Whois GDPR carnage continues: Afilias to ditch almost all data in Whois on millions of domains

Afilias will stop showing contact info and ownership data on millions of domains including .info, .mobi and more.

Please see update

Much of the focus of General Data Protection Regulation (GDPR) as it relates to Whois has been on registrars. But many top level domains operate under a “thick Whois” system in which the registry maintains the personal data of registrants.

Today, registry Afilias informed registrars that it’s ditching almost all of the data in Whois. No contact data whatsoever; just a bit of technical data and the registrar’s data.

Here’s what Afilias Whois records will look like at the end of May:

As for law enforcement and trademark owners? Until models are worked out, they’re screwed.

(An Afilias spokesperson reiterated that it is committed to working with law enforcement to provide them the information they need. Please note the portion of the email titled “Law Enforcement”.)

Here’s the full text of the message Afilias sent to registrars today:

***
Dear Registrar,

As a follow-up to discussions at ICANN61, this provides an update of Afilias’ plans for addressing compliance with the EU General Data Protection Regulation (GDPR) that will go into effect on 25 May 2018.

Effective 25 May 2018, Afilias will minimize the data displayed in the public WHOIS for Afilias-owned TLDs and will begin displaying ONLY operational technical data (not contact data). AFILIAS-SUPPORTED TLDS MAY OPT-IN TO THIS APPROACH (LIST NOT AVAILABLE YET).

A marked-up version of our current WHOIS output is shown on “Attachment 1” so you can see which data will continue to be displayed and which data will no longer be publicly displayed. Our Registry Operator clients may either adopt our solution or leave the WHOIS as is; we do not expect to provide tailored solutions.

Afilias “owned” TLDs affected by this are: .info, .mobi, .pro, .poker, .pink, .black, .red, .blue, .kim, .shiksha, .promo, .lgbt, .ski, .bio, .green, .lotto, .pet, .bet, .vote, .voto, .archi, .organic and .llc.

From a registry standpoint, we see no impact of this registry action on registrars. Registrars are free to continue transferring thick data to the registry, although you may elect to similarly truncate your own WHOIS display (that is up to individual registrars).

The approach above is supplemented by our perspectives on the following:

ICANN Compliance:
Our ICANN registry contracts require display of the full WHOIS, which is inconsistent with GDPR requirements. To avoid possible ICANN contract compliance issues, ICANN has suggested to Afilias that a “local law exemption” be sought. As an Irish company, Afilias plans to consult with the Irish DPA and local counsel on how to best address the application of local law (the GDPR) on WHOIS output.

Law Enforcement:
Afilias continues to constructively engage with law enforcement agencies (LEAs) and other Registration Authorities to explore potential mechanisms to ensure that LEAs are not unreasonable restricted in their access to WHOIS data.

Trademark/IP Interests:
As there is no “accreditation” mechanism yet for access to WHOIS by Trademark and IP interests, Afilias intends to eliminate access until a consensus emerges in this area.

ccTLDs:
Some of the ccTLDs Afilias supports may be affected by GDPR as well, especially if they have registrants or registrars in the EU. It is unclear to Afilias how DPAs will treat cases involving ccTLDs. ccTLD operators may or may not adopt the Afilias approach to WHOIS; they may contact you separately.

There are a host of other GDPR-related issues that remain unresolved (e.g. consent management, natural/legal person status, etc), and Afilias is actively engaged with the community.

Should consensus or other changes indicate adjustments to the above, we will advise you accordingly.

Please reach out to your Afilias contact if you have any questions.