Whois will change forever next year.
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into full effect. The privacy regulation will have a major impact on industries that handle personal data of people in the EU, including the domain name industry.
Domain name companies are scrambling to figure out how to comply with the regulation, all while racing against the clock with unclear guidelines from the EU and ICANN.
A sweeping new privacy regulation
GDPR is a regulation designed to protect the privacy of European Union citizens and residents. It will apply to all companies that handle data about EU residents, not just companies based in the EU.
“The goal is to strengthen and unify data protection for all individuals of the EU…to protect personal data and ensure free flow of data within the EU,” said Thomas Rickert, an attorney and Head of the Names & Numbers Forum at eco (Association of the Internet Industry e.V.), which represents domain name registrars and registries.
The regulation aims to minimize data collection and increase transparency. Two overarching principles are privacy by default and privacy by design. So when offering services, privacy must be the default setting rather than an opt-out.
GDPR comes with a big stick, too. Companies can be fined up to €20 million or 4% of their annual turnover. Also, authorities can be sued for failure to take action against those that violate the regulation.
This means domain name companies are paying close attention to GDPR.
On Tucows’ most recent earnings call, CEO Elliot Noss noted “…there will be material impact. It [GDPR] will change the delivery of public WHOIS, privacy and proxy services.”
GDPR will certainly affect Whois and what data registrars collect about their customers, plus who they share it with.
What do domain companies need to do?
All parties that contract with ICANN will be impacted. This includes registrars, registries, data escrow companies and even ICANN itself.
“ICANN is affected by this as much as the other players,” said Rickert. “It’s safe to say that, since ICANN is spelling out the requirements on what needs to be collected and how data is being dealt with, ICANN is also a data controller and therefore the sanction risks are also with ICANN since they’re basically prescribing exactly what needs to be done with it.”
ICANN has set up ad hoc groups to evaluate GDPR and figure out how to handle it. It has created a matrix of data flow in the domain name process and opened it for public comment. It will then need to do a legal assessment to figure out how to comply with GDPR.
For example, it may determine that certain information needs to be collected in order to provide a domain registration to a customer. But is it required that this data be passed to the registry? Should it be published?
The regulations are not entirely clear about this.
“The beauty and the curse of laws is that they are not individual and concrete, but they are abstract and general,” said Rickert. “We need to apply the ideas of the law to this technical scenario that we find in the DNS.”
The default is that data shouldn’t be collected and processed. So ICANN and its contracted parties will need to have a good reason for collecting data and an even better one for publishing it.
The clock is ticking
Process and policy move slowly at ICANN. If contracted parties are to have time to implement changes, they will need to be debated and approved at the Abu Dhabi meeting in October. Don’t expect everyone to be on the same page; law enforcement and intellectual property interests will push back against a reduction in public data.
If push comes to shove, registrars are on record threatening to turn off their Whois when May passes. They’d rather face ICANN’s wrath than the EU’s penalties.
Regardless of what changes are made, registrars and registries will have their work cut out for them.
“We can expect with a high degree of certainty that Whois will not look like it does today,” Rickert said. He also believes ICANN will need to change some of its contracts.
Here are some of my takeaways on GDPR:
- Expect tiered access to certain elements of Whois. Perhaps they will be available to law enforcement but not the public. The Registration Directory Service (RDS) idea might not be too far off.
- This is going to be a big cost burden on domain name registrars, especially small ones. They might start contracting with third parties to handle Whois for thin Whois domains.
- Right now registrars hold the private registrant information for .com and .net domains and publish it in Whois themselves (thin Whois). These two TLDs are supposed to transition to a thick Whois model, but don’t be surprised if this is delayed. Also don’t be surprised if Verisign is allowed to raise the price on .com domains after implementing thick Whois.
- New top level domain name companies are going to lean on their registry service providers for GDPR compliance when it comes to Whois. New TLDs use a thick Whois that is managed at the registry level rather than by the registrar.
- GDPR could impact the value of Whois privacy services, which are a big cash cow for many registrars.
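To make the “privacy by default” principle and the tiered-access idea above concrete, here is an added illustration in Python. It is not code from this article, from Rickert, from ICANN or from any registrar; the field names, the two requester tiers (“public” and “accredited”) and the sample registrant record are all assumptions constructed for the example. The point it shows is the fail-closed shape such a service would need: the full record is stored once, every field not explicitly allow-listed for the requester’s tier is redacted, an unrecognised tier gets the public view, and each disclosure of personal data is logged with its stated purpose.

```python
"""Tiered Whois view builder (added illustration, not code from the article
or any registrar). Field names, tiers and the sample record are assumptions."""
from dataclasses import dataclass, asdict

REDACTED = "REDACTED FOR PRIVACY"


@dataclass(frozen=True)
class RegistrantRecord:
    # Assumed field set; a real registrar schema would differ.
    domain: str
    registrant_name: str
    registrant_email: str
    registrant_phone: str
    registrant_country: str
    registrar: str
    created: str
    expires: str
    nameservers: tuple


# Non-personal operational fields are public; personal contact data is
# allow-listed only for an accredited tier (e.g. law enforcement). Anything
# not listed for a tier is never released, so new fields default to private.
OPERATIONAL = {"domain", "registrar", "created", "expires", "nameservers", "registrant_country"}
PERSONAL = {"registrant_name", "registrant_email", "registrant_phone"}
ALLOWED = {
    "public": OPERATIONAL,
    "accredited": OPERATIONAL | PERSONAL,
}


def whois_view(record: RegistrantRecord, tier: str) -> dict:
    """Return the record as the given tier may see it.
    Unknown tiers fall back to the public (most redacted) view."""
    allowed = ALLOWED.get(tier, ALLOWED["public"])
    return {field: (value if field in allowed else REDACTED)
            for field, value in asdict(record).items()}


def redacted_fields(view: dict) -> set:
    """Names of the fields that were withheld in a view."""
    return {k for k, v in view.items() if v == REDACTED}


def disclosure_log_entry(record: RegistrantRecord, tier: str, requester: str, purpose: str) -> dict:
    """Accountability record for a lookup: which personal fields were released,
    to whom and why. Public lookups release no personal data, so the list is empty."""
    view = whois_view(record, tier)
    released = sorted(PERSONAL - redacted_fields(view))
    return {"domain": record.domain, "tier": tier, "requester": requester,
            "purpose": purpose, "personal_fields_released": released}


# Constructed sample record; not real registrant data.
SAMPLE = RegistrantRecord(
    domain="example.com", registrant_name="Jane Doe",
    registrant_email="jane@example.com", registrant_phone="+1.5555550100",
    registrant_country="DE", registrar="Example Registrar",
    created="2015-01-01", expires="2019-01-01",
    nameservers=("ns1.example.net", "ns2.example.net"),
)

if __name__ == "__main__":
    for tier in ("public", "accredited", "unknown"):
        print(tier, whois_view(SAMPLE, tier))
    print(disclosure_log_entry(SAMPLE, "accredited", "agency-x", "assumed investigation ref"))
```

The allow-list (rather than a deny-list) is the design choice that encodes privacy by default: a field a developer adds later is hidden from the public until someone consciously decides otherwise, which is the opposite of today’s publish-everything Whois.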