How European Data Protection Law Is Upending the Domain Name System

Shane Tews is the president of Logan Circle Strategies. You can follow her @ShaneTews.

This May, in a regulatory sea change for data privacy and protection, the European Union’s (EU) General Data Privacy Regulation (GDPR) is set to take effect. The GDPR was crafted to harmonize data protection laws for all EU citizens—it replaces a number of data protection directives that currently address the collection and export of personal data outside the EU. But the rules will also bring on new challenges for those who manage international data transfers enabled by the internet.

The Internet Corporation for Assigned Names and Numbers (ICANN) currently administers an important database for the “who’s who” of web addresses, known as the “WHOIS” service. The WHOIS database collects and disseminates information on who administers, manages, and holds the contractual responsibilities for domain names. For example, the WHOIS database allows someone to find who manages the google.com domain, and provides the domain owner’s contact details allowing him or her to be reached in the event google.com was being used to send spam or host illegal content. WHOIS is often used by law enforcement to investigate computer crime and intellectual property rights owners to protect their trademarks.   

Some of the information contained within the WHOIS database, such as names and contact details, could be considered to be private data under EU law and be subject to the GDPR’s prohibitions against sharing data without an individual’s explicit consent and other handling limitations. That could mean that law enforcement, consumer protection agencies, brand and intellectual property protection advocates, and cybersecurity experts looking to protect citizens, and their corporate products might be unable to access the contact information they once did in a pre-GDPR world. Absent changes in the way WHOIS data is handled, rights holders, law enforcement, and computer security companies will have access to a lot less information on who is contractually responsible for a domain.

ICANN is reviewing several new WHOIS compliance models that may change the current model of unrestricted access where anyone can look up WHOIS data to a tiered-access model for data collection. Some other models require consent procedures and processes for third-parties to have access, in accordance with GDPR guidance, and others keep most the data out of reach with limited exceptions.

The important factor in all of these proposed new database models being considered by ICANN is determining what data may be made publically available and how will this affect the entities seeking the data. The critical question for those seeking the information to protect harmed parties is how data can be accessed, and if it will be available to take down a domain name that is causing harm and possibly promoting illegal activity. 

The chosen outcome of the new ICANN model will impact the collection, storage, display, transfer, and retention of domain ownership data.

The larger challenge is keeping the balance of trust on the internet and managing the information flow between parties for accurate content. Free expression and the flow of information online is fundamental to how the internet works. For this to continue there needs to be a level of trust on who is sending information out and trust that the information being sent is accurate. “Fake news” producers, stolen content, illegal marketplaces, and illicit content on the dark web are enough of a challenge. Online actors who know how to be deceptive in their ways can weave through online networks to protect themselves. It would be a shame if the well-intended GDPR became one of their tools of the trade.