Open Whois must die, Europe privacy chiefs tell ICANN
Unfettered public access to full Whois records is illegal and has to got to go, an influential European Union advisory body has told ICANN.
The Article 29 Working Party on Data Protection, WP29, wrote to ICANN yesterday to say that “that the original purposes of the WHOIS directories can be achieved via layered access” and that the current system “does not appear to meet the criteria” of EU law.
WP29 is made up of representatives of the data protection agencies in each EU member state. It’s named after Article 29 of the EU’s 1995 Data Protection Directive.
This directive is parent legislation of the incoming General Data Protection Regulation, which from May 2018 will see companies fined potentially millions of euros if they fail to protect the privacy of EU citizens’ data.
But WP29 said that there are questions about the legality of full public Whois under even the 1995 directive, claiming to have been warning ICANN about this since 2003:
WP29 wishes to stress that the unlimited publication of personal data of individual domain name holders raises serious concerns regarding the lawfulness of such practice under the current European Data Protection directive (95/46/EC), especially regarding the necessity to have a legitimate purpose and a legal ground for such processing.
Under the directive and GDPR, companies are not allowed to make consent to the publication of private data a precondition of a service, which is currently the case with domain registration, according to WP29.
Registrars cannot even claim the publication is contractually mandated, because registrants are not party to the Registrar Accreditation Agreement, the letter (pdf) says.
WP29 adds that law enforcement should still be able to get access to Whois data, but that a “layered” access control approach should be used to prevent full disclosure to anyone with a web browser.
ICANN recently put a freeze on its contract compliance activities surrounding Whois, asking registries and registrars to supply the organization with the framework and legal advice they’re using to become compliant with GDPR.
Registries and registrars are naturally impatient — after a GDPR-compatible workaround is agreed upon, they’ll still need to invest time and resources into actually implementing it.
But ICANN recently told contracted parties that it hopes to lay out a path forward before school breaks up for Christmas December 22.
If you find this post or this blog useful or interestjng, please support Domain Incite, the independent source of news, analysis and opinion for the domain name industry and ICANN community.
For those interested in the topic, eco Internet Industry Association has drafted the GDPR Domain Industry Playbook analyzing the impact of GDPR on personal data in the gTLD world. That covers not only Whois, but also what data can be collected in the first place and what the data flows between Resellers (if any), Registrars, Registries, Escrow Agents, the EBERO and ICANN could look like. We will hold a public consultation and present our findings on Monday Dec. 11, 2017 in Brussels. Details can be found here https://web.eco.de/event/gdpr-domain-industry-playbook-public-consultation/
Remote participation will be possible.