The (real) impact of GDPR on Whois data access

Since the implementation of the GDPR last May, many things have been said and written (among others, by us during our webinars and / or in this website’s articles) about access to domain names’ registration data (Whois) .

Summer starting, it seems to be useful to make a concrete point on where we are.

Contrary to an idea too often propagated, the GDPR does not block the access to Whois data and it is still possible to act. The process has just become more complex because you have to start taking action to get a registrant’s contact information before you can even launch another action to stop an infringement or to recover a domain name.

First of all, it is important to differentiate privacy services from the anonymization of Whois details due to the GDPR.

“Private whois” services, also called “proxy”.

In this case, the registrant, who may be an individual or a legal person, paid to hide his data. There is no obligation from the Whois privacy provider to disclose his client’s data. Even during a UDRP, the provider can either disclose them or not. Only a judicial request may bind the provider to disclose the hidden data. Among “Whois privacy” providers, some are legitimate but, we unfortunately noticed, that some are just using “Whois privacy” to … register the domain names in their own names!

Our experience in this area and our business connexions allow us in 95% of cases to indicate beforehand whether the provider will cooperate or not.

GDPR / Hidden data (the registrant is an individual).

In this context, it is possible to provide a request to the registrar, based on a right, in order to get the registrant’s contact details. Certainly a tedious process, but still possible. What seems to be a bit misty for most people is that following the implementation of GDPR, ICANN / the community * had to develop a uniform system designed to manage data release requests. But, as it frequently occurs with a multi stakeholder system like ICANN, discussions still last, and this framework is still under development. To this day, there are however “temporary specifications” governing the data release. Therefore, based on a justified request, domain name’s data can be disclosed. This lack of harmonisation and the incomprehension of GDPR by some registrars makes things more complex: it is sometimes necessary to insist, to quote relevant texts etc … It is on this ground that domain names’ experts like SafeBrands, ICANN- accredited registrar and accredited by many countries worldwide, can make a difference by providing a very specific expertise.

Moreover, and to make things even simpler (!), ICANN has unfortunately proposed two systems (a global one and a finer one). Thus, a lot of registrars mask the data of any natural person, a practice that goes beyond GDPR’s rules which basically relates only to European natural persons. For instance, an individual from India, has no reason to benefit from the GDPR, but some registrars, for various reasons (simplification, precaution, wrong analysis or on deliberate purpose) often hide all data.

Similarly, there is a current debate as to whether data from individuals displayed because associated with a legal entity registrant are considered personal data and therefore covered by the GDPR. The AFNIC ‘s answer (like SafeBrands) is no. But the situation is still blurry because nothing is decided on this subject.

Finally, in terms of private whois and anonymity, we note that regulatory systems are being developed within ICANN. But nothing has been finalized so far and will not be finalized until next year.

Matthieu Aubert, SafeBrands’ Head of Legal Department

*: Let us note here that the term “community” allows companies – main victims of cybersquatting – to make their voices heard in the ICANN debates. Unfortunately, most of them are terribly passive and absent from the discussions. “Corporate” registrars like SafeBrands, are in charge of defending their interests, but they often feel lonely in this fight! Notice to our readers who would like their voices to be heard: the next ICANN meeting will take place at the beginning of September in Montreal (https://meetings.icann.org/en/montreal66), where SafeBrands will have its North American representation. We will be delighted to welcome you during this major event, with the traditional French Night which SafeBrands is partnering with Afnic!