
ICANN Publishes Proposed Interim WHOIS Model for GDPR Compliance

8 March 2018

As you may be aware, the EU’s General Data Protection Regulation (GDPR) and its implications for the future of gTLD WHOIS have dominated discussion in the ICANN arena for the past 12 months. The main issues concern the conflict between the GDPR’s controls on the collection, publication and distribution of personally identifiable information (either of persons in the European Economic Area (EEA), or by EEA-based registries and registrars) and ICANN’s requirement for gTLD registries and registrars (“Contracted Parties”) to collect and publish WHOIS details, including the name and contact details of Registrants as well as Administrative, Technical and Billing contacts for each gTLD domain name registration.

With enforcement of the new regulation coming into effect on 25 May 2018, and the incredibly harsh penalties associated with violations of the GDPR, the Contracted Parties are being forced to risk breaching the requirements of their respective contracts with ICANN in order to comply with the new regulations. Consequently, there has been a great deal of pressure on ICANN to resolve this conflict as soon as possible so that Contracted Parties can comply with the GDPR without running afoul of their contractual WHOIS obligations to ICANN.

After considerable community discussion – including expert legal advice, guidance from EU data protection authorities, and an opportunity for the community to submit suggested GDPR-compliant WHOIS models for consideration – ICANN published their proposed interim WHOIS model for GDPR compliance last week. It is being described as an interim model in anticipation of further policy work to establish a more sustainable alternative model driven by the consensus policy process. However, any such policy work will likely take some time.

ICANN’s interim model, which they are calling the “calzone model” (a light-hearted reference to a previous pizza analogy used by ICANN’s CEO Goran Marby during a recent webinar), proposes that Contracted Parties be required to continue to collect all Registrant, Administrative, Technical and Billing Contact information. However, they will be permitted to mask many of the associated data fields, which might contain personal information, in the public WHOIS for gTLDs[1]. To accompany this, the model proposes tiered/layered access to the rest of the WHOIS information, whereby accredited users would be permitted access to the full (non-masked) set of WHOIS details.

Unless a registrant opts in (provides consent) to have their personal details published in the WHOIS[2], a public WHOIS lookup by a non-accredited user would mask certain details which are visible in the public WHOIS today, namely:

  • Registrant ID, name (if an individual), street, city, post code, phone, fax, and email;
  • Admin contact full details;
  • Technical contact full details.

With regard to the email addresses for the Registrant, Admin, and Technical contacts, although they can be masked, the WHOIS record must include a method for a user to contact the registrant. This means that although users cannot identify the registrant email addresses (even if an anonymised address such as “admin@” is being used), there is a means for communicating with them. The method to implement this is still an open question.

Although the GDPR’s restrictions around processing and publication of personal data apply only to natural persons, the calzone model permits Contracted Parties not to distinguish between legal and natural persons, but rather to mask the data for all WHOIS records. The rationale for this is that the registration data for legal persons may include personal data of natural persons. Also, it may be difficult in practice for Contracted Parties to check millions of registration records and distinguish between the registrations of legal and natural persons.

Similarly, the model permits Contracted Parties to apply the same approach across records globally and not just to the data of registrants within the EEA. The justification for this allowance is that it could be practically difficult to only apply the model to data collection linked to the EEA since some records which, on their face, appear to be non-European may in fact relate to European nationals; it might put Contracted Parties not in the EEA at a competitive disadvantage; and other jurisdictions have similar rules to the GDPR so Contracted Parties need the flexibility to apply the model on a wider basis.

Although there is no formal public comment period since there has been a great deal of community engagement throughout the development of the ICANN interim model, ICANN is requesting further feedback from the community on this model either in advance of or during the ICANN 61 meeting in San Juan, which runs from 10 to 15 March. In particular, there will be a cross-community session from 10:30 – 12:00 local time (14.30 – 16.00 UTC) on Mon, 12 March. The schedule includes links to join as a remote participant, and the session will also be recorded and transcribed for those not able to join in real time. Primarily, ICANN will want the open questions to be addressed, as it seems unlikely that significant reworkings will be made to the model now.

Why is this important for brand owners?

  • It will no longer be possible to view full thick WHOIS information for gTLDs via the public WHOIS. Specifically, email, address, and city information for each of the contacts will not generally be available on a public lookup unless each contact has consented to their personal data being published.
  • A brand owner, or their legal representative, would need to be accredited to view full thick WHOIS information.
  • It is not yet clear who will qualify for accreditation, or how the accreditation process will work, although “IP owners” are one of the groups envisioned for accreditation.
  • The Governmental Advisory Committee (GAC) at ICANN are being tasked with leading the work on who would be authorised for accreditation and for developing a “Code of Conduct” that would bind requestors of information as to what they can do with the data. Therefore, you may wish to provide input to your national GAC representative. We can assist you in identifying and making contact with your GAC representative if you do not know them.
  • It seems highly unlikely that a comprehensive accreditation procedure can be designed and implemented before the overall model is adopted. Therefore, some kind of “interim interim” method for accrediting users would be required. Some in the community have suggested users could self-certify, but many of the Contracted Parties, some European governments and ICANN seem against such a solution. They question whether a self-certification model complies with the stringent requirements of the GDPR. This particular question looks set to be one of the main discussion points in San Juan.
  • In addition, it is likely that bulk access to WHOIS information may no longer be available even to accredited parties and that all access to the WHOIS database will be on a query-by-query basis. This will make it much more difficult for brand owners to do searches with third party providers (such as Domain Tools) of WHOIS information for infringement, or for patterns of abusive or bad-faith registrations (a tactic used frequently when deciding whether or not to bring a UDRP or URS action).
  • This outcome will be viewed by many brand owners as unsatisfactory, since ready access to all of the WHOIS data and the ability to cross-refer across records in order to build up patterns of infringing activity is extremely important for timely enforcement. These brand owner concerns have been well-aired during the development of the interim model, but there needs to be a legal basis for making this personal data available. Demonstrating the legal basis for allowing brand owner access to the data via the accreditation process (and prior to its finalisation) will be key.

[1] This model doesn’t apply to ccTLDs, which are not subject to ICANN’s contractual oversight. We are likely to see a range of implementations by ccTLD operators, and some (likely non-European) ccTLDs may not take any steps to comply with the GDPR at all.

[2] Under the Calzone model, registrars must provide a mechanism for registrants to opt-in to publication of their full contact details in the public WHOIS.