ICANN releases new WHOIS specification plan as GDPR countdown nears zero

• ICANN publishes temporary specification for GDPR-compliant treatment of gTLD data
• Proposes anonymised email or online form to allow contact with domain registrants
• ICANN board expected to formally adopt its model a week before GDPR enforcement

ICANN has published its Temporary Specification for gTLD Registration Data in a bid to ensure WHOIS compliance with the European Union's General Data Protection Regulation (GDPR), while maintaining the existing WHOIS system to the greatest extent possible. Subject to further revision prior to a board vote, the model proposes the establishment of a mechanism to allow contact with domain name registrants – while cloaking their identity.

As we have reported previously, last month the Article 29 Data Protection Working Party (WP29) responded to ICANN’s initial request for feedback on a proposed interim model for ensuring that the treatment of WHOIS data is compliant with GDPR. While welcoming the decision of ICANN to propose an interim model which involves layered access, the WP29 raised a number of concerns. With the May 25 enforcement date for GDPR two weeks away, the past few days have seen a flurry of activity at ICANN HQ.

Last week, ICANN sent a new letter to the WP29, seeking further clarification and, crucially, asking whether the plans currently submitted were sufficient to not result in immediate fines for non-compliance. A day later, on Friday, Cherine Chalaby, chair of the ICANN board of directors, wrote to the Government Advisory Committee (GAC), to give official notification that it may be rejecting aspects of the GAC advice related to WHOIS. In particular, it pointed specifically to the government request that limitations to query volumes under an accreditation programme be balanced with “investigatory cross-referencing’ needs”, that there is confidentiality related to WHOIS queries by law enforcement agencies, and, crucially for rights holders, that continued access to WHOIS data – including non-public information – is ensured for “users with a legitimate purpose until the time when the WHOIS model is fully operational, on a mandatory basis for all contracted parties”.

The latter signals that access to WHOIS could, in effect, go dark for rights holders at the end of next week. On the same day as the official GAC letter was sent, ICANN revealed details of its proposed Temporary Specification for gTLD Registration Data, which aims to provide a contact mechanism for parties to reach domain name registrants in this new environment.  

In terms of public versus non-public data, the working draft document – which was discussed at an ICANN board meeting yesterday – states that redacted information would include the registrant’s name, street, city, phone and number. In terms of contact information, the register would have to provide an email address or web form mechanism to allow contact with the registrant, although it notes that the email address and/or web form URL should not contain, or be derived from, the email address of the specific contact.

The specification notes that registrants would be able to opt-in to having their full contact information made publicly available, and further states that users with legitimate purpose for accessing the non-public personal data would be able to request access through registrars and registry operators. However, the detail related to third-party access are still reliant on WP29 providing guidance that the provision of specified non-public elements of registration data to a specified class of third-party for a specified purpose is lawful. Therefore, whether rights holders could claim ‘legitimate interest’ in enforcement efforts remains to be seen.

On Twitter, Jeff Neuman, co-chair of ICANN’s Subsequent Procedures Working Group and SVP for Com Laude for the USA, reports that the ICANN board discussed the proposed specification for over 16 hours this weekend, and is planning to vote on its adoption around May 17 (after revisions have been made). However, he notes that the board does expect the Temporary Specification to be in place on May 25 for a period of 90 days (which is then renewable for three additional 90-day periods). That would provide the organisations with a year to finalise a permanent specification.

While ICANN awaits word of whether the efforts to date mean that it – and the “2,500+ data controllers who operate the WHOIS system” – will avoid fines for non-compliance with GDPR, a clearer picture is emerging of just how greatly online trademark infringement investigations will be impacted after May 25. Expect GDPR to be a hot topic at next week’s INTA Annual Meeting as counsel scramble to adapt their enforcement strategies.