ICANN’s Whois proposal fails to impress European data regulators

11-07-2018

ICANN’s interim proposal for making the Whois system compliant with the new General Data Protection Regulation (GDPR) in the EU has failed to impress European data regulators.

The European Data Protection Board (EDPB), which is an independent European body, published its letter to ICANN on Thursday, July 6.

Under the Whois system, domain name registries and registrars must provide public access to information on registrants, including their names and addresses.

ICANN approved a temporary solution for storing registration data in May, a week before the GDPR came into force, to comply with the new regulation. During the same month, it wrote to the EDPB to seek clarification on its obligations under the GDPR.

Personal data processed through Whois can be made available to third parties with “a legitimate interest in having access to the data”, the EDPB’s response said, but registrants should not be required to provide personal data identifying third parties to fulfil the “administrative or technical functions on behalf of the registrant”.

The EDPB also said it is for ICANN to determine and justify the appropriate data retention period.

However, it added that ICANN has yet to demonstrate why each of the personal data elements processed in the context of Whois “must in fact be retained for a period of two years beyond the life of the domain name registration”.

It requested that ICANN re-evaluate its proposed retention period of Whois data.

In its letter, the EDPB said ICANN must take further steps to become compliant with the GDPR.

ICANN first proposed interim changes to the Whois system in February this year, but in April, the Article 29 Data Protection Working Party (WP29) said the changes did not go far enough.

WP29 was an advisory group made up of a representative from the data protection authority of each EU member state. It has been succeeded by the EDPB.

Meanwhile, ICANN is embroiled in a legal battle with domain name registrar EPAG in Germany. ICANN requires full Whois data to be collected, and ordered registrars to continue collecting administrative and technical data after the GDPR came into effect in May.

But EPAG said it would delete the contact information for new domain name registrations following the introduction of the new regulation.

ICANN asked the Regional Court in Bonn to issue an injunction in order to ensure the data is made available, but the court refused. ICANN has appealed against the decision.

Trademarks and Brands Online