In April 2016, the European Union (EU) Parliament approved the General Data Protection Regulation (GDPR). The GDPR will repeal the existing Data Protection Directive in the EU when it comes into force on 25 May 2018. The GDPR is intended to give back control to EU citizens over their personal data and to harmonise data privacy laws across Europe.
While the GDPR is effectively EU legislation, its provisions are far reaching as it is applicable to organisations within and outside the EU which offer services or process information of EU citizens. Companies that hold or process the information of citizens residing in the EU will be affected by the GDPR, regardless of the company’s geographical location.
The GDPR requires, inter alia, data minimisation and specifically calls for data controllers to hold and process only the data absolutely necessary for the completion of its duties. It also limits access to personal data to those needing to act out the processing of that data. Data subjects may also request that data controllers erase their personal information and cease dissemination of that information to third parties, subject to this right being weighed up against the public interest in the availability of the data in question.
One corporation that will be affected by the implementation of the GDPR is The Internet Corporation for Assigned Names and Numbers (ICANN). ICANN’s primary focus is the management of the internet’s global Domain Name System (DNS). Its responsibilities include policy development for the internalisation of the DNS. Central to the DNS is the WhoIs database which draws data from all ICANN accredited Domain Name Registries responsible for facilitating the registration of domain names.
The WhoIs database as we know it, provides access to publicly available information containing the domain name owner’s or registrant’s details, administrative contact and technical information. This information is utilised by authorities in matters relating to cybercrime and other forms of criminal activity. Also, in cases of domain name disputes, trade mark infringement and counterfeiting cases for the purposes of identifying the registrant and making contact to enforce the rights of IP holders. The enactment of the GDPR will change the information accessible on the WhoIs record.
ICANN has proposed an interim model to enable Domain Name Registries and Registrars to comply with the data privacy requirements under the GDPR whilst trying to preserve as much of the currently publicly available WhoIs information as possible. It is expected that the registrant contact information will be redacted. Naturally, this change has sparked fierce debate and criticism from Governments, Law enforcement authorities, stakeholders and especially IP holders amongst others, who rely on WhoIs registrant information for enforcement of the law and IP rights, as the case may be.
To date, there has been no consensus on the implementation of the interim model and ICANN has been criticised for over-interpreting the provisions of the GDPR.
Specific aspects of the interim model that have attracted criticism are the proposal for anonymous or pseudonymous registrant email addresses, the global application of the model as opposed to limiting its territorial scope to the EU connection via the Registrant or Registrar, and the model’s failure to draw any distinction between natural and legal persons.
It was also hoped that the interim model would include an accreditation model allowing, at least, access to WhoIs information that is controlled by Domain Name Registrars, but the model has drawn criticism in that it has not made any proposals on accreditation and how registrant information can be accessed. At the recent ICANN61 meetings in Puerto Rico, ICANN invited input on an accreditation model from stakeholders. The process of putting together an accreditation model continues without any certainty as to whether or not a model will be in place or if interim measures will be taken to allow access to registrant information by 25 May 2018.
Considering the lack of consensus surrounding the implementation of the interim model and an accreditation model, it seems that WhoIs for gTLD’s as we know it, will no longer exist and will possibly go “dark” on 25 May 2018. This will have an impact on Law enforcement and will prevent IP holders, among others from being able to contact registrants to enforce their rights against online infringements during the period of seemingly indefinite darkness.
The compliance of our own Domain Name Authority with the GDPR in so far as it affects EU citizens seems inevitable. With the advent of our own data privacy laws (i.e. the Protection of Personal Information Act) which was drafted in line with international trends, it is likely that South Africa will follow suit with the models proposed by ICANN.
While discussions regarding the implementation of the GDPR and its effect on the WhoIs database continue, interested persons and IP holders are encouraged to provide comments to ICANN and EU DPAs directly regarding concerns on the interim and accreditation models. So, come 25 May 2018, we don’t have to go looking for Who he or she is.