDPR while maintaining the existing WHOIS system to the greatest extent possible’.
Incompatibility of a public WHOIS with the GDPR
The unlimited publication of personal data of individual registrants raises concerns regarding several aspects of the GDPR, such as accountability, transparency, the rights of data subjects and the arrangement between joint-controllers.
The debate particularly revolves around compliance with the data processing principles and the legitimate bases for the processing. Registrars, registries and ICANN principally process the data for administration purposes, such as invoicing, support and technical assistance in relation to registering and maintaining the domain names. As a result, registrars can rely on the processing being necessary for the performance of the registration contract. However, registries and ICANN cannot rely on this ground as they do not directly enter into a contract with the registrant. Nevertheless, they could certainly rely on the fact that the processing is necessary for legitimate interest purposes. After all, registrants are informed of the registrar’s responsibility to ICANN and the registries, and they can legitimately expect that the further processing is necessary to register and maintain their domain names. The same can be argued for the use of WHOIS data by escrow agencies for recovery purposes. The problem, however, is that these administrative purposes do not warrant the public disclosure of the personal data outside of these parties.
Above, we mentioned several additional purposes related to a public WHOIS that serve the interest of a variety of third parties. These purposes entail, among others, the use of public WHOIS data by law enforcement agencies to investigate and respond to crime, fraud, counterfeiting, illegal sales and other infringements; the use of public WHOIS data by consumer protection agencies to tackle scams and other forms of consumer deception online; and the use of public WHOIS data by IP rights holders to investigate IP infringements and identify the registrant to, for example, file a UDRP or URS complaint.
The unlimited public disclosure of personal information for these additional purposes seems even more difficult to reconcile with the principles of the GDPR. Although ICANN requires that the consent of the registrant is obtained for the publication of personal data in WHOIS directories, this consent must still be valid. Under the GDPR, consent is only valid if it is freely given, specific, informed and unambiguous and can be freely withdrawn.
Additionally, consent is presumed not to be freely given if the performance of a contract, including the provision of a service, is dependent on the consent despite it not being necessary for such performance. As a result, it can be argued that the registrant’s consent for publishing his or her personal registration data is a requirement to register the domain name and is thus not freely given. However, if registrants are given the option to freely opt in and allow their personal data to be publicly available without this being necessary to obtain the domain name, this would be a valid ground for public disclosure of the personal registration data.
More importantly, ICANN and the other parties could potentially rely on the legitimate interest ground of the GDPR which provides that ‘processing is lawful when necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data’. As mentioned above, this ground does not provide for a last resort justification, but must be balanced against the impact on and the legitimate expectations of the data subject. The fact that the processing is in the public interest and sufficient safeguards are implemented could tip the balance in favour of the controller. Although the publication of WHOIS data for purposes of law enforcement, consumer protection and IP enforcement could all be considered in the public interest, the unlimited disclosure of this personal data to the general public allows it to be used for completely different purposes, which may or may not be legitimate. This lack of control and foreseeability indicates that maintaining an unlimited publicly accessible WHOIS is not possible under the GDPR.
Therefore, ICANN has recognised that a layered model of access to the WHOIS is necessary in combination with limited public access to certain data. Such a system is often already used by registries in various ccTLDs. In the .eu ccTLD, for example, only the language and email address of natural persons is displayed in the public WHOIS to protect their personal data. The disclosure of additional information must be requested by means of a data disclosure form. With regard to gTLDs, ICANN and the community first suggested different interim WHOIS models for compliance with the GDPR. After having consulted legal experts, European data protection authorities, the Article 29 Working Party, the EU Commission and community stakeholders, ICANN eventually put forward a final interim WHOIS model. This model must serve as a quick preliminary measure of compliance with the GDPR until a more thought-out and substantiated system can be implemented. Positions on the proposed interim WHOIS model are divided, with no stakeholder groups generally being satisfied. ICANN has justified the model accordingly as ‘distributing misery evenly’.
Efforts to achieve compliance: the interim WHOIS model
Under the proposed interim WHOIS model, all existing personal data of registrants will still be collected. This means that, in order to register a domain name, registrants will still have to provide their full name, organisation (if applicable), phone number, physical address, email address, and administrative and technical contact information. This full data set will also still be transferred to the applicable registry and data escrow agent.
However, the new interim model proposes to restrict the accessibility of personal registrant data to a layered or tiered access system based on the accreditation of interested parties. In this way, limited registrant data will be kept publicly available, with only accredited parties having access to the full data set. Apart from information on the specific domain name and the registrar, non-accredited users performing a public WHOIS query will only be able to view the registrant’s organisation (if applicable) and his or her country, state or province for jurisdiction purposes. Additionally, ICANN has proposed to include an anonymised email address or web form to ensure that non-accredited parties can reach out to the registrant while preserving anonymity. Registrants will still be able to opt in to the publication of additional personal information, such as their name or contact information, if they so choose. While the implementation of gated access to personal data may be necessary to comply with the principles of the GDPR, such as data minimisation and purpose limitation, the omission of certain important identification and contact information from the public WHOIS records may prove detrimental to interested parties who fail to get accredited under ICANN’s proposed accreditation system.
Another controversial aspect of the interim WHOIS model is its scope of application. While the GDPR only applies to the data of natural persons, the interim model will apply without making a distinction between natural persons and legal entities. It is also permitted for registrars and registries to apply the model globally, without a connection to the EEA or EU citizens. Although such an approach could be understandable from a practical and technical perspective, the over-extension of the interim model’s scope of application is not in accordance with ICANN’s commitment to ‘ensure compliance with the GDPR while maintaining the existing WHOIS system to the greatest extent possible’. EURid, the registry of the .eu ccTLD, does, for example, make a clear distinction between natural and legal persons based on self-certification by the registrant.
In the proposed interim model, access to non-public WHOIS data will be reserved to specific third parties approved under a formal accreditation programme administered by ICANN. It is still uncertain who will eventually be eligible for accreditation, but ICANN has specifically mentioned national law enforcement authorities and IP lawyers. Private accredited users will need to comply with pre-determined codes of conduct, which would establish standardised criteria, limitations and responsibilities for granting access to non-public WHOIS data. The eventual determination of eligible user groups, accreditation bodies and codes of conduct will surely result in confusion and discrimination. Which international bodies will be considered to represent, for example, consumer protection agencies? What is understood as being an IP lawyer? For this, registration at a national or regional bar could be considered as a necessary criterion. However, this means that certain persons, such as trademark attorneys and consultants, would not be eligible for accreditation. Also, ICANN specifically mentions ‘licensed attorneys representing IP rights holders’ and not IP rights holders themselves. Does that mean that the rights holders themselves cannot be accredited and must depend on their lawyers to obtain the identity of the infringer? The precise implementation of this accreditation programme will be crucial for the preservation of the legitimate purposes of WHOIS information, under which ICANN has specifically included the support of a framework which addresses ‘issues involving domain name registrations, including but not limited to: consumer protection, investigation of cybercrime, DNS abuse, and intellectual property protection’.
While ICANN is working hard to determine the specifications and practicalities necessary for the interim WHOIS and accreditation model before the coming into effect of the GDPR on 25 May 2018, the practical implementation of these new measures will depend on the steps taken by registrars and registries. The practical implementation could take many more months and might not see the light before 2019. What does this mean for parties that are dependent on WHOIS information to perform essential tasks, such as law enforcement, consumer protection agencies and IP rights holders? Will ICANN allow the continuity of the existing public WHOIS model until the new interim model is fully implemented or will a temporary but catastrophic blackout of WHOIS information occur? It might make sense to adopt an ‘interim interim’ or ‘tentative interim’ model, based on self-certification or data disclosure requests. It is certain that the total omission of WHOIS information should be avoided at all costs, as this endeavour is not only closely followed by the contracted parties, law enforcement agents and IP rights holders, but also by cybersquatters, spammers and other abusive parties, who will surely take advantage of any weaknesses in the system.
Although the WHOIS compliance model will only be an interim one, it remains important that ICANN focuses on preserving most of the existing WHOIS system while at the same time complying with the GDPR. The ‘interim’ model may be in place for a long time and will likely form the basis of a more permanent one. In its efforts to reach compliance, it is therefore important to not unduly broaden the scope of the GDPR, without taking account of the wider public interests behind WHOIS. For IP rights holders, the upcoming changes to the WHOIS system could very well mean that they must adopt a new strategy to enforce their IP online. Brand owners may become dependent on accreditation bodies. Without accreditation, it will no longer be possible to obtain the identity and contact information of possible infringers. Also, accredited or not, bulk access to WHOIS information risks becoming impossible. This would mean that reverse WHOIS queries or other general searches to monitor infringements or discover patterns of conduct will no longer be possible. As a result, IP rights holders will be limited to single query searches, which could have a significant impact on efficiency. Unless an authenticating body is authorised to process bulk searches in an anonymised fashion, it will be virtually impossible to identify repeat infringers and patterns of illegitimate conduct. Access to and use of personal data obtained by an accredited entity will not be unrestricted. Accredited parties will have to comply with specific codes of conduct, and compliance will be monitored by the relevant accreditation body. All of this could result in the proliferation of cybersquatting and other online infringements, as the ability of IP rights holders (and other interested third parties, such as law enforcement and consumer protection agencies) to tackle infringements and abuse online will be seriously hampered.
At the moment, much depends on the speed and effectiveness of implementation and on the permanent compliance model that ICANN will eventually choose to implement. Other, even more restrictive, WHOIS models have also been put forward. A working group within ICANN has, for example, suggested abolishing the existing decentralised WHOIS model and adopting a central ‘one stop shop’ model which is closed by default and accessible only to authenticated requestors who are held accountable for appropriate use of the information. Surely, such a model will completely incapacitate many of the legitimate uses of WHOIS information. Thus, the last word has not yet been said on this subject.