WHOIS and RGPD: the impossible reconciliation?

Vanessa Bouchara

Nobody missed it: the entry into force of the General Data Protection Regulation (GDPR) has changed the way personal data is processed.

Domain name registrars have not been spared: they too must comply with the GDPR, notably by redacting personal data from their WHOIS directories.

The anonymization of WHOIS directories raises as yet unresolved tensions between privacy advocates on one side and intellectual property rights holders and law enforcement officials on the other.

It therefore seems legitimate to ask whether privacy and respect for intellectual property rights, in other words WHOIS and the GDPR, could not be reconciled.

“The Internet has become less secure due to an overly conservative interpretation of the GDPR by the ICANN community” (Gregory Mounier, Head of Internet Awareness and Governance at Europol).

The GDPR in brief

The GDPR calls for transparency and accountability from the actors involved in personal data processing, in order to safeguard the privacy of individuals in the EU.

To that end, the GDPR comes with penalties that can be very heavy in case of misconduct, as the British supervisory authority (the ICO) reminded everyone in 2019 when it publicly announced its intention to fine British Airways £183.39M.

WHOIS in brief

WHOIS is a public lookup service whose origins go back to the ARPANET of the 1970s (Evans, Claire L. (2018), p. 116, Broad Band: The Untold Story of the Women Who Made the Internet, New York: Portfolio/Penguin); today the policy governing it for generic top-level domains is set by the Internet Corporation for Assigned Names and Numbers (ICANN), which was itself only created in 1998. The directory lists the names and contact details of domain name holders (registrants), the administrative and technical contacts for those domain names, and the registrar concerned.

As a result, WHOIS is a valuable resource in the event of a dispute over a domain name or website, but also in the event of a domain name hijacking attempt.

Until recently, domain name registrars had to accept ICANN's policy of publishing registrant information in WHOIS in order to be accredited to sell domain name registrations.

ICANN's rapid appropriation of the GDPR

Following a public consultation with registrars, two ICANN Board resolutions were published on May 17, 2018, eight days before the GDPR came into effect, adopting a “Temporary Specification for gTLD Registration Data” to anticipate the GDPR's application.

This Specification communicates ICANN's position on the GDPR to registrars and sets out the rules to be followed, in particular for the strictest registrars, some of which had simply decided to delete their WHOIS data and stop collecting personal data altogether (see https://www.icann.org/en/system/files/correspondence/sprey-to-Marby-9oct17-en.pdf).

The Temporary Specification requires registrars established within the European Economic Area (EEA), offering registration services to registrants located in the EEA, or using processors established within the EEA, to redact personal data about domain name holders from the public WHOIS, unless those individuals have consented to the publication of their data.

However, ICANN did not change the requirement for registrars to collect this personal data; only its public disclosure in WHOIS is affected by the redaction requirement.
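To make the effect of that redaction requirement concrete, here is an added example (it is not code from the article, from ICANN or from any registrar) that parses two constructed WHOIS responses for the same domain, one in the pre-2018 clear form and one redacted, and reports which contact fields are still disclosed. The domain, the contacts, the “REDACTED FOR PRIVACY” placeholder and the “Please query the RDDS service…” wording are all assumptions made for the example: registrars choose their own phrasing, so the REDACTION_MARKERS tuple must be tuned to the registrars one actually queries.

```python
"""Parse a WHOIS response and report which contact fields are redacted.

Added example, not from the article. The two responses below are
constructed in the "Key: value" layout most gTLD registrars use; the
redaction placeholders are assumed wording and vary per registrar.
"""
import re

# Constructed: a record as it might have looked before the Temporary
# Specification, with registrant, admin and tech contacts in the clear.
WHOIS_CLEAR = """\
Domain Name: example-brand-store.com
Registrar: Example Registrar, Inc.
Registrant Name: Jane Doe
Registrant Organization: Example Brand Store
Registrant Street: 1 Sample Street
Registrant Email: jane.doe@example.com
Admin Name: Jane Doe
Admin Email: jane.doe@example.com
Tech Name: Hosting Ops
Tech Email: ops@example.net
"""

# Constructed: the same domain after redaction. Only the registrant's
# organization survives; the email is replaced by a pointer to the registrar.
WHOIS_REDACTED = """\
Domain Name: example-brand-store.com
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Example Brand Store
Registrant Street: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Admin Name: REDACTED FOR PRIVACY
Admin Email: REDACTED FOR PRIVACY
Tech Name: REDACTED FOR PRIVACY
Tech Email: REDACTED FOR PRIVACY
"""

# Assumed placeholder wordings; extend for the registrars you actually query.
REDACTION_MARKERS = (
    "redacted for privacy",
    "data protected",
    "please query the rdds service",
)
CONTACT_FIELDS = ("Name", "Organization", "Street", "Email")
ROLES = ("Registrant", "Admin", "Tech")

# Key is everything up to the first colon; value is the rest of the line.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /]*?):\s*(.*?)\s*$")


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; a repeated key keeps its first value."""
    record = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            record.setdefault(m.group(1).strip(), m.group(2))
    return record


def is_redacted(value):
    """Empty values and known placeholder wordings count as redacted."""
    v = value.strip().lower()
    return v == "" or any(marker in v for marker in REDACTION_MARKERS)


def contact_visibility(record):
    """Per role, list which contact fields are disclosed and which are redacted."""
    report = {}
    for role in ROLES:
        disclosed, redacted = [], []
        for field in CONTACT_FIELDS:
            key = f"{role} {field}"
            if key not in record:
                continue  # field absent from this registrar's output
            (redacted if is_redacted(record[key]) else disclosed).append(field)
        report[role] = {"disclosed": disclosed, "redacted": redacted}
    return report


def identifies_registrant(record):
    """True when a reader can still attribute the domain to a person or entity."""
    r = contact_visibility(record)["Registrant"]
    return "Name" in r["disclosed"] or "Organization" in r["disclosed"]


if __name__ == "__main__":
    for label, raw in (("clear", WHOIS_CLEAR), ("redacted", WHOIS_REDACTED)):
        rec = parse_whois(raw)
        print(label, contact_visibility(rec), identifies_registrant(rec))
```

Run against the redacted sample, the registrant's name, street and email and every admin and tech field come back as redacted, while the organization field is still disclosed, which is why identifies_registrant() still returns True for a domain held by a company and False for one held by an individual who entered no organization.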

ICANN vs EPAG Domainservices GmbH

On the very day the GDPR came into force, the registrar EPAG Domainservices GmbH decided to apply it even more strictly than ICANN's Temporary Specification does, by refusing to collect the administrative and technical contact data for domain names at all, and therefore to make it available as the Temporary Specification requires.

This position is a clear breach of ICANN's policy as stated in the Temporary Specification, which is why ICANN decided to seek urgent injunctive relief against the registrar.

The action was also brought in order to obtain a judicial interpretation of the GDPR's impact on WHOIS and thus clarify ICANN's policy.

The German court (Bonn Regional Court, No. 10 O 171/18, action filed May 25, 2018) heard the case but dismissed ICANN's arguments and refused to order the registrar to process the personal data of administrative and technical contacts, on the grounds that ICANN had not sufficiently demonstrated that processing such data was necessary, and therefore that it complied with the data minimization principle imposed by the GDPR.

The court's reasoning did not suit ICANN, which appealed and asked the German court to refer a question to the Court of Justice of the European Union (CJEU) for a preliminary ruling on the GDPR's scope of application to WHOIS registries.

The German appellate court (Cologne Higher Regional Court, August 1, 2018, No. 19 W 32/18), however, rejected both the appeal and the request for a preliminary reference, considering that the interpretation of the GDPR “was not important for this decision.”

This short legal saga is a double failure for ICANN, since:

1) Registrars may now lawfully stop processing personal data relating to the technical and administrative contacts of domain names;

2) The CJEU will not get to rule on how the GDPR should be interpreted when applied to WHOIS.

An interpretation of the GDPR by the EDPB

Following the German Regional Court's ruling, ICANN asked the European Data Protection Board (EDPB) for assistance and an interpretation. By letter of July 5, 2018, the EDPB sided with the German judge, considering that the provision of personal data for technical and administrative contacts should be optional and based on the consent of the individuals concerned.

In the same letter, the EDPB also confirmed that the personal data of the domain name holder should not be disclosed publicly, but only to those with a legitimate interest in seeing it.

While public authorities can still access the personal data of domain name holders after making a request to the registrar, access has become particularly complicated for others whose interest in the data is not yet recognized, such as intellectual property rights holders suffering from acts of counterfeiting.

ICANN has understood this difficulty and has for some time been trying to adopt a policy of tiered access to WHOIS personal data, in order to reconcile the interests of the players involved with the GDPR.

Towards tiered access to WHOIS data

Provided for in the Temporary Specification, tiered access would allow ICANN to bring WHOIS personal data into compliance with the GDPR while preserving a minimum of practical usefulness.

This would make it possible to disclose the personal data of domain name holders only to actors with a legitimate interest in consulting it, and also to control that disclosure by logging each access.

While public authorities have little difficulty accessing this data on request, private actors will have to demonstrate their interest in it.

The system ICANN has in mind seems very close to the “restricted distribution” (diffusion restreinte) of domain name holders' personal data that the French .fr registry, AFNIC, has operated for several years.

That system redacts personal data from the public WHOIS, but gives any person who can justify a particular interest the possibility of consulting it.

What if the law required the disclosure of WHOIS data?

As mentioned in the introduction, the implementation of the GDPR has changed the practices of many actors.

However, the collection and disclosure of personal data in trademark registers by intellectual property offices has not been affected by the GDPR, even though those offices process a great deal of personal data.

The reason is simply that these processing operations are imposed by legal provisions, and processing required by law rests on its own legal basis under the GDPR, so that many of its otherwise binding rules (consent in particular) do not apply.

It would therefore be possible to imagine a European law or regulation requiring the processing of this personal data, which would directly answer the question of reconciling WHOIS and the GDPR, since the latter's constraints would largely be set aside.

What if WHOIS were deleted?

To answer this question, it should be remembered that WHOIS was originally intended to identify domain name holders.

However, the personal data entered in WHOIS is not subject to any meaningful verification of its accuracy.

As a result, a large number of WHOIS records are filled with false or stolen identity data, allowing counterfeiters to hide with ease and complicating the work of intellectual property rights holders and law enforcement.

This is not a new finding: the U.S. administration reached a similar conclusion in 2002.

To try to remedy this, ICANN imposes a procedure for reporting WHOIS records with incomplete or inaccurate data to registrars, which may result in the domain name being deleted if the holder cannot be reached.

However, this verification is neither automatic nor carried out before the domain name is registered.

Systematic verification of WHOIS data prior to registration would necessarily reduce the number of illegal websites, but also the number of domain name registrations with registrars, and therefore their turnover.

What's the point of trying to access WHOIS data if it is not reliable?

It could be argued that, without verification of WHOIS data prior to registration, access to that data is only a secondary issue, since the directory loses all its value.

A simple observation can be made: deleting WHOIS, whose survival in its current state is aberrant, would reconcile it with the GDPR.

Furthermore, the very survival of the domain name system (DNS) as we know it today may be challenged by technological developments.

Indeed, the massive use of search engines, and the automatic ranking of results according to their presumed relevance, seriously calls into question the usefulness of domain names.

They no longer allow Internet users to judge the identity of a website for themselves, since search engines now do it for them.

While Google is working on hiding parts of URLs in its browser's address bar, deleting domain names could be the next step.

Thus, in addition to deleting the current WHOIS, it could be worth starting to think about setting up a register listing the verified personal data of website owners, in compliance with GDPR obligations.