The EU General Data Protection Regulation (GDPR) comes into effect on 25 May this year, and one area of contention that has emerged is the question of Whois data. That’s the personal information of individuals or companies who register domain names. For historical reasons, domain registries and registrars have been contractually obliged to collect this data, and to make it publicly available to anyone who wants to query it.
To explain the issues involved, we turned to Blacknight’s CEO, Michele Neylon, for this week’s podcast. In addition to running Blacknight, Michele recently took over the chair of the industry group i2Coalition, and he’s also a member of ICANN’s Generic Names Supporting Organisation.
The podcast runs 23:16 (13MB, MP3).
Fines could put companies out of business
The rules in GDPR aren’t new, explains Michele; what is new is the enforcement powers it gives to data protection authorities.
“With GDPR you get fines, and it’s not simply a question of a little smack on the wrist … these are fines of a level that could put a business in severe difficulty, or even put them out of business”
The internet, he explains, has changed since the days when Whois data was needed so that system administrators could contact each other about systems causing problems for the evolving network. Back then, nobody envisaged that domain names would be registered by ordinary people who were not sysadmins.
“The Whois system as we know it was never really designed. It evolved organically over time. Twenty-plus years ago, Whois information was for a particular purpose: one technical operator wanted to interact with another technical operator.”
As domain names came into wider use, the same process was followed, but it no longer serves the purpose it once did. For historical reasons, ICANN still mandates the same kind of Whois obligations in its contracts with registrars and registries, and the collection and publication requirements are problematic: they are not aligned with Irish or European data privacy rules.
“We already got involved in a fairly contentious debacle a couple of years back around the data retention requirements, I mean essentially the contract says you need to hold on to this data for a ridiculously long period of time. However data protection rules say, well, you can only hold on to the data for as long as you need it, and ‘as long as you needed it’ is not something linked to an arbitrary contract with an entity in California. It doesn’t work that way. No. You need to be able to say ‘I need it for a very specific reason’.”
A solution may lie in a proposal by Eco, an industry grouping of which Blacknight is a member. Michele describes it as “privacy by design”, and says it provides a framework which companies can use to address the Whois issues around GDPR. But he stresses that GDPR compliance is about the totality of a company’s involvement with personal data, and Whois is only one part of that.