Amsterdam refuses to publish Whois records as GDPR row escalates
Two Dutch geo-gTLDs are refusing to provide public access to Whois records in what could be a sign of things to come for the whole industry under new European privacy law.
Both .amsterdam and .frl appear to be automatically applying privacy to registrant data and say they will only provide full Whois access to vetted individuals such as law enforcement officials.
ICANN has evidently slapped a breach notice on both registries, which are now complaining that the Whois provisions in their Registry Agreements are “null and void” under Dutch and European Union law.
FRLregistry and dotAmsterdam, based in the Netherlands, are the registries concerned. They’re basically under the same management and affiliated with the local registrar Mijndomein.
dotAmsterdam operates under the authority of the city government. .frl is an abbreviation of Friesland, a Dutch province.
Both companies’ official registry sites, which are virtually identical, do not offer links to Whois search. Instead, they offer a statement about their Whois privacy policy.
That policy states that Dutch and EU law “forbids that names, addresses, telephone numbers or e-mail addresses of Dutch private persons can be accessed and used freely over the internet by any person or organization”.
It goes on to state that any “private person” that registers a domain will have their private contact information replaced with a “privacy protected” message in Whois.
Legal entities such as companies do not count as “private persons”.
Under the standard ICANN Registry Agreement, all new gTLDs are obliged to provide public Whois access under section 2.5. According to correspondence from the lawyer for both .frl and .amsterdam, published by ICANN, the two registries have been told they are in breach.
It seems the breach notices have not yet escalated to the point at which ICANN publishes them on its web site. At least, they have not been published yet for some reason.
But the registries have lawyered up already, regardless.
A letter from Jetse Sprey of Versteeg Wigman Sprey to ICANN says that the registries are free to ignore section 2.5 of their RAs because it’s not compliant with the Dutch Data Protection Act and, perhaps more significantly, the EU General Data Protection Regulation.
The GDPR is perhaps the most pressing issue for ICANN at the moment.
It’s an EU law due to come into effect in May next year. It has the potential to completely rewrite the rules of Whois access for the entire industry, sidestepping the almost two decades of largely fruitless ICANN community discussions on the topic.
It covers any company that processes private data on EU citizens; breaching it can incur fines of up to €20 million or 4% of revenue, whichever is higher.
One of its key controversies is the idea that citizens should have the right to “consent” to their personal data being processed and that this consent cannot be “bundled” with access to the product or service on offer.
According to Sprey, because the Registry Agreement does not give registrants a way to register a domain without giving their consent to their Whois details being published, it violates the GDPR. Therefore, his clients are allowed to ignore that part of the RA.
These two gTLDs are the first I’m aware of to openly challenge ICANN so directly, but GDPR is a fiercely hot topic in the industry right now.
During a recent webinar, ICANN CEO Goran Marby expressed frustration that GDPR seems to have come about — under the watch of previous CEOs — without any input from the ICANN community, consideration in the EU legislative process of how it would affect Whois, or even any discussion within ICANN’s own Governmental Advisory Committee.
“We are seeing an increasing potential risk that the incoming GDPR regulation will mean a limited WHOIS system,” he said October 4. “We appreciate that for registers and registers, this regulation would impact how you will do your business going forward.”
ICANN has engaged EU legal experts and has reached out to data commissioners in the 28 EU member states for guidance, but Marby pointed out that full clarity on how GDPR affects the domain industry could be years away.
It seems possible there would have to be test cases, which could take five years or more, in affected EU states, he suggested.
ICANN is also engaging with the community in its attempt to figure out what to do about GDPR. One project has seen it attempt to gather Whois use cases from interested parties. Long-running community working groups are also looking at the issue.
But the domain industry has accused ICANN the organization of not doing enough fast enough.
Paul Diaz and Graeme Bunton, chairs of the Registries Stakeholder Group and Registrars Stakeholder Group respectively, have recently escalated the complaints over ICANN’s perceived inaction.
They told Marby in a letter that they need to have a solution in place in the next 60 days in order to give them time to implement it before the May 2018 GDPR deadline.
Complaining that ICANN is moving too slowly, the October 13 letter states:
The simple fact is that the requirements under GDPR and the requirements in our contracts with ICANN to collect, retain, display, and transfer personal data stand in conflict with each other.
…
GDPR presents a clear and present contractual compliance problem that must be resolved, regardless of whether new policy should be developed or existing policy adjusted. We simply cannot afford to wait any longer to start tackling this problem head-on.
For registries and registrars, the lack of clarity and the risk of breach notices are not the only problem. Many registrars make a bunch of cash out of privacy services; that may no longer be as viable a business if privacy for individuals is baked into the rules.
Other interests, such as the Intellectual Property Constituency (in favor of its own members’ continued access to Whois) and non-commercial users (in favor of a fundamental right to privacy) are also complaining that their voices are not being heard clearly enough.
The GDPR issue is likely to be one of the liveliest sources of discussion at ICANN 60, the public meeting that kicks off in Abu Dhabi this weekend.
UPDATE: This post was updated October 25 to add a sentence clarifying that companies are not “private persons”.
GDPR is already in effect. May 2018 is just when sanctions begin.
May 25th is the enforcement/implementation date, so I’m not sure I understand the value of the distinction?
That could make a difference for new implementations done after GDPR was approved, even before its sanctions are in effect. Time to adapt is something that only existing processes can argue.
Meanwhile, the PPSAI IRT drafted a fast track accreditation process for currently contracted parties (registries included) to streamline the accreditation process to become an ICANN accredited Privacy Provider…….
Whois is dead. Bring on RDAP.
RDAP doesn’t solve this issue either. It’s policy here, not the technical implementation.
And the whois is also already violating the current privacy laws in many European countries as these laws are all based upon the EU Privacy Directive dating back to 1995. That is why many European ccTLDs publish limited information in their whois. Given the high sanctions that are possible under the GDPR even these ccTLDs are reviewing their policies to make sure that they will comply in May 2018.
I don’t understand why ICANN and contracted parties, in this case the two Dutch registries, simply don’t follow their own published modus operandi?
https://www.icann.org/resources/pages/whois-privacy-conflicts-procedure-2008-01-17-en
I would assume that this step has in fact been taken and the breach notice is a formality which will not bear any teeth. It is reasonable to suggest that the Dutch may be the “first” to go through this process which should set the precedent for all under GDPR rules.
How can these names be transferred? All admin and registrant email addresses appear to be privacyprotect@sidn.nl now. How does the owner’s email verification work now if privacy cannot be disabled?
Yeah time to kill public whois. IDK why ICANN insists on it.
Three letters: G – A – C
Registrars can use the Registrar WHOIS for transfers, not available to the public.
@Richard
Amsterdam and FRL can’t use the whois privacy conflicts procedure as they until now have not received a formal notice from the Dutch authorities that they violate Dutch law. A rather strange rule under this procedure as it is evident that everyone is obliged to work according to the law at all times and not only after being notified and probably fined by the authorities.