The ICANN WHOIS system is gone, the process for a GDPR compliant WHOIS has started!

 

After twelve months of endless discussions and a looming deadline, ICANN received information from the Art 29 Working Party. 

The EU Data Protection Authorities will not grant ICANN forbearance regarding the May 25th deadline when it comes to the WHOIS. Again the DPA’s re-confirmed their advise towards ICANN and does not deviate much from the advice they have provided ICANN since 2000.

The full press release from ICANN and the Article 29 WP letter can be read here.

Now that it is official there will be no forbearance regarding WHOIS, which was a silly request to begin with, registrars must shift into gear to get the WHOIS GDPR compliant.

Our solution will look like the screenshot below, though the below is subject to future change, I do not expect our GDPR solution will change drastically.

 

We will continue to display the country code and state field (if provided), due to the fact that it might be relevant for trademark lawyers.

The solution mentioned above is a mix of what ICANN has sent to the Art 29 WP, there is some advice incorporated from the ECO playbook. Last but not least we cherry-picked some elements from the WHOIS output solution by the Dutch Registry SIDN.

SIDN does not publish personal data of the registrants for many years now, so we have a great deal of experience with such WHOIS output and as a result, we have many operational procedures and solutions in place.

 

Reseller lookup tool
Our Reseller lookup tool is available here. We will also mention the link to this tool in the WHOIS output of the Realtime Register WHOIS server.
This tool allows people to look up the domain and the relevant reseller contact information.

As a data processor, we are limited in our role due to data protection laws, and we must refer to the data controller (our reseller) when it comes to domain name inquiries.
I think our lookup tool will be of great assistance for Law Enforcement Agencies, Trademark Lawyers, etc.

Most of our Dutch resellers will be very familiar with the above concept, as reseller data plays a significant role in the WHOIS for .NL domain names.

I expect that the WHOIS will become less relevant on May 25th and will have an effect on transfers.
Expect a blog post about the transfer details within a week.

Also, this blog describes the WHOIS server of Realtime Register, not the WHOIS servers operated by thick registries all over the world. It is possible that while we at a registrar level do not display personal data, a Thick WHOIS registry continues to show the data of your customers in their available public WHOIS…

Update on ICANN and WHOIS

Kevin Murphy from DomainIncite has written an excellent article about the all the ins and outs how WHOIS might look like in May this year, which you can read here.

I do not entirely agree with Kevin if privacy services are going to be free.
In the current setup, our privacy proxy service still has added value when it comes to spam prevention.
I think it is more accurate, that if ICANN no longer requires personal data to be displayed in the WHOIS the need use a privacy service to prevent such display of personal data becomes obsolete, after all that is what a privacy service does, replacement of personal data from the registrant through the use a privacy proxy service.
Many data protection laws have a data minimization requirement, which is absent in the ICANN proposal. The Realtime Register privacy proxy service makes sure that such condition is fulfilled. Of course, there is a chance that ICANN will stop with the Thick WHOIS requirements, but for now, the ICANN community is not ready for such chance.

The ICANN model still requires that the organization/company field should always be displayed.
I do not agree, while it is true that companies are exempt from the GDPR, it is not up to ICANN to make the distinction here and would go against the recommendation of the ICANN PPSAI working group. This group recommended that there is no distinction between natural persons and companies when it comes to the usage of privacy proxy services. Why ICANN thinks they are in charge to make the distinction is beyond me.
In most cases, if not all, regional law or national law requires companies to publish their contact data on their website(s) NOT the WHOIS.

My advice to our customers, use our privacy service (or data protection compliance service) at all times. You can read more regarding this service here.

With ICANN 61 starting this week, we will soon know more how the WHOIS will look like. ICANN still seeking input, so some of it is subject to change, though I think we have a rough outline now on how it will look like.