The protection of personal information has become increasingly important in recent years. Concepts such as big data, data mining and profiling have taken a prominent place in today’s digital environment. The internet’s naming system forms an important part of this environment and personal data in relation to domain names is collected, disclosed, retrieved and transferred on a daily basis. The main share of the processing activity revolves around the WHOIS directories, a series of databases managed by registrars and registry operators containing information related to registered domain names. This information includes personal identification and contact information of domain name holders (registrants), such as names, email addresses, phone numbers, physical addresses, and administrative and technical contacts. The WHOIS directories serve as a primary resource for a number of entities, such as law enforcement authorities, consumer protection organisations and intellectual property rights holders, to investigate and tackle crime and infringements online. However, the protection of personal information contained in WHOIS has been a major point of interest since the announcement of the European Union’s (EU) General Data Protection Regulation 2016/679 (GDPR).
The GDPR occupies the centre of the data protection debate. It came into effect on 25 May 2018. Over the course of the past two years, companies and organisations have struggled to bring their activities into compliance with the GDPR, with many still uncertain about the conformity of their operations. Because of the extensive territorial reach of the GDPR, compliance efforts are not limited to European entities, but also concern many organisations and companies based in other countries, such as registrars, registry operators and the Internet Corporation for Assigned Names and Numbers (ICANN), which is responsible for coordinating and administering the internet’s Domain Name System.
In order to enhance and harmonise the protection of personal data, the EU adopted the GDPR on 27 April 2016. The Regulation prescribes specific rules that entities must comply with when processing personal data. While processing is understood in the broadest sense, meaning literally any operation performed on the data, personal data only entails information relating to an identified or identifiable natural person. As a result, information on companies, organisations or other legal entities is excluded from the scope of the Regulation. Processing activities can include, among others, the collection, storage and consultation of contact information (such as names and email addresses) for communication and verification purposes; the collection and disclosure of payment information for the conclusion of a contract; and the transfer of employee information to a parent company.
The territorial reach of the GDPR is extensive. It applies not only to entities established in the European Economic Area (EEA) processing personal data in the context of that establishment, but also to persons, companies or organisations established in other countries processing data of EU citizens in order to offer them goods or services, or to monitor their behaviour within the EU. The adoption of these twofold criteria to determine the territorial scope means that the offering of domain name registration services to EU citizens by a registrar or registry operator established outside the EU is an activity for which the GDPR may apply. The fact that services are merely accessible to EU citizens is not sufficient. A provider must target EU citizens through its website or otherwise. Targeting may be established through a combination of a variety of factors, such as language preferences, currency, telephone numbers and use of EU ccTLDs. The question of targeting is therefore determined on a case-by-case basis.
The GDPR differentiates between data controllers, who decide on the purpose and means of the processing, and data processors, who only process data for and on the instruction of the data controller. While the data processor has several obligations related to security, the processing contract, technical and organisational measures etc, the controller remains ultimately responsible for the processing activity. In the context of domain name registration, it can be determined that registrars and registry operators, as well as ICANN, each process personal registrant information for their own purposes, as the parties have a different impact over distinct parts of the processing. Because registrars and registry operators often require or use additional information apart from their contractual obligations towards ICANN, the different parties in the domain name registration chain may be considered joint controllers. As a result, the GDPR requires that an arrangement (joint controller agreement) within the existing contractual framework must be adopted, setting out the respective roles and obligations of ICANN and the contracting parties in relation to the processing.
For the processing activity to be legitimate, it must comply with six principles laid down in article 5 of the GDPR.
First, the processing must be lawful and fair, meaning that a legitimate basis is required and that the data subject must be properly informed in a transparent way. A legitimate basis for processing can either be the data subject’s consent; the necessity to perform or enter into a contract; the necessity to comply with a legal obligation; the necessity to perform a task carried out in the public interest or to exercise official authority; the necessity to protect the vital interest of the data subject or of another person; or to fulfil a legitimate interest of the data controller which outweighs the data protection interests and rights of the data subject. While this last motivation does not provide for a ‘last resort’ justification, it can be applied in cases where, for example, the processing is carried out for a wider public interest, in line with the legitimate expectations of the data subject and with sufficient safeguards to protect his or her interests.
Second, the processing activity must also be conducted for specific legitimate purposes and cannot be further performed in a manner incompatible with these purposes. Accordingly, a registrar cannot process the contact data of its registrants for direct marketing purposes if the initial purpose was limited to technical or administrative communication related to the registered domain names.
Third, in accordance with the principle of data minimisation, processing must be relevant and limited to what is necessary for the specified purposes. This means that for the purpose of email communication, for example, a controller should not request and collect phone numbers or physical addresses if no telephone or written communication was necessary and specified.
Fourth, due account must be taken of the accuracy of the personal data and that, where necessary, it is kept up to date. As a result of this accuracy principle, personal data that is inaccurate should be erased or rectified without delay. While the inaccuracy of registration information has always been a debated issue, registrars are generally required to verify certain data fields, such as the registrant’s email address or phone number, and they should respond promptly to rectification requests.
Fifth, the retention period of the personal data must be limited to what is necessary for the specific purposes. This principle of storage limitation prevents certain data from being kept indefinitely after the purposes for which it was processed have long been fulfilled. For example, it would not be justified to indefinitely retain personal data linked to a certain domain name after the registrant had sold the domain name or failed to renew its registration.
Lastly, sufficient technical and organisational measures must be adopted to ensure appropriate security of the personal data. In this way, the integrity and confidentiality of the data must be ensured by protecting it against, among others, unauthorised or unlawful processing and accidental loss or destruction. The escrowing of registrant data is an example of the protection of personal data against accidental loss or destruction.
The introduction of the GDPR also imposed other new and extensive obligations in relation to accountability, security, obtaining consent, organisation, record keeping, international transfers, etc. Additionally, the rights of individual data subjects were strengthened through the enhancement of the right to information, to access and to rectification, and through the introduction of the right to be forgotten, data portability and the restriction of processing.
As a result, entities both inside and outside the EU, including registry operators, registrars and ICANN, had to carefully evaluate whether their data processing activities were caught by the strict requirements of the GDPR and adapt their processing operations, documents, procedures and policies accordingly.
Domain name registration and WHOIS
When a person registers a domain name, a multitude of personal information is processed by several entities for different purposes. Registrars directly offer services to individuals wishing to register a domain name. They process the personal data of their customers by collecting, storing, using and disclosing identification, payment and contact information for the conclusion of the registration contract, follow-up services, complaint forms, abuse filings, email communication etc. This ‘thick’ registration data is then transferred to the registry operators who process this data in relation to the registration of domain names in their top-level domains (TLDs). Registry operators further process personal data through their monitoring activities, query logs, online forms, email communication and complaint procedures. Registration data is also transferred to escrow agencies for disaster recovery purposes.
Through their contractual obligations with ICANN, registrars and registry operators of generic TLDs (gTLDs) are required to maintain accurate registration directory services, also known as WHOIS. When registering a domain name, a registrant must provide identification and contact information including its name, email address, physical address, phone number, and administrative and technical contacts. Before the GDPR came into effect, this personal information, together with other information regarding the registration of the domain name, was made publicly available unless the registrant opted to use privacy or proxy services. As a result, anyone could use the WHOIS protocol to search the gTLD databases and identify the domain name registrant. While this open system served a variety of legitimate purposes for internet users, businesses, law enforcement and consumer protection agencies, unrestricted public access to WHOIS data appeared difficult to reconcile with several principles of the GDPR, especially with the principles of purpose limitation and data minimisation. By comparison, registry operators of country code TLDs (ccTLDs), such as .uk or .be, implemented local policy regarding the request and display of registration information in their own respective WHOIS databases. They could, for example, decide that only limited personal information would be collected or that only the information of legal persons would be fully displayed. While the registry operators of ccTLDs may also fall under the scope of the GDPR, they are not subject to ICANN’s general WHOIS policy, which is only applicable to gTLDs, such as .com, .org, .web, .law, .store, etc.
Although ICANN must make the necessary efforts to bring WHOIS in compliance with the GDPR, it must be careful not to unduly restrict access for purposes of legitimate public interest. The use of domain names and related websites and email addresses for hacking, spam, phishing, the sale of contraband and counterfeit goods, intellectual property (IP) infringements, money laundering and other cybercrimes and infringements is endless. WHOIS data provides stakeholders, such as law enforcement and consumer protection agencies, cybersecurity teams and IP rights holders, with the ability to investigate and address infringements, reach out to unauthorised parties directly, file a complaint to recover or disable an infringing domain name, report the activity to regulatory agencies etc. For example, internet users could use the public registration directories to verify whether an online retailer is legitimate or to find a point of contact to address urgent questions. As a result, the public availability of registration data ensures the accountability of registrants towards internet users, which is often in their own interest.
Expedient access to accurate WHOIS information is of vital importance to IP rights holders in their continual struggle against online infringers. In order to address cybersquatting or other abusive domain name registrations, trademark owners depend on WHOIS data to identify the malignant registrant, address his or her lack of interest and rights in the domain name and prove bad faith. Information related to the registrant’s previous conduct online, such as the registration of other infringing domain names or involvement in the sale of counterfeit products, may also prove useful to further demonstrate bad faith. Identification information is also necessary to address the correct respondent in UDRP or URS complaints. In local anti-cybersquatting proceedings, WHOIS information is, for instance, used to determine who has jurisdiction and what law is applicable. Before proceedings are initiated, the contact information is also necessary to have the option to settle the dispute amicably, negotiate an agreement or send cease-and-desist letters.
The legitimate interest behind public access to identification and contact information of registrants is difficult to ignore. It must also be noted that WHOIS queries are often used as a primary option to address a certain concern expediently, without having to wait on a response by a registrar or registry operator. Requiring the presentation of a disclosure form or subpoena before disclosing any personal data of the registrant could not only place an impossible burden on registrars, registry operators and ICANN, but could also result in increased damages and cyberflight due to slow reactions. Still, it remains important to reconcile these legitimate interests with the fundamental rights and interests of the individual registrants, especially with regard to the protection of their personal data. As such, ICANN has committed to ‘ensure compliance with the GDPR while maintaining the existing WHOIS system to the greatest extent possible’.
Incompatibility of a public WHOIS with the GDPR
The unlimited publication of personal data of individual registrants raises concerns regarding several aspects of the GDPR, such as accountability, transparency, the rights of data subjects and the arrangement between joint controllers.
The debate particularly revolves around compliance with the data processing principles and the legitimate bases for the processing. Registrars, registry operators and ICANN principally process data for administration purposes, such as invoicing, support and technical assistance in relation to registering and maintaining domain names. As a result, registrars can rely on the processing being necessary for the performance of a registration contract. However, registry operators and ICANN cannot rely on this ground as they do not directly enter into a contract with the registrant. Nevertheless, they could certainly rely on the fact that the processing is necessary for legitimate interest purposes. After all, registrants are informed of the registrar’s responsibility to ICANN and the registry operators, and they can legitimately expect that the further processing is necessary to register and maintain their domain names. The same can be argued for the use of WHOIS data by escrow agencies for recovery purposes. The problem, however, is that these administrative purposes do not warrant the public disclosure of the personal data outside of these parties.
Above, we mentioned several additional purposes related to a public WHOIS that serve the interest of a variety of third parties. These purposes entail, among others, the use of public WHOIS data by law enforcement agencies to investigate and respond to crime, fraud, counterfeiting, illegal sales and other infringements; the use of public WHOIS data by consumer protection agencies to tackle scams and other forms of consumer deception online; and the use of public WHOIS data by IP rights holders to investigate IP infringements and identify the registrant to, for example, file a UDRP or URS complaint.
The unlimited public disclosure of personal information for these additional purposes seems difficult to reconcile with the principles of the GDPR. Although ICANN requires that the consent of the registrant is obtained for the publication of personal data in WHOIS directories, this consent must still be valid. Under the GDPR, consent is only valid if it is freely given, specific, informed and unambiguous and can be freely withdrawn. Additionally, consent is presumed not to be freely given if the performance of a contract, including the provision of a service, is dependent on the consent despite it not being necessary for such performance. As a result, it can be argued that the registrant’s consent for publishing his or her personal registration data is a requirement to register the domain name and is thus not freely given. However, if registrants are given the option to freely opt in and allow their personal data to be publicly available without this being necessary to obtain the domain name, this would be a valid ground for public disclosure of the personal registration data.
More importantly, ICANN and the other parties can potentially rely on the legitimate interest ground of the GDPR, which provides that ‘processing is lawful when necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data’. As mentioned above, this ground does not provide for a last resort justification, but must be balanced against the impact on and the legitimate expectations of the data subject. The fact that the processing is in the public interest and sufficient safeguards are implemented could tip the balance in favour of the controller. Although the publication of WHOIS data for purposes of law enforcement, consumer protection and IP enforcement could all be considered in the public interest, the unlimited disclosure of this personal data to the general public allows it to be used for completely different purposes, which may or may not be legitimate. This lack of control and foreseeability indicates that maintaining an unlimited publicly accessible WHOIS was not possible under the GDPR.
Therefore, before the GDPR came into effect on 25 May 2018, ICANN had recognised that a layered model of access to the WHOIS was necessary in combination with limited public access to certain data. Such a system was often already used by registry operators in various ccTLDs. In the .eu ccTLD, for example, only the language and email address of natural persons is displayed in the public WHOIS to protect their personal data. The disclosure of additional information must be requested by means of a data disclosure form. With regard to gTLDs, ICANN and the community first suggested different interim WHOIS models for compliance with the GDPR. After having consulted legal experts, European data protection authorities, the European Data Protection Board, the European Commission and community stakeholders, ICANN eventually put forward the ‘Temporary Specification for gTLD registration Data’ on 25 May 2018. The Temporary Specification sets out contractual obligations for registrars and registry operators for the collection, disclosure and publication of registrant data post-GDPR. It serves as a preliminary measure for compliance with the GDPR. It is meant to be in place for one year, after which a more permanent consensus system must be implemented. To achieve this, an Expedited Policy Development Process (EPDP) started on 25 May 2018, which aims to review the elements of the Temporary Specification and evaluate whether they are in conformity with the GDPR and the ICANN by-laws and whether additional actions are necessary to put in place a reasoned and balanced policy by 25 May 2019, including a uniform mechanism for access and accreditation.
Efforts to achieve compliance: the Temporary Specification and EPDP
Under the Temporary Specification, all previous personal data of registrants is still being collected. This means that, in order to register a domain name, registrants will still have to provide their full name, organisation (if applicable), phone number, physical address, email address, and administrative and technical contact information. This full data set will also still be transferred to the applicable registry operator and data escrow agent.
However, the Temporary Specification restricts the accessibility of personal registrant data available through public WHOIS queries. At the moment, internet users seeking information on a specific domain name holder are only able to view the registrant’s organisation (if applicable) and his or her country, state or province in public WHOIS. ICANN also requires that an anonymised email address or web form is displayed to ensure that interested third parties can reach out to the registrant through email forwarding, while preserving anonymity. However, attempts to contact the registrant through this mechanism have often proved to be unsuccessful as no processes are in place to ensure or track a response. Additionally, registrants are still able to consent to the publication of additional personal information, such as their name or contact information, if they so choose. While the redaction of personal data may be necessary to comply with the principles of the GDPR, such as data minimisation and purpose limitation, the omission of certain important identification and contact information from the public WHOIS records may prove detrimental to interested parties who fail to receive access to that information on the basis of their overriding legitimate interests. The Temporary Specification requires registrars to provide ‘reasonable access’ to the personal data of registrants to a third party, such as a law enforcement authority or intellectual property rights owner, except where the legitimate interests of that third party to receive the personal information are overridden by the registrant’s own privacy rights or interests. However, the lack of uniform criteria or a standardised process to provide such ‘reasonable access’ has already resulted in uncertainty and a fragmented treatment of access requests.
Another controversial aspect of the Temporary Specification is its scope of application. While the GDPR only applies to the data of natural persons, the Temporary Specification applies without making a distinction between natural persons and legal entities. It is also permitted for registrars and registry operators to apply the model globally, without a connection to the EEA or EU citizens. Although such an approach could be understandable from a practical and technical perspective, the over-extension of the Temporary Specification’s scope of application is not in accordance with ICANN’s commitment to ‘ensure compliance with the GDPR while maintaining the existing WHOIS system to the greatest extent possible’. EURid, the registry operator of the .eu ccTLD, does, for example, make a clear distinction between natural and legal persons based on self-certification by the registrant.
At the moment, the EPDP working group, which consists of 31 representatives from all stakeholder groups, is working on reviewing the Temporary Specification in order to develop recommendations and actions required to establish a permanent Consensus Policy on WHOIS and GDPR. The resulting policy will inevitably be a product of consensus, as it needs to reconcile the diverging views on both sides of the privacy and consumer/IP protection debate. For example, civil society representatives aim to protect the privacy of domain name holders to the furthest extent possible in order to preserve anonymity online; registrars and registry operators (contracted parties) want to limit their potential exposure to liability for non-compliance with the GDPR; other third parties, such as IP rights holders and law enforcement authorities, advocate for transparency and accountability online. On 21 November 2018, the EPDP working group published its initial report and opened it up for public comments. Although the report confirms consensus on different aspects of the Temporary Specification, it also shows divisive views on certain key elements. For example, contention remains on (i) whether or not a distinction should be made between natural persons and legal entities for the publication of registration data; (ii) whether there should be a differentiation based on geographic location in accordance with the territorial remit of the GDPR; and (iii) whether the organisation field should be kept publicly accessible considering the risk that this field might include personal information. Additionally, no further guidance or clarification is given on what constitutes ‘reasonable access’ to be provided by registrars to interested third parties. These important issues must first be resolved before a substantiated and balanced WHOIS model can be implemented on 25 May 2019.
Lastly, the EPDP also undertakes to develop a System for Accredited Access to Non-Public Registration Data (Unified Access Model). In the proposed access model, access to non-public WHOIS data will be reserved to specific third parties approved under a formal accreditation programme administered by either ICANN or an independent third party. It is still uncertain who will eventually be eligible for accreditation and under which requirements, but ICANN has specifically mentioned national law enforcement authorities and IP lawyers. Private accredited users will potentially need to comply with predetermined codes of conduct, which would establish standardised criteria, limitations and responsibilities for granting access to non-public WHOIS data. However, before the EPDP working group can further develop a Unified Access Model, a selection of important ‘gating’ questions in the Temporary Specification must be answered. These gating questions relate to the WHOIS data processing purposes, the collection of registration data, as well as the transfer and potential publication of this data. Seeing that no formal consensus was reached on important issues related to these questions in the working group’s initial report and considering the time pressure, it is doubtful that a Unified Access Model will be developed before the EPDP’s deadline on 25 May 2019. Without an alternative, this risks leaving law enforcement, consumer protection agencies, intellectual property owners and other interested third parties at the mercy of discretionary decisions by registrars to disclose important personal information of their registrants.
While the EPDP working group is working hard to determine the specifications and requirements necessary for a permanent WHOIS Consensus Policy and a potential Unified Access Model, the available information in the public WHOIS records remains severely restricted until at least 25 May 2019. What does this mean for third parties that are dependent on WHOIS information to perform essential tasks, such as law enforcement, consumer protection agencies and IP rights holders? For IP rights holders, the changes to the WHOIS system mean that they have to adopt a new strategy to enforce their IP online. They can no longer depend on readily available identity and contact information of potential infringers available in the WHOIS records associated with infringing websites. Also, bulk access to WHOIS information is no longer possible. This means that reverse WHOIS queries or other general searches to monitor infringements or discover patterns of conduct are no longer possible. As a result, IP rights holders must revert to more ‘old school’ tactics to investigate and tackle potential infringements. For example, they can investigate a website’s IP address to obtain information on its location or to request the disclosure of additional information based on the IP address from other intermediaries, such as the ISP. They can also examine historical repositories of WHOIS data, although their relevance diminishes with every passing day. Substantive information on a website, such as languages, currencies, hyperlinks and postal addresses, can provide further insight. One can also attempt to contact a registrant directly through the provided anonymised email address or try to obtain the disclosure of the infringing registrant’s identity through a request with the responsible registrar.
The redaction of WHOIS information in the Temporary Specification also has important consequences for domain name proceedings under the Uniform Domain-Name Dispute Resolution Policy (UDRP). Complainants wishing to initiate proceedings to obtain the transfer or cancellation of an infringing domain name now often lack sufficient information on the registrant around which to construct their complaint. Without the identity and contact information of the registrant, it becomes more difficult to prove elements such as (i) the lack of rights or legitimate interest in the domain name by the registrant; (ii) knowledge of the trademark rights by the registrant based on his or her location; or (iii) a pattern of bad-faith registrations by the registrant, etc. To alleviate at least part of these concerns, domain name dispute resolution providers, such as WIPO, allow for a ‘doe’ complaint to be submitted (ie, a complaint directed against an unknown respondent), which can be substantively or procedurally amended after the complainant has received the mandatory verification of the identity and contact information of the registrant by the responsible registrar. The complainant also has the option to retract its complaint if it appears that the registrant does have rights or a legitimate interest in the domain name or did not act in bad faith. WIPO allows for the refund of the unused panel fee after such retraction.
Whether IP rights holders will remain dependent on these restricted mechanisms principally depends on the successful completion of the EPDP and the implementation of a balanced WHOIS Consensus Policy. It is unlikely that personal information in the WHOIS records will once again become publicly available. As a consequence, IP rights holders are best served by an efficient and expedient Unified Access Model that facilitates the necessary access to important WHOIS information. To limit the negative consequences of a WHOIS blackout, such a system should be developed without delay. ICANN could potentially take a leading role in developing a centralised access model, without undermining the efforts already made in the EPDP. A centralised access model managed by ICANN would avoid the need to inconsistently obtain access to WHOIS information from each responsible registrar. Whatever the outcome, one thing is certain: the last word has not yet been said on this subject.