WHOIS is lining up to be the first victim of the General Data Protection Regulation (GDPR). It may soon be no more. 

The Internet Corporation for the Assigned Names and Numbers (ICANN) is the international non-profit organization charged with defining rules that regulate domain registrations. ICANN requires registrars (like the Verisign’s and GoDaddy’s of the world) to transfer registrant contact information, like the registrant’s name, address and email address, for entry into the publicly available WHOIS database. Failure of a registrar to provide this information could result in the registar losing ICANN accreditation.

Now enter the GDPR which becomes effective on May 25, 2018. The GDPR governs collection of personal information within the EU and of information of EU residents that is collected outside of the EU The GDPR has broad coverage, to say the least. The GDPR attempts to unify data protection rules among all EU member countries. The GDPR even governs personal information that is publicly available and provided voluntarily. Valid consent to collect information must be given in a manner dictated by the GDPR, and provisions in online terms will not suffice. Domain registration procedures do not obtain valid consent required by the GDPR. 

Potential fines for violations of the GDPR put fear in the hearts of very privacy profession – up to the greater of €20 million or 4% of a company’s global revenue!

When weighing potential massive fines for violating the GDPR and a loss of certification from ICANN from failing to transfer the registrant data to the WHOIS database, registrars are likely to risk the ICANN consequences – and ICANN recognizes the predicament. As a matter of fact, registrars have already begun refusing to transfer the data. See here.

ICANN has already received notice from an EU representative indicating that the WHOIS database does not comply with the GDPR requirements. See notice here. The notice proposed alternative approaches that are probably prohibitively expensive for many registrars to implement. See here for a memo commissioned by ICANN from an outside law firm – it does not offer ICANN realistic options: see here.