WHOIS and the GDPR – can they co-exist?
While ICANN requires registries to publish registrant data in the WHOIS to ensure transparency, GDPR pulls in the other direction and restricts large-scale publication of personal data. What does this mean for registrars transferring personal data to DK Hostmaster when the data is published in the WHOIS?
Hot topic on an international level
A hot topic at ICANN60 in Abu Dhabi was the legality of an open, public WHOIS after 25 May 2018 where the GDPR shall apply. According to a legal opinion commissioned by ICANN and a recent decision from the Dutch Data Protection Agency, it will be illegal to keep a public WHOIS under the GDPR. Both parties agree that publication of personal data in the WHOIS cannot legally be based on neither consent, legitimate interest in publication nor in the necessity to publish in order to fulfill a contract.
While this is only a contribution to the interpretation of the GDPR’s impact on the WHOIS, it is necessary to prepare for the fact that this might be the reality from 25 May 2018. And perhaps even now, because the current EU Data Protection Directive already sets forth a regimen very similar to the GDPR.
Impact on registrars and DK Hostmaster
So what does this mean for registrars and DK Hostmaster? Can registrars even legally provide DK Hostmaster with personal data concerning their registrants knowing that this data will be published in the WHOIS?
Luckily, this question can actually be answered quite easily in Denmark. DK Hostmaster is bound by the Domain Names Act which legally obligates DK Hostmaster to maintain a public WHOIS showing the name, address and telephone number of all registrants. Since there is solid legal basis for the publication in the under Danish law, DK Hostmaster does not need to publish the data using any of the three legal bases mentioned above.
Registrars will therefore also have their legal basis in order under article article 6.1 (b) in the GDPR as it is necessary for the registrar to provide DK Hostmaster with the data needed for the WHOIS database in order to fulfill the registrar agreement.
It is also very important for registrars to inform the registrants that their data will be disclosed to DK Hostmaster and thus be published in the WHOIS. This is also a requirement under the current data protection legislation.
Business as usual after 25 May 2018?
So, will nothing change? Well, maybe. In addition to the above mentioned data required by the Domain Names Act, DK Hostmaster also publishes the same information regarding the registrant’s proxy (if the option of having a proxy has been chosen). The legal basis for this is currently in the registrant agreement.
However, if this is deemed unlawful, the publication of proxy data will cease and the registrant agreement will be changed accordingly. Or perhaps the Domain Names Act will be changed. No matter what happens, we will continue to keep you updated on the matter, and you are always welcome to contact us if you have any questions or comments.