WHO IS Infringing my Work? What the GDPR Means for the Domain Name Database

By now, you’ve probably seen a flood of emails and popups informing you about privacy policy updates. This is the result of the European Union’s (EU) General Data Protection Regulation (GDPR), new rules governing the collection, processing, and retention of individuals’ personal data, which went into effect on May 25th.

Those rules will impact access to the public WHOIS database, which includes data that identifies the owners of domain names and servers. Access to this data is a critical part of many creators’ and copyright owners’ enforcement efforts—it helps identify the owners of sites where infringement is taking place and can also help identify other domains and related sites associated with a domain. But if the data falls within the scope of the GDPR, it’s possible that its public disclosure may no longer be permitted under the GDPR.

ICANN is the non-profit organization that helps coordinate the internet’s Domain Name System. It oversees domain name registrars, the companies that sell and administer most domain names to site operators. As part of that oversight, ICANN requires registrars to make available and publicly accessible an up-to-date database of identity and contact information on domain name registrants—the WHOIS service. The continued availability and transparency of WHOIS data serves a strong public interest; the data is regularly used by members of the law enforcement, journalism, intellectual property, and security communities.

With GDPR now in effect, ICANN faces the issue of how its registrars will comply with both the EU rules and its WHOIS requirements. Beginning late last year, ICANN began the process of developing a compliance model. The Copyright Alliance has been following this process closely and wrote to ICANN in January in support of comments by the Intellectual Property Constituency as it developed an interim compliance model.

On May 17, the ICANN board approved a temporary specification for gTLD registration data. Under the temporary specification, registrars will still be required to collect registration data and technical information in connection with a domain name registration. However, access to this data will be restricted to layered/tiered access, where only users with a legitimate purpose can request access to non-public data through the registrars. For now, ICANN is leaving it up to registrars to determine which requests are permissible under the law. And alternatively, unless domain name registrants opt-in to make their data public, users will only be able to contact them through an anonymized email or web form provided by the registrar.

Unfortunately, the board’s temporary specification falls short of the requests and advice provided by the intellectual property community and the Governmental Advisory Committee, and it goes beyond what the GDPR requires. For example, the temporary specification would not make the domain name registrant’s email address public, it does not distinguish between legal and natural persons (the GDPR only applies to individuals, not organizations), and it does not distinguish between registrants living in or out of European countries where GDPR applies. In addition, the temporary specification creates a good deal of uncertainty regarding access to non-public data for legitimate purposes.

Summary of Temporary Specification

Under the temporary specification, the following data will no longer be available from public WHOIS:

* Domain Name Registrant and technical/admin contact name (registrant organization will remain available)

* Registrant address (State/Province and country will remain available)

* Registrant and technical/admin contact email address

* Registrant and technical/admin fax and/or phone numbers

To enable WHOIS users to contact domain name registrants and technical/admin contacts:

* Registries must direct users to the registrar for a method to contact the registrant.

* Registrars must create an anonymized email or web form to enable users to contact the registrant and technical/admin contacts.

Registrars and registries are required to provide reasonable access to non-public data to third parties with legitimate interest, except when those interest are overridden by the interests or fundamental rights and freedoms of data subjects.

Although the GDPR only applies to the personal data of individuals within the EU, ICANN is permitting registrars to apply the temporary specification globally where it is commercially reasonable to do so.

Registrars and registries will begin implementing the temporary specification over the next several weeks. The Copyright Alliance will continue to monitor developments in this space on behalf of creators and copyright owners.

Photo Credit: Tashatuvango/iStock/thinkstock