Apr 14, 2018 - by Matt Serlin

GDPR and WHOIS – We’ve Heard from the Article 29 Working Party, Now What?

Well, here we are on Friday the 13th and I couldn’t think of a better way to spend the day than providing an update on GDPR, WHOIS and ICANN. There’s lots to cover, so let’s dive right in.

As we have been talking about for a number of months now, the EU’s new General Data Privacy Regulation (GDPR) will become enforceable on May 25th. The ICANN community has been struggling with how GDPR will impact the WHOIS system.

This week, ICANN engaged with the Article 29 working party (an advisory board made up of representatives of each of the data protection authorities of each EU member state) to obtain guidance on whether its proposed model is GDPR-compliant. The community was eagerly awaiting this feedback and it was provided to ICANN.

The feedback received was, in some ways, predictable. The working party applauded ICANN for proposing an interim model which included an accreditation program for access to non-public WHOIS information; however, the group indicated the purposes for collection of personal data was not sufficiently detailed and it urged “ICANN to revisit its current definition of “purposes” in light of these requirements.” It also stressed to ICANN the need to link each specific purpose of the collection of data to a relevant legal basis.

The group also raised concerns with how the access to non-public WHOIS information would be granted and what data elements would be available to those parties. Again, the notion of specific legal basis for access to this data was highlighted, in addition to points about unauthorized access and the overall security of that data.

For those who were hoping for some sort of enforcement moratorium or forbearance of GDPR relative to registrars and registries, there was no such mention of that in the communication to ICANN. In the eyes of the Article 29 working party, the enforcement date of May 25th will not be changing. To underscore the scrutiny this subject is getting, the US Commerce Secretary has sent a letter to the European Commission asking for help, “in securing temporary forbearance from GDPR enforcement on the process of WHOIS information.”

So where does this leave us? At this point, that IS the million-dollar question, and I’d like to make the following observations:

  • While May 25th may be the date of enforcement, that clearly will not mark the end date of this. In its response back to the working party, ICANN boldly stated, “…we are studying all available remedies, including legal action in Europe to clarify our ability to continue to properly coordinate this important global information resource.” No one is quite sure what legal action in this case would even look like, but that was a rather stunning statement for ICANN to make. And with high-level government officials now getting involved, who knows where this will lead?
  • The WHOIS system, as it has been known for two decades, will cease to exist. Unfettered access to registration information for gTLDs is simply not going to be possible going forward after May 25th. Yes, there are still questions as to what the final model ICANN puts forth will be, but it will certainly drastically change how WHOIS will function.
  • In addition to the global WHOIS system becoming fragmented, I believe that the ICANN community itself will become increasingly fragmented. The contracted parties (registrars and registries) are on the hook for severe penalties for violation of GDPR. They are being conservative in their approach, which is understandable. The main users of WHOIS (namely the Intellectual Property Constituency and the Business Constituency) have proposed an accreditation model for access to non-public WHOIS information to ensure access for purposes such as cybersecurity, intellectual property and law enforcement, but there has been push-back on that proposal as it was developed by two specific groups within the community and is being done outside of the standard process for policy development.

With an enforcement date of May 25th, it’s clear that uncertainty is the only certainty and that events are going to unfold at a rapid pace. As always, we’ll continue to monitor this topic closely, and we’ll provide updates as they become available.

Tags: TAG1, TAG2, TAG3, TAG4

  • Nov 28, 2018 - by Matt Serlin
    The EPDP Initial Report: Forward Progress Yet Much Work Remains

    Here in the United States, we recently celebrated Thanksgiving and with that, we now enter the last weeks of 2018. I’ve spent much of this past year involved in ICANN’s Expedited Policy Development Process (EPDP) for gTLD Registration Data and I’m happy to say our group has reached a historic milestone. Just last week, the group published its initial report for public comment (https://www.icann.org/public-comments/EPDP-gtld-registration-data-specs-initial-2018-11-21-en). I’d be remiss if I didn’t take this opportunity to thank the entire group for their good faith efforts in issuing this initial report.

    Read full post
  • Nov 8, 2018 - by Elisa Cooper
    Evaluating Corporate Registrars? What You May Be Overlooking.

    Maybe there is something in the air, but it seems like an increasing number of corporate legal departments are starting to reevaluate whether their current registrar is still the best option for them. Many have used the same registrar for over a decade, or have ended up as a client of a legacy provider when their registrar was acquired. Regardless of whether companies are looking for better service, support, expertise or technology, evaluating other options every few years can be a worthwhile endeavor.

    Read full post

  • Matt Serlin

    With a focus on security, service and support, Matt Serlin joined Brandsight in 2017 to lead all domain operations, including client services and domain name provisioning. Matt has over 15 years of direct domain name experience most recently with MarkMonitor where he was instrumental in building the industry’s first dedicated client services team, which has become the de facto standard for all corporate registrars.

    Recent posts from Matt Serlin

    Request a demo.

    See for yourself the power of Brandsight.

    Schedule a demo
    Brandsight web application