Yesterday I took part in a round-table discussion with the head of ICANN Göran Marby and officials from my country (Bulgaria).
One of the topics that I intended to raise, but was raised by others before me anyway, was the WHOIS protocol in the context of the new European data protection regulation — GDPR.
The WHOIS protocol has been a mess for a long time, and attempts to replace it with a more machine-readable alternative have failed (RDAP sounds good in theory, but try actually getting a query working). And WHOIS is important — it tells you who owns a particular domain.
That is important in many cases, including research and the identification of fake news — fake news sites are often registered by the same owner or group of owners. But fake news is just one thing — it is generally a good idea for users to be able to know who owns a particular domain, in case they are going to buy something from it, or do business with it. It is similar to a commercial register, where data about each company must be public so that any potential partners (and customers) know who they are dealing with. I won’t go into the “anonymizing registrars” discussion, though I acknowledge it’s sometimes a good idea to be able to have an anonymous domain (ICANN has a policy about that).
However, it seems that GDPR (EU general data protection regulation) is causing some confusion regarding the practice of making the WHOIS data public. The Register has a nice overview of the current state of affairs. It links to a memorandum by ICANN that outlines the legal implications.
I am not a legal professional, but as part of my previous role I drafted legislation and had to participate in solving some issues that had both technical and legal aspects. So I will take the liberty to question the conclusions of the ICANN memo.
What it says is something along the lines of “it’s complicated, there’s no good solution that allows us to keep the existing, entirely public WHOIS service”.
And that’s bad. WHOIS must be public, so let’s see what the memo missed.
GDPR is indeed a new regulation that changes some aspects of data protection. The argument boils down to whether it will be legally permitted to collect and publish the personal data of domain owners. And these are two separate questions — are you allowed to collect it, and are you allowed to publish it.
The memo goes through the three options for processing data — “consent” (the domain owner has given their explicit consent for their data to be published), “performance of a contract” (does the contract between the registrar and the domain owner (registrant) entail the collection and publishing of the data?), or “legitimate interest”, which is very broad, so you can never be sure whether a court will rule in your favour (in case a regulator decides to impose a huge fine for infringing the regulation).
What the memo misses is the option (suggested to me by a lawyer) to make the contract have two objectives: “providing a domain name” and “publishing domain owner information”. And since we are in the “contract” hypothesis, this sounds like a good option. ICANN can propose a standard contract (as it has done in the past) to include the publication of data.
Note that “right to be forgotten” and other rights do not apply in the contract case — you cannot ask a bank to “forget” your mortgage, you can’t ask your mobile operator to “forget” your phone number. And you shouldn’t be able to ask a registrar to forget your personal details.
Is a contract enough to make your data public, though? I don’t know, but there’s one important aspect that seems to be missing from the memo and the discussion in general — GDPR is not the only piece of legislation applicable in this case. The ePrivacy directive (and, in the near future, a new regulation replacing it) supplements GDPR. The ePrivacy directive regulates public directories of contacts, and we can view the WHOIS database as a public directory (it is debatable whether domain name registration is a communication service per the directive, though). One may argue that the ePrivacy directive (actually, the respective member states’ laws implementing it) is the applicable legislation, in addition to GDPR, when the question of making the data public is concerned.
GDPR is not about data being public or private, it just regulates how it is handled. Making it public can be legitimate, according to both pieces of legislation.
How it is used after that — whether for direct marketing, or spam, is another matter. In fact, GDPR has Article 14 which specifies what should be done if data is not obtained from the data subject. You can obtain data from public sources and process it. You have obligations of informing the data subject about that, and limitations apply, but that is no longer a duty of the registrar — it’s the duty of whoever collects the publicly available data.
I agree it sounds complicated. And many registrars will be unsure what the right answer is, so, to be on the safe side, they will probably withhold the WHOIS data from the public. Even if ICANN updates the memo and instructs on a standard contract and explores the ePrivacy directive, registrars may still be willing to stay safe, given the huge fines of GDPR.
There are many GDPR-related myths and “we are not allowed to publish WHOIS data” might be yet another one. Regardless of whether it’s true or not, companies will not be willing to risk it.
So the European Commission should act to clear the confusion. Local regulators must be made aware that WHOIS data can be public, so that they don’t try to impose fines on registrars. Whether the Commission can do that via an implementing act, a decision, or a recommendation by the GDPR board, is a procedural matter, but leaving the matter unclear has a damaging potential. Registrars are already starting to not publish WHOIS data.
When the Commission clarifies the issue, whether via the “contract” option or by asserting that a WHOIS database is indeed a legitimate purpose, both registrars and regulators will know that this is not an issue. Otherwise, ICANN and registrars will be cautious, and we’ll hear the answer that I got yesterday — “we have to obey the law” — regardless of whether that is what the law actually says or merely what it is incorrectly perceived to say.