Wednesday 26th September 2018

Future of WHOIS data still unclear as ICANN announces temporary solution to GDPR

ICANN has announced restrictions on what personal data can be made available in the public WHOIS. It has also expressed concerns that the WHOIS could become "fragmented" owing to the GDPR.

by Jason Smith on 24th May 2018

ICANN, the organization tasked with managing the internet’s domain name space, has announced a “temporary specification” to bring the WHOIS into compliance with the EU’s new regulation.

ICANN’s new rules determine what information should and should not be made available through the WHOIS, a public database of domain registrants.

Over the past year, ICANN has struggled to align the data demands of the WHOIS with the regulatory demands of the EU’s GDPR. An announcement from ICANN on 12th April 2018 stated, “Unless there is a moratorium, we may no longer be able to…maintain WHOIS”.

The organization has previously asked the EU to afford it an additional year to deal with the privacy implications of the WHOIS, which the EU rejected.

Its new rules are an attempt to prevent what it refers to as the “fragmentation” of the WHOIS. In particular, the specification calls for Registrant, Administrative and Contact information to be retained and for “most personal data [to be subject]…to layered/tiered access”.

It also states that users with a “legitimate and proportionate purpose for accessing…non-public personal data” will be able to request access to the data through registrars and registries, and that users will be able to contact domain owners through “anonymized email or web forms”.

As GDPR comes into force on 25th May, ICANN has created a situation where its contracted parties have very little time to implement its rules.

The new policy is also supposed to apply to all domain registrations irrespective of where the owner or user is based. However, according to a report by Domain Wire, GoDaddy, the world’s largest domain registrar, will only redact personal data on EU residents.

In other words, its domain privacy service — which can be a very lucrative revenue stream for domain registrars — will no longer be offered to EU registrants but it will be offered to all other registrants.

Meanwhile, according to a report from Circle ID, Tucows, the world’s second largest domain registrar, will allow third parties to access its non-public WHOIS data on registrants. However, it’s not yet clear how this will work in practice.

A report on Domain Wire also states that Google, which is a registry and registrar, has started placing significant limitations on the data available on its registrants. The only data it currently provides related to the registrant is his or her state and country.