It doesn’t seem to “ban anonymous websites” but could create headaches for the domain industry.
The European Union is working on a Directive around cyber security that could impact domain names and Whois. But like the EU’s General Data Protection Regulation (GDPR), it’s a bit high level and how it would be implemented is up to a lot of interpretation at this point.
Directive of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union (original, unamended pdf) includes language that suggests that many businesses that touch DNS will have to keep data on domain name owners. They would also have to guarantee its accuracy and provide it to relevant authorities and interests upon valid request.
But it also says that this has to comply with GDPR as it relates to personal data. And since GDPR effectively nuked personal data from Whois, this doesn’t seem to actually “ban anonymous websites” in the EU as I read it. It doesn’t seem to dictate that personal information be published in Whois.
It’s important to note that this is a directive, not a regulation like GDPR. A Regulation is effectively a law that applies to all EU member states and overrides their national laws. A directive sets objectives for all EU countries, which then must translate this into their own national laws. So this means that this directive would be turned into different laws in 27 countries. And you can bet the governments’ privacy regulators will not suddenly say, “Go ahead and publish personal information in Whois.”
That said, this directive seems to be sneaking up on the domain name industry as GDPR did. Today is the first I heard of it. It’s clear that it could create headaches for the industry, especially for smaller players. The added rules could increase expenses for DNS-related businesses, which will increase costs for consumers.
ICANN submitted comments (pdf) to try to clarify the directive and ensure it doesn’t encapsulate unintended entities. This is separate from comments the ICANN Business Constituency submitted that have been incorrectly attributed to ICANN Org.
I’ll keep tabs on the progress of this directive and welcome opinions from those who have been studying this.