For intellectual property owners policing their rights on the internet, domain name WHOIS services have been a hugely valuable tool. Not only do they give brand owners access to information to identify who is infringing their rights, but they also track patterns of abuse by particular infringers. For some years, however, there have been questions over how publishing personal data on WHOIS squares with data privacy laws – these questions have now come to the fore with the General Data Protection Regulation (GDPR) taking effect across the EU from 25 May 2018.
ICANN's proposed interim GDPR compliance model was thought by many to have come too late, particularly given that there has been a two year period in order to get ready for the impact of GDPR. ICANN, alongside a number of brand owner organisations, also asked for a moratorium on enforcement under GDPR by national Data Protection Authorities to lift the threat of a WHOIS blackout. However, the EU data protection advisory body, the Article 29 Working Party (WP29,to be re-named the European Data Protection Board under GDPR) has confirmed that national Data Protection Authorities cannot allow enforcement forbearance in relation to individual data controllers, though they will no doubt take into consideration what steps have been taken or are in train when deciding on how to deal with any complaint.
The WP29 has criticised aspects of ICANN's proposed compliance model for not complying fully with GDPR. Others, including brand owners, have criticised the model for over-compliance with GDPR. They argue that allowing the proposed new model to be applied globally (as opposed to having purely an EU jurisdictional reach), and to companies (as opposed to just individuals), is an over-interpretation of GDPR's requirements.
ICANN has now issued a draft 'temporary specification', with the aim of preventing WHOIS 'going dark' on 25 May, which will allow users with a legitimate purpose to request access to non-public data. Under the temporary specification, registrars must also provide an email address or web form to facilitate contact with the registrant, but not provide the registrant's actual email address (or make it feasible to ascertain this).
What does ICANN's interim compliance model propose?
The interim compliance model proposes layered or tiered access to registration data. It proposes a public WHOIS which will not include the registrant's name, address, or other contact details. An organisation name will be included, and the registrant's state/province and country. There will be an anonymised email address or web form from which messages can be forwarded to the registrant's email address.
However, it will be possible for certain types of users to access non-public registration data, namely those with a legitimate interest and who are bound to comply with adequate measures of protection – ICANN proposes a formal accreditation program for law enforcement agencies and IP lawyers (but it is not clear how individual brand owners, particularly SMEs, will be able to access such information).
What about .uk?
In relation to .uk country code domains (e.g., co.uk etc), Nominet has proposed a different model. Law enforcement agencies will be able to access all registry data via an enhanced Searchable WHOIS free of charge, but rights owners will be only able to access this service on a charged-for basis, and will not be given access to the registrant's name and address.
However, they will be able to request access to all registry data, including contact data, via Nominet's data disclosure policy for no fee, with Nominet operating to a 1 working day turnaround. It will be interesting to see how this operates in practice, in terms of Nominet's response times and resourcing.
What happens next?
Following a meeting between ICANN and WP29 in April, ICANN must provide the WP29 with more detail on its proposed accreditation model, which will allow rights owners to access non-public WHOIS data, and further information as to how its proposed interim compliance model complies with GDPR. If agreement is not reached, the concern is that WHOIS will become a 'fragmented system', with registries and registrars adopting divergent approaches to access to registration data, including potentially adopting charging models for access and WHOIS blackouts.