By Sophie Hey, Policy Advisor at Valideus
Since GDPR came into force and Whois “went dark”, the question of what Whois would look like going forward has been asked. This question was partially answered in May this year when the ICANN Board adopted 27 of the 29 recommendations from Phase 1 of the Expedited Policy Development Process for gTLD Registration Data (EPDP). The policy recommendations set out how registration data should be collected and processed by registries and registrars. The ongoing Phase 2 of the EPDP builds on the Phase 1 recommendations and is focused on developing policy recommendations for the circumstances in which registration data can be disclosed to third parties.
In the background of this policy work is the transition from the Whois protocol to the Registration Data Access Protocol (RDAP). It appears that ICANN is trying to move away from the Whois terminology, by renaming their tool for searching domain name registration data to “Lookup”. This makes sense, since the Whois protocol will eventually be retired. In Phase 2 the language surrounding domain name registration data has shifted: access to data is now disclosure of data; the unified access model (UAM) is now a system for standardized access to non-public registration data (SSAD). In essence, the language reflects a changing approach to the management of registration data.
As the Phase 2 EPDP team prepares for a face-to-face meeting in Los Angeles in early September, a “Draft Zero” report has been prepared to form a baseline for discussions. While Draft Zero does not reflect agreed-upon positions in the EPDP team, it does reflect views that, to date, appear to be broadly shared by the team.
Draft Zero does what IP practitioners and others relying on registrant data have been crying out for since GDPR first came into force: a list of requirements in one place that registries and registrars need from a requestor in order to properly consider the request for data. This includes the requestor identifying themselves, a statement confirming they will not misuse the data requested (this is anticipated to be streamlined into an acceptable use policy), identification of the legitimate interest or interests for requesting the data, and the user group they belong to, i.e. the reason they have legitimate interests.
The current text on responses to requests leaves open the question of who will be responding. The key takeaway from this section is that the disclosing party is likely to be required to log data requests. The purpose of this appears to be to facilitate the monitoring of requests to ensure that there is no abuse of the system from high-volume automated queries and requests that are not legitimate.
As it is currently set out in Draft Zero, where data disclosures are made, the disclosing party will not be permitted to disclose any non-public registration data that was not specifically requested. However, it is expected that they will provide the public registration data alongside the non-public registration data. Further, the disclosing party will only be able to disclose current registration data, not historical registration data.
With discussions on the timeliness and predictability of responses, it is not surprising that the question of automated responses has been raised. Registries and registrars are understandably nervous about the liability implications of adopting an automated process for managing registration data requests. The EPDP’s Policy Principle 7 notes these concerns by stating that automated processing of SSAD requests is desirable, to the extent that it has been established that it will not negatively affect the rights of the data subject. In other words, any automated responses must be compliant with GDPR and other data privacy laws. At this stage the EPDP Phase 2 team could recommend that automating responses to registration data requests is an option that registries and registrars may adopt if they choose to do so. It is unlikely that the EPDP Phase 2 team will mandate or prevent automation completely.
An initial report on Phase 2 is likely to be available for public comment in early December 2019.
Download the paper to see how brand enforcement is still possible under GDPR