Whois and GDPR: the US response is underway
The entry into force of the General Data Protection Regulation (GDPR) (eur-lex.europa.eu) on May 25, 2018, caused an earthquake by silencing most domain name databases. Since then, Whois records speak only “under duress”. The Internet Corporation for Assigned Names and Numbers (ICANN) resisted as long and as hard as it could, but had to resign itself to requiring generic registries and registrars to comply with European law. However, the United States Department of Commerce and the National Telecommunications and Information Administration were so adamant that a response was to be expected. The counterattack is underway.
On February 26, 2020, Congressman Bob Latta introduced a resolution to counter the effects of the GDPR on Whois databases. According to Mr. Latta, there are multiple reasons why information identifying domain name holders must remain accessible:
- protection of the national and economic security of the United States;
- respect for intellectual property rights;
- health; and
- private life.
In summary, Mr. Latta recalls that a Whois record is a bit like the identity card of a website. If the Whois records are silent, the identification of the authors of illicit acts is made more difficult (latta.house.gov).
Let us add, for our part, that this identification is delayed, which is a handicap in situations that call for a prompt response.
If such a law were passed in the United States, the most pressing issue would be its territorial scope. It is certain that it would have absolutely no impact on the databases of the Member States of the European Union or of the European Union itself. On the other hand, it would obviously apply to domain name registries and registrars whose main office is within the territorial jurisdiction of the United States. Should they therefore restore to Whois records their loquacity of yesteryear? Certainly, since the law would require it. But in so doing, by disclosing the personal data of citizens of the European Union, would they not run the risk of a (heavy) fine under the GDPR?
Indeed, a modification of the GDPR should be envisaged, which would consist of requiring registries and registrars to disclose even the professional postal and e-mail addresses of companies holding domain names. Such addresses need not contain any personal data whatsoever. Admittedly, the parties concerned would not be satisfied with a solution that keeps the data of natural persons safe. It must be admitted that such a position is understandable insofar as cybercrimes are, most often, committed by natural persons and not by legal persons. However, it is equally certain that the European Commission will keep a stiff upper lip. In the end, it is likely that American registries and registrars will be forced to release Whois information only for holders of domain names who do not elect domicile in the European Union.