Can we still have a GDPR moratorium, asks US domain-name body
The Whois public database of domain name registration details is dead.
In a letter [PDF] sent this week to DNS overseer ICANN, Europe’s data protection authorities have effectively killed off the current service, noting that it breaks the law and so will be illegal come 25 May, when GDPR comes into force.
The letter also has harsh words for ICANN’s proposed interim solution, criticizing its vagueness and noting it needs to include explicit wording about what can be done with registrant data, as well as introduce auditing and compliance functions to make sure the data isn’t being abused.
ICANN now has a little over a month to come up with a replacement to the decades-old service that covers millions of domain names and lists the personal contact details of domain registrants, including their name, email and telephone number.
Hey, so Europe’s GDPR privacy deadline for Whois? We’re going to miss it … by a year or so
ICANN has already acknowledged it has no chance of doing so: a blog post by the company in response to the letter warns that without being granted a special temporary exemption from the law, the system will fracture.
“Unless there is a moratorium, we may no longer be able to give instructions to the contracted parties through our agreements to maintain Whois,” it warns. “Without resolution of these issues, the Whois system will become fragmented.”
We spoke with the president of ICANN’s Global Domains Division, Akram Atallah, and he told us that while there was “general agreement that having every thing public is not the right way to go”, he was hopeful that the letter would not result in the Whois service being turned off completely while a replacement was developed.
Justify my love
“I think the Working Party is looking at this issue from a ‘do you have the right justification?’ perspective,” he argued. “So we need to dig into the justifications in terms of our bylaws and mission and remit.”
In other words, the Whois service may still publish some personal details once everything has been worked through, so long as there is a clear justification for it. It’s uncertain at this stage what that would be.
But Atallah’s current focus is on persuading the authorities to grant ICANN a stay of execution while it comes up with an interim model. “It is very important for us to have a moratorium and be able to say to our contracted parties ‘if you implement this model, you will be in full compliance’,” he noted. “We need some kind of relief.”
He was however unable to give an example of another industry that has been granted similar relief, relying on public statements from data protection authorities that they aren’t seeking to punish people but want to work with organizations to improve privacy, as an argument for why ICANN should be exempted for now.
Critics point out that ICANN has largely brought these problems on itself, having ignored official warnings from the Article 29 Working Party for nearly a decade, and only taking the GDPR requirements seriously six months ago when there has been a clear two-year lead time.
One company that is caught in the middle of the dispute is sanguine about the possible death of the service. “Is this the end of public Whois? Yes, in its current form,” CEO of Irish registrar Blacknight, Michele Neylon told us. “But is it going to go completely dark? No.”
Neylon has long complained about ICANN’s refusal to acknowledge European law when it comes to the Whois service: back in 2013, he refused to sign an updated version of the contract that domain name sellers have with ICANN until it gave him a legal waiver over its data retention requirements.
“That decision probably cost us money, but if we have to choose between operating legally or illegally our path is clear,” he wrote in a blog post this week.