Good luck figuring out what individual in the EU owns a domain name.
The European Union will begin enforcing its General Data Protection Regulation (GDPR) in May of 2018. As I’ve written about before, this will have a major impact on Whois.
How big? Well, I have jokingly included this image in my August story of what Whois could look like:
Turns out I’m not that far off. Consider what the world’s second largest registrar, Tucows/Enom, suggests that a public record for an individual in the European Union will look like:
Note that this Whois record doesn’t even have a forwarding address for email!
Think of the impacts this will have on domain name investors trying to buy domains or verify ownership. I also wonder how this will work when transferring a domain name. Even Whois updates in which contacts must be emailed will be an issue.This is what a Whois record might look like in 2018Click To Tweet
The answer might lie in gated Whois. In a blog post, Enom states:
…we plan to provide authenticated access in a specific and limited manner, so that those with legitimate reason to request personal data can access the information they require while the privacy of individuals remains protected.
Who has a legitimate reason? Enom notes a couple of examples:
Think about, for example, an intellectual property lawyer who wants to know the owner of a domain in order to submit a trademark dispute, or a law enforcement officer tracking down the people behind a phishing scheme; they should be able to find out who owns the domain name under investigation.
It will be interesting to see who is considered to have a legitimate reason to view at least some part of the Whois record.
Although the regulation will only impact individuals in the EU for now, we could see this sort of Whois change apply across the world in the future. Again, from Enom’s blog post:
While the GDPR only applies to EU-local individuals, there are data privacy and protection regulations in many other places around the world, which render a public Whois highly problematic, if not unlawful. With this in mind, what we know for sure is that we will no longer be able to publish personal data for any EU-located individual in the public Whois. What remains an open question is if we will continue to publish personal data for registrants based outside of the EU; we don’t yet have a final answer on that, and we’ll work through this issue over the next few months.
This change is going to have a big impact on almost everyone in the domain name industry.