Cartagena Michele Neylon CEO Blacknight Ireland

Why ‘Whois’ Must be Fixed to Comply with GDPR [Audio]

The EU General Data Protection Regulation (GDPR) comes into effect on 25 May this year, and one area of contention that has emerged is the question of Whois data. That’s the personal information of individuals or companies who register domain names. For historical reasons, domain registries and registrars have been contractually obliged to collect this data, and to make it publicly available to anyone who wants to query it.

To explain the issues involved, we turned to Blacknight’s CEO, Michele Neylon, for this week’s podcast. In addition to running Blacknight, Michele recently took over the chair of the industry group i2Coalition, and he’s also a member of ICANN’s Generic Names Supporting Organisation.

Click on the player below to play the podcast, or download it here: 23:16; 13MB; MP3.

Fines could put Companies Out of Business

The rules in GDPR aren’t new, explains Michele, but what is new is the powers of enforcement it gives to data protection authorities.

“With GDPR you get fines, and it’s not simply a question of a little smack on the wrist … these are fines of a level that could put a business in severe difficulty, or even put them out of business”

The internet, he explains, has changed from the days when Whois data was required to allow system administrators to contact each other about systems which were causing problems for the evolving network. Back then it wasn’t really envisaged that domain names would be registered to ordinary people, who would not be sysadmins.

“The Whois system as we know it was never really designed. It evolved organically over time. Twenty plus years ago, whois information was for a particular purpose: one technical operator wanted to interact with another technical operator”

Over time, as domain names were used more and more, that same process was followed, but it is no longer useful in the same way that it was. However, for historical reasons, ICANN still mandates the same kind of Whois obligations in its contracts with registrars and registries, but the collection and publication requirements are problematic. They’re not aligned with Irish or European data privacy rules.

“We already got involved in a fairly contentious debacle a couple of years back around the data retention requirements, I mean essentially the contract says you need to hold on to this data for a ridiculously long period of time. However data protection rules say, well, you can only hold on to the data for as long as you need it, and ‘as long as you needed it’ is not something linked to an arbitrary contract with an entity in California. It doesn’t work that way. No. You need to be able to say ‘I need it for a very specific reason’.”

A solution may lie in a proposal by Eco, an industry grouping of which Blacknight is a member. Michele describes it as “privacy by design”, and says it provides a framework which companies can use to address the Whois issues around GDPR. But he stresses that GDPR compliance is about the totality of a company’s involvement with personal data, and Whois is only one part of that.

Subscribe for free to receive The Blacknight Podcast, via Apple Podcasts or RSS.


, , , , , , ,

8 Responses to Why ‘Whois’ Must be Fixed to Comply with GDPR [Audio]

  1. Jerry January 22, 2018 at 15:25 #

    I note that more and more sites use a “private registration” to hide their details from Whois, so I wonder what info would you actually see if said “private registration” services were to hide the info that each of the modes would allow?

    • Michele Neylon January 25, 2018 at 14:21 #

      It depends on the whois privacy / proxy service in question.
      Essentially when an individual or organisation uses one of these services the registrant details are replaced with the details of the privacy service.

      Thanks for your comment.



  1. Introducing The Blacknight Podcast - January 30, 2018

    […] interested in internet governance and data protection, and in technology that works for […]

  2. GDPR Perspectives Webinar - February 15, 2018

    […] talked about GDPR a few times over the last few months, but our focus has been mostly around the implications for […]

  3. Whois – Why the hell is this so bloody complicated? - March 11, 2018

    […] I mentioned on a recent podcast, the GDPR and whois are a huge problem and as a company we have to comply with the law even if that […]

  4. Why Blacknight is Unbeatable with IE Domain Names at €4.99* - March 12, 2018

    […] the lead in developing internet naming policy at home and abroad, and we’ve been a voice for common sense and […]

  5. Game Over for Public Whois? Article 29 Gives ICANN the Advice it Asked for - April 13, 2018

    […] also been talking a bit about GDPR,  and how WHOIS and various other obligations imposed on us, either directly by ICANN or indirectly through its […]

  6. Game Over for Public Whois? Article 29 Gives ICANN the Advice It Asked For - April 13, 2018

    […] also been talking a bit about GDPR, and how WHOIS and various other obligations imposed on us, either directly by ICANN or indirectly through its […]