Disclosing WHOIS data and GDPR
The Whois is a directory that includes both technical and contact information about domain names. It’s the responsibility of both domain registries (who manage particular top-level domains, like Verisign who is the registry for .com) and domain registrars (like Gandi).
Querying this directory lets you find information about the various contacts assigned to a domain name, especially the owner (sometimes called “holder”), an “administrative” contact, a “technical” contact, and a billing contact. Together, these four contacts comprise the Domain Contacts.
Historically the information contained in the Whois, which includes names, email addresses, phone numbers, and physical addresses, was all publicly available, but owners of domain names could often subscribe to additional services to protect their identity in the Whois. With the implementation of the EU’s General Data Protection Regulation (GDPR), these identity protection services have become nearly obsolete.
The different types of data published in the Whois at the time GDPR was implemented
The data that registrars and registries published by default in the Whois varied based on two broad categories of top-level domain:
- Country code top-level domains (ccTLDs) have their own rules about what information needs to be published;
- Generic top-level domains (gTLDs), which are managed by ICANN, had to publish the name, address, phone number, and email address of each domain contact.
Here, we’ll be interested in the impact that regulatory changes have had on gTLDs.
In essence, the enforcement of GDPR starting May 25, 2018 called the idea of public access to domain contact data into question. As registries and registrars have been compelled to comply with GDPR, ICANN has in turn adjusted the obligations they impose on them, making masking of domain contact data the default.
However, these obligations are general and leave it to Registries and Registrars to define for themselves the mechanism they use to disclose these data. As a result, there is no uniform, homogeneous disclosure method across all regulatory bodies.
And so the debate rages on between privacy advocates, who welcome the lack of routine disclosure, and those who seek access legitimately, who argue that they are protecting the public interest, for example by protecting intellectual property rights.
Gandi’s position: reconciling transparency with protecting privacy
For years before GDPR went into effect, Gandi had already offered a free service to protect customer data, in order to protect them from harassment and spam. Gandi simply substituted our own contact information in place of our customers’, at no additional cost.
GDPR’s enforcement has only validated our approach. However, the owner of a domain name can opt to reveal their Whois data publicly.
By setting up an opt-in, Gandi can guarantee that personal data is only visible in the Whois by explicit consent of the person in question.
This data disclosure procedure is based on both a respect for privacy and the protection of the personal data of our customers as well as a respect for the rights of third parties.
The data disclosure procedure
Gandi has additionally set up a data disclosure procedure to preserve a balance between the interests of applicants for the disclosure of data and the protection of personal data.
In this policy, there are a couple of distinctions we make:
- With regards to the owner of a domain name, whose identity is the subject of a request: there’s no issue revealing the identity of domain owners who are legal entities—like corporations, non-profits, and other organizations. However, there are stricter rules governing what personal data about natural persons we can transmit, in accordance with GDPR.
- With regards to the requestor: we verify the identity of anyone requesting personal data in order to verify the legitimacy of the request. We also distinguish between so-called “trusted” third parties, such as the authorities in countries in the European Economic Area, whose legitimate interest in obtaining this information can be presumed, and “traditional” third parties, such as a party to a dispute, who must base their request on applicable legal texts, especially the GDPR itself.
Therefore, we subject all communication of our customers’ personal data to a strict procedure. To assess the relevance of a request, we rigorously study the legitimate interest of the requestor before any data is transmitted.
For more information, please read our procedure as well as the complete terms and conditions for the disclosure of Domain Contact data.
We should also note that ICANN is currently developing a new version of the Whois, called the Registration Data Access Protocol (or RDAP for short), that will give certain categories of authenticated requesters access to certain data. We will of course keep you informed as soon as we know more about this new tool.
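To make the default masking described above concrete, here is an added example (not Gandi’s own code) that parses a constructed RDAP domain response in the RFC 9083 JSON shape and reports, for each of the four domain contact roles, which fields are actually disclosed and which are replaced by a redaction placeholder. The placeholder strings, the sample data and the one-entity-per-role simplification are assumptions.

```python
import json
from typing import Dict, List

# The four Domain Contacts named on the page.
ROLES = ("registrant", "administrative", "technical", "billing")

# Assumption: placeholder strings registrars commonly put in masked fields.
REDACTION_MARKERS = ("REDACTED FOR PRIVACY", "DATA REDACTED")

# Constructed RDAP domain response (RFC 9083 shape); not a real lookup.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "example.com",
    "entities": [
        {"objectClassName": "entity", "roles": ["registrant"],
         "vcardArray": ["vcard", [
             ["version", {}, "text", "4.0"],
             ["fn", {}, "text", "REDACTED FOR PRIVACY"],
             ["org", {}, "text", "Example Corp"],
             ["adr", {}, "text", ["", "", "REDACTED FOR PRIVACY", "", "", "", "FR"]],
             ["email", {}, "text", "REDACTED FOR PRIVACY"],
             ["tel", {"type": "voice"}, "uri", "tel:+33.000000000"]]]},
        {"objectClassName": "entity", "roles": ["technical", "administrative"],
         "vcardArray": ["vcard", [
             ["version", {}, "text", "4.0"],
             ["fn", {}, "text", "REDACTED FOR PRIVACY"],
             ["email", {}, "text", "REDACTED FOR PRIVACY"]]]},
    ],
})


def _is_redacted(value) -> bool:
    """True if a vCard value (string or structured list) carries a placeholder."""
    parts = value if isinstance(value, list) else [value]
    text = " ".join(str(p) for p in parts).upper()
    return any(marker in text for marker in REDACTION_MARKERS)


def contact_fields(rdap_json: str) -> Dict[str, Dict[str, object]]:
    """Map each contact role to its vCard properties (fn, org, adr, email, tel)."""
    doc = json.loads(rdap_json)
    by_role: Dict[str, Dict[str, object]] = {}
    for entity in doc.get("entities", []):
        props = entity.get("vcardArray", ["vcard", []])[1]
        fields = {p[0]: p[3] for p in props if p[0] != "version"}
        for role in entity.get("roles", []):
            by_role[role] = fields  # assumption: one entity per role
    return by_role


def disclosed_fields(rdap_json: str) -> Dict[str, List[str]]:
    """Per role, the fields that hold real data; absent roles give an empty list."""
    by_role = contact_fields(rdap_json)
    return {role: sorted(k for k, v in by_role.get(role, {}).items()
                         if not _is_redacted(v)) for role in ROLES}
```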
Expert opinion — Oriana Labruyère
In response to the GDPR, ICANN adopted a Temporary Specification for gTLD Registration Data on May 17, 2018.
According to this Temporary Specification, determining whether a “legitimate interest” exists in a particular case is left up to the discretion of Registries and Registrars. This covers the idea of necessity and excludes any other legal basis, according to the GDPR.
Thus, we can communicate the identity of a domain owner in three cases:
- when there is no other way to identify them;
- when identifying them is necessary to safeguard the public interest, for example during an investigation; or
- when identifying them is necessary to protect the right of ownership of a particular trademark.
We reserve the right, however, to reject any request to communicate personal data in cases where the fundamental rights and freedoms of the owner prevail over those of the requester.
Founder of the firm Labruyère&Co, Oriana Labruyère advises her clients on issues related to digital law and especially on ensuring GDPR compliance.