In approximately four months, the European General Data Protection Regulation (GDPR) will become effective. This regulation, intended to harmonize data protection and privacy laws across Europe, will have a significant impact on the domain name industry, particularly with respect to the collection and display of registrant information referred to as "WHOIS" data. Currently, domain name registrars are required to collect personal data from each domain name registrant, escrow it, and then pass that information to the Registry Operator pursuant to the terms of their Registrar Accreditation Agreement with ICANN.
For the last two months, interested parties have suggested models for a GDPR-compliant WHOIS output. On January 12, 2018, ICANN published three of its own proposed models for the collection and display of WHOIS data that it believes would comply with GDPR, and it has solicited public comment on them. Each model appears to aim at ensuring compliance with GDPR while maintaining some resemblance to the WHOIS data to which the industry has become accustomed.
In my view the optimal model should have at minimum these five important characteristics:
- The model must not extend beyond the requirements of GDPR or apply to data that is not within the scope of the regulation;
- The model must be easy for registrars and registries to implement with little financial cost or time delay;
- The model must not increase a registrar or registry’s risk for legal liability;
- Third parties that have legitimate interests or purposes for gaining access to non-public WHOIS data must be allowed such access under the model; and
- The model must not create unnecessary or costly legal process impediments such as requiring a court order to access the data.
These five characteristics are evident mostly in Models 1 and 2 but not in Model 3; therefore, impacted stakeholders should focus their efforts on combining aspects of Models 1 and 2 to yield the most workable model.
In Model 1, a clear distinction is made between data belonging to a natural person and data belonging to a legal entity. Because GDPR applies only to data belonging to natural persons, this model does not extend beyond the scope of the European regulation. Model 3 makes no such distinction. Model 2 is less focused on making that distinction but could be modified to adopt the tenets of Model 1.
Under Model 1, most of the current WHOIS data is collected and displayed. Because registries and registrars already collect this information, this keeps WHOIS more or less intact except for the masking of the registrant's name and email contact. Few new burdens are imposed on registrars in this model, but some registrars have taken the position that much of the WHOIS data historically collected is not needed for the provisioning of domains and only creates additional risk. After all, registrars have been passing only "thin" WHOIS data to Verisign for decades. Therefore, Model 2 seems to be the more attractive model to registrars and registries, and it is the most similar to the eco model previously embraced. While Model 2 may be preferable to the contracted parties, many wish to have the email address included in the public WHOIS data. The email address of the registrant is critical to fulfilling a variety of purposes, from providing appropriate access and enabling reliable contact with the registrant to supporting legitimate interests such as consumer protection, IP protection and law enforcement.
Model 2 also poses the least risk of legal liability to a registrar or registry because, under this model, those seeking access to non-public WHOIS data must certify to a centralized validation authority that they have a legitimate purpose for accessing the data. A detailed certification and validation process relieves registrars of the burden of balancing the requestor's and the registrant's interests on a case-by-case basis. Unfortunately, it may take more than four months to implement a centralized validation authority. Until that authority is established, the community should look at Model 1, which proposes a self-certification process. A robust self-certification process could serve as a stopgap measure until a centralized authority can be instituted. As an added layer of protection, third-party requestors should offer a reasonable indemnity to the registrar.
Finally, neither Model 1 nor Model 2 imposes unnecessary legal burdens, financial costs or impediments on third-party requestors, registrars or registries by requiring them to obtain and process subpoenas, court orders and injunctions. Model 3, in contrast, would impose this burden on registrars and third-party requestors by requiring the parties to deal with the courts and other legal processes.
The community needs to have a dialogue now on how to shape Models 1 and 2 into a single model that can meet the five characteristics. Representatives from several stakeholder and constituency groups are meeting this week to discuss how to reconcile elements of these two models, with the hope of putting a single model forward to ICANN that it can and will endorse and that many can easily adopt. However, ICANN has signaled that it is going to publish its own model following the close of the public comment period on January 29th. If that model does not look very similar to Models 1 and 2, the community will be cheated out of its hard work and its community voice.