Whois will change forever next year.
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR) will go into full effect. The privacy regulation will have a major impact on industries that handle personal data of people in the EU, including the domain name industry.
Domain name companies are scrambling to figure out how to comply with the regulation, all while racing against the clock with unclear guidelines from the EU and ICANN.
A sweeping new privacy regulation
GDPR is a regulation designed to protect the privacy of European Union citizens and residents. It will apply to all companies that handle data about EU residents, not just companies based in the EU.
“The goal is to strengthen and unify data protection for all individuals of the EU…to protect personal data and ensure free flow of data within the EU,” said Thomas Rickert, an attorney and Head of the Names & Numbers Forum at eco (Association of the Internet Industry e.V.), which represents domain name registrars and registries.
The regulation aims to minimize data collection and increase transparency. Two overarching principles are privacy by default and privacy by design. So when offering services, privacy must be the default setting rather than an opt-out.
GDPR comes with a big stick, too. Companies can be fined up to €20 million or 4% of their annual turnover. Also, authorities can be sued for failure to take action against those that violate the regulation.
This means domain name companies are paying close attention to GDPR.
On Tucows’ most recent earnings call, CEO Elliot Noss noted “…there will be material impact. It [GDPR] will change the delivery of public WHOIS, privacy and proxy services.”
GDPR will certainly affect Whois and what data registrars collect about their customers, plus who they share it with.
What do domain companies need to do?
All parties that contract with ICANN will be impacted. This includes registrars, registries, data escrow companies and even ICANN itself.
“ICANN is affected by this as much as the other players,” said Rickert. “It’s safe to say that, since ICANN is spelling out the requirements on what needs to be collected and how data is being dealt with, ICANN is also a data controller and therefore the sanction risks are also with ICANN since they’re basically prescribing exactly what needs to be done with it.”
ICANN has set up ad hoc groups to evaluate GDPR and figure out how to handle it. It has created a matrix of data flow in the domain name process and opened it for public comment. It will then need to do a legal assessment to figure out how to comply with GDPR.
For example, it may determine that certain information needs to be collected in order to provide a domain registration to a customer. But is it required that this data be passed to the registry? Should it be published?
The regulations are not entirely clear about this.
“The beauty and the curse of laws is that they are not individual and concrete, but they are abstract and general,” said Rickert. “We need to apply the ideas of the law to this technical scenario that we find in the DNS.”
The default is that data shouldn’t be collected and processed. So ICANN and its contracted parties will need to have a good reason for collecting data and an even better one for publishing it.
The clock is ticking
Process and policy move slowly at ICANN. If contracted parties are to have time to implement changes, they will need to be debated and approved at the Abu Dhabi meeting in October. Don’t expect everyone to be on the same page; law enforcement and intellectual property interests will push back against a reduction in public data.
If push comes to shove, registrars are on record threatening to turn off their Whois when May passes. They’d rather face ICANN’s wrath than the EU’s penalties.
Regardless of what changes are made, registrars and registries will have their work cut out for them.
“We can expect with a high degree of certainty that Whois will not look like it does today,” Rickert said. He also believes ICANN will need to change some of its contracts.
My take
Here are some of my takeaways on GDPR:
- Expect tiered access to certain elements of Whois. Perhaps they will be available to law enforcement but not the public. The Registration Directory Service (RDS) idea might not be too far off.
- This is going to be a big cost burden on domain name registrars, especially small ones. They might start contracting with third parties to handle Whois for thin whois domains.
- Right now registrars handle private information for .com and .net domains and publish this in Whois (thin whois). These two domains are supposed to transfer to a thick Whois model, but don’t be surprised if this is delayed. Also don’t be surprised if Verisign is allowed to raise the price on .com domains after implementing thick Whois.
- New top level domain name companies are going to lean on their registry service providers for GDPR compliance when it comes to Whois. New TLDs use a thick whois that is managed at the registry level rather than the registrar.
- GDPR could impact the value of Whois privacy services, which are a big cash cow for many registrars.
is this only going to effect EU registrars? or EU citizens? I don’t want my whois blocked…its how people contact me to buy domains!
It only matters for EU citizen’s data, but whois might be changed across the board. It will impact registrars around the world.
seems like a terrible idea to change whois for everyone due to europes overbearing privacy rules. personally my view is, if you want to buy a domain then you have to deal with the lack of privacy that can come along with it which is pointless mostly as whois privacy is cheap or free most places.
Presumably you may get to opt out of privacy
I wonder how this will affect DomainTools ? Quite a lot hopefully since they are the ones who have been giving data to Complainants for years Time for payback I hope.
Hopefully it hurts them a lot since they hate small businesses and are greedy $(@&$@&(*.
Andrew, aren’t .com prices frozen until 2024 for .com? Can verisign increase prices earlier upon thick whois implementation, despite the current price freeze?
They can petition to increase prices if their costs go up due to a new policy being forced on them. I can’t imagine them not using thick whois as an opportunity to ask for a raise.
But this is a good thing or not? Can someone maybe expand the impact on domain users?
Having private data exposed on the Internet is not something most people desire, in particular your home address and phone, with all the trolls and online attacks, its not uncommon that individuals don’t want to have data like this public. I don’t. But if this is going to increase domain costs because companies have extra burdens, then this is bad as in the end we customers will end up paying those extra costs.
Phone number and email should be hidden. Legal owner with mailing address should not. Your car, house, any property tax paid – all your life – is searchable right now with full name and address. If you want to consider domain names as property or a business then your info should follow these same rules. I hate spam and think whatever can be done to stop it is great. But this may benefit shill bidders at auctions and registrar / auction house conflicts of interest.
“GDPR is a regulation designed to protect the privacy of European Union citizens and residents.”
Only complete idiots actually believe that. It’s designed to further undermine personal and economic freedoms and continue to erode civil society by destroying access to and flow of information.
It only matters for EU citizen’s data