Legal Alert: ICANN Proposes Framework for WHOIS Access, but Questions Remain


On May 25, 2018, the European Union's (EU) General Data Protection Regulation (GDPR) went into effect, establishing new restrictions on the use and publication of personal information. The GDPR has broad application, extending to data that is processed (1) in the EU, (2) by EU companies, or (3) for activities related to goods/services offered to EU residents. As a result, its impact extends far beyond the EU.

One area where we see significant change is the WHOIS database for domain names (i.e., the identity and contact information for the person or entity that owns the domain). Until recently, that information was publicly available online. However, to comply with the GDPR, a new policy was adopted by the Internet Corporation for Assigned Names and Numbers, the nonprofit responsible for managing the domain name system.

ICANN's Temporary Specification for gTLD Registration Data, adopted May 17, 2018, substantially limits the amount of WHOIS information that is available online. On June 18, ICANN published guidelines to sketch out the basic framework for a system to allow access to non-public WHOIS data to persons with a "legitimate purpose" and to impose "codes of conduct" for such access.

What is a legitimate purpose? That remains to be seen. The guidelines state that ICANN will work with EU countries and other stakeholders to craft appropriate categories of legitimate uses, anticipating at least:

  1. ICANN/Registrars will have access to facilitate registration and transfer of domain names.
  2. Law enforcement officials will have access upon approval, with each country being responsible for determining the types of law enforcement officials who should have access.
  3. Intellectual property (e.g., trademark) owners will have access upon approval from a designated organization.

For intellectual property owners, the system will involve submitting an application to a nongovernmental organization, explaining the legitimate purpose for the access, and agreeing to be bound by a code of conduct. For instance, in a case of cybersquatting (i.e., when someone registers a domain name where your trademark is in the domain name), you might need to explain that you own the trademark, that you did not authorize the registrant's use of the mark in the domain name, etc. If approved, you would receive a credential, which you could use to access the nonpublic WHOIS information through the appropriate registrar (i.e., a company like GoDaddy that manages the registration of domain names).

What are the codes of conduct? At present, it is unclear what the codes of conduct will entail or who will develop them, but they will establish (among other things):

  1. Limitations on the use of data.
  2. Procedures for accessing data to prevent abuse.
  3. Security measures to preserve the integrity of data.
  4. Limitations on transfers of data.
  5. Safeguards to protect the rights of persons who own or are identified by the data.
  6. Obligations for data controllers to comply with GDPR requirements.
  7. Requirements for fair and transparent processing.

Unfortunately, while ICANN's guidelines are thought-provoking, they provide little more than the abstract information outlined above. Some of the many questions that remain include:

  1. Administration: Who will administer the program and oversee the application and authentication process? Will it be one organization or many? So far, the top candidates appear to be the World Intellectual Property Organization or the Trademark Clearinghouse, but little else is known.
  2. Compliance: How will registrars be held accountable if they fail to comply with a proper, authorized request?
  3. Costs: Will there be any cost associated with the application process (e.g., an application fee)? Will there be any cost associated with access (e.g., an access fee)?
  4. Logistics: Will the credentials be issued by the same nongovernmental body that receives and processes the applications, or will they be issued by a central credentialing body?
  5. Scope of authority: Will authorized persons have access to (a) WHOIS information for all domain names, (b) WHOIS information for specifically defined domain names or categories of domain names, or (c) specific WHOIS information limited to specifically defined domain names?
  6. Transparency: How will effectiveness and compliance be monitored and audited?

In short, ICANN's new guidelines provide a useful starting point for developing a system of providing appropriate, reasonable access to nonpublic WHOIS information under the GDPR. However, this is the first phase of a three-phase process. We anticipate many changes in the coming years.