How Whois could survive new EU privacy law
Reports of the death of Whois may have been greatly exaggerated.
Lawyers for ICANN reckon the current public system “could continue to exist in some form” after new European Union privacy laws kick in next May, according to advice published (hurriedly, judging by the typos towards the end) shortly before Christmas.
Hamilton, the Swedish law firm hired by ICANN to probe the impact of the General Data Protection Regulation, seems to be mellowing on its recommendation that Whois access be permanently “layered” according to who wants to access registration records.
Now, it’s saying that layered Whois access could merely be a “temporary solution” to protect the industry from fines and litigation until ICANN negotiates a permanent peace treaty with EU privacy regulators that would have less impact on current Whois users.
This opinion came in the third of three memorandums from Hamilton, published by ICANN last week. You can read it here (pdf).
With the first two memos strongly hinting that layered access would be the most appropriate way forward, the third points out the huge, possibly insurmountable burden this would place on registrars, registries, law enforcement agencies, the courts, IP lawyers, and others.
It instead suggests that layered access be temporary, with ICANN taking the lead in arranging a longer-term understanding with the EU.
The latest Hamilton memo seems to have taken on board comments from registries and registrars, intellectual property lawyers and domain investors, none of which are particularly enthusiastic about GDPR and the lack of clarity surrounding its impacts.
GDPR is an EU-wide law that gives much stronger protection to the personal data of private citizens.
Companies that process such data are kept on a much tighter leash and could face millions of euros of fines if they use the data for purposes their customers have not consented to or without a good enough reason.
It’s not a specifically intended to regulate Whois — indeed, its conflict with longstanding practice and ICANN rules seems to have been an afterthought — but Whois is the place the domain industry is most likely to find itself breaking the law.
It seems to be generally agreed that the current system of open, public access to all fields in all Whois records in all gTLDs would not be compliant with GDPR without some significant changes.
It also seems to be generally agreed that the data can be hugely useful for purposes such as police investigations, trademark enforcement and the domain secondary market.
The idea that layered access — where different sets of folks get access to different sets of data based on their legitimate needs — might be a solution has therefore gained some support.
Hamilton notes:
Given the limited time remaining until the GDPR enters into effect, we believe that the best chance of continuing to provide the Whois services and still be compliant with the GDPR will be to implement an interim solution based on an layered access model that would ensure continued processing of Whois data for some limited purposes.
The problem with this solution, as Hamilton now notes, is that it could be hugely impractical.
such a model would require the registrars to perform an assessment of interests in accordance with Article 6.1(f) GDPR on an individual case-by-case basis each time a request for access is made. This would put a significant organizational and administrative pressure on the registrars and also require them to obtain and maintain the competence required to make such assessments in order to deliver the requested data in a reasonably timely manner. In our opinion, public access to (limited) Whois data would therefore be of preference and necessary to fulfill the above purposes in a practical and efficient way.
And, Hamilton says, a scenario in which all cops had access to all Whois data would not necessarily be GDPR-compliant. Police may have to right to access the data, but they’d have to request it on a case-by-case basis.
Registrars — or even the courts — would have to make the decision as to whether each request was legit.
It would get even more complex for registrars when the Whois requester was an IP lawyer, as they’d have to check whether it was appropriate to disclose the personal data to both the lawyer and her client, the memo says.
For registrars, the largely nominal cost of providing a Whois service today would suddenly rocket as each Whois lookup would require human intervention.
Having introduced the concept of layered access and then shot it to pieces, Hamilton finally recommends that ICANN start talks with data protection authorities in the EU in order to find a solution where Whois services can continue to be provided in a form available to the general public in the future”.
ICANN should start an “informal dialogue” with the Article 29 Working Party, the EU privacy watchdog made up of data protection authorities from each member state, and initiate formal consultations with one or more of these DPAs individually, the memo recommends.
The WP29 could prove a tough chat, given that the group has a long history of calling for layered access, and its views, even if changed, would not be binding anyway.
So Hamilton says ICANN, in conjunction with its registries and registrars, should carry out a formal data protection impact assessment (DPIA) and submit it to a relevant DPA in a EU country where it has a corporate presence, such as Belgium.
That way, at least ICANN has a chance of retaining Whois in a vaguely recognizable form while protecting the industry from crippling extra costs.
In short, the industry is still going to have to make some changes to Whois in the first half of 2018, some of which may make Whois access troublesome for many current users, but those changes may not last forever.
ICANN CEO Goran Marby said in a blog post:
We’ve made it a high priority to find a path forward to ensure compliance with the GDPR while maintaining WHOIS to the greatest extent possible. Now, it is time to identify potential models that address both GDPR and ICANN compliance obligations.
We’ll need to move quickly, while taking measured steps to develop proposed compliance models. Based on the analysis from Hamilton, it appears likely that we will need to incorporate the advice about using a layered access model as a way forward.
He wants the industry to submit compliance models by January 10 for publication January 15, with ICANN hoping to “settle on a compliance model by the end of January”.
If you find this post or this blog useful or interestjng, please support Domain Incite, the independent source of news, analysis and opinion for the domain name industry and ICANN community.
A more accurate headline would be: WHOIS debate is starting to look like the Brexit negotiations.
Here in the Netherlands the whois only shows an email address for private people, and a name and email for businesses.
Only registrars, lawyers and police can see all information under normal circumstances.
And for complaints you 1. contact the writer of the content 2. the person who maintains the website 3. the domain owner via the whois 4. the registrar 5. the registry. In that order. Which gives enough oppertunities to file a complaint or take legal action.
This system works just fine. The only reason why Icann needs to show everything is because it doesnt do anything to take complaints about spam and universally illegal content seriously. So they just throw everyones information on the street and hope the wild west regulates itself.
To be clear, Goran was asking for comments on layering whois by Jan 10. Complete compliance models would have to consider far more than just layered whois and he appears to suggest that those should still be supplied via the original process outlined here:https://www.icann.org/resources/pages/gdpr-proposed-models-guidelines-2017-12-08-en
It is my impression that layered whois is the one detail nearly everyone assumes will be part of the solution.