Home > Insights > Blogs > Internet Law Twists & Turns > WHOIS data still headed off the GDPR cliff

WHOIS data still headed off the GDPR cliff

Mark Sableman April 26, 2018

Despite efforts of the international domain name authority to save the WHOIS database, it still appears likely to black out after GDPR becomes effective.  And the blackout could herald other changes for this often-used and essential database, including toll gates.

As previously reported, the European GDPR privacy mandate has led ICANN, the domain name authority, to plan to shut down public access to most information regarding owners of domain names once GDPR goes into effect.  Trademark and security professionals, who regularly use and depend on the WHOIS database, have been urging ICANN to keep it open, at least to them.

But an April 11, 2018 letter to ICANN from the European Article 29 Data Protection Working Group (WP29), the body charged with advising on GDPR implementation, suggests that European regulators are carefully scrutinizing how the registrant information in the WHOIS databases is being removed and protected, and are unlikely to permit anything like the current open access to registrant data.

While the WP29 letter generally approves of ICANN’s plan for removing registrant data, allowing communications to registrants only through anonymized email addresses, and allowing data release only under an accreditation program, it warns that it will carefully scrutinize each of these steps.  Presumably the accreditation program will be the means by which intellectual property lawyers and investigators get access to the identities and contact information for registrants who are infringing trademarks and other IP rights.

Among other things, the WP29 letter notes, as to the accreditation program, that “important details remain absent regarding the circumstances in which access will be provided, to what extent and under which conditions and safeguards.”  Put simply, after the GDPR becomes effective on May 25, 2018, it may take lots of time and effort for IP investigators to get access to the database that they have long used in addressing infringement of their clients’ rights.

ICANN responded to WP29 on April 12 and again asked for a moratorium on enforcement of GDPR in connection with WHOIS because of “the importance of balancing the right to privacy with the need for information,” and the difficulty of effectuating the blackout.  The ICANN letter also pointed out the detrimental effect of a WHOIS blackout, by protecting cybercrime perpetrators, hampering consumer protection, inhibiting trademark enforcement, and making it harder to identify and fight fake news.

On a side note, an Australian domain name registrar, CoCCA, has given notice that it will soon charge trademark owners for access to WHOIS records.  A fee schedule of a single registrar is irrelevant now, when the same data is available free from other registrars, but this change may presage access fees being set under the accreditation program. 

Mark Sableman is a partner in the firm's intellectual property practice group.