The impact of GDPR on ICANN, DNS and WHOIS

Posted on 26 Aug 2018, by Dr. Mark Gatt

It appeared to be a near-impossible task for ICANN (the Internet Corporation for Assigned Names and Numbers) to come up with the framework needed to make DNS (Domain Name System) and WHOIS (a master database showing each website and domain name owner) compliant with the GDPR requirements in time for the 25th May deadline.

Although ICANN did publish the “Temporary Specification for gTLD Registration Data”, it remains to be seen whether this framework will be sufficient to withstand the challenges posed by this new regulation, and it will most likely not pass through the working party set up by ICANN.

Initial Steps Taken by ICANN

At first, ICANN sought a grace period of 1 year in order to adopt and implement an effective and compliant framework of registration; however, no such grace period was granted, and an alternative approach had to be taken. ICANN argued that unless a moratorium was granted, it would be virtually impossible to maintain the WHOIS system.

There was fear that this would lead to a fragmented system, which would defeat the whole purpose and ethos of the WHOIS framework: having a centralised system of registration which provides transparency as to who owns which domain name. Non-compliance with the requirements imposed by the new regulation may result in domain registration companies being liable to fines of up to €20 million or 4% of their annual global turnover, whichever is higher.

Prior to the GDPR coming into force, many domain name registration companies charged a premium price for registrants to hide their personal details when registering. However, due to the requirements imposed by the GDPR, such a service will become redundant, which will be a huge blow to an important revenue stream for domain name registration companies.

While data privacy is indeed important and not to be taken lightly, it must be weighed against a greater need for transparency and the proper functioning of a system which goes beyond being simply a dataset or database. WHOIS is essential for security researchers, investigators, site administrators and the layman on the street. Crippling such a system, although with noble intentions in mind, could have serious repercussions going forward, which will be felt in various fields such as domain name dispute resolution, issues relating to intellectual property infringement, cybercrime detection and prevention, and other issues of a civil and criminal nature. It is important to recognise the public service nature of WHOIS and the importance of maintaining such a system.

Temporary measures taken by ICANN

The temporary model proposed by ICANN indicates that it will provide third parties with reasonable access to data, provided they show a legitimate interest. However, ICANN has failed to highlight the criteria required to satisfy the test of legitimate interest and what data shall be provided in accordance with the level of legitimate interest proven.

We must strive to find a balance between the right of privacy of individuals and the right of transparency in the interest of society in general. WHOIS cannot end up protecting the identity of cybercriminals who register hundreds of domain names, either to later sell to their rightful owners or to be used in calculated cyber-attacks, or to hamper investigations and therefore the proper course of justice.

The European Data Protection Board (EDPB) has recently provided ICANN with a number of guidelines which can be useful with regard to access to non-public registration data. It remains to be seen how these guidelines will be implemented, if at all, and what their overall impact on the WHOIS system in general will be.

For any further information, please contact Dr Mark Gatt, Associate of Michael Kyprianou (Malta) Ltd, by email at mark@kyprianou.com.mt or by phone at +356 20161010.