2020.03.18

Whois and GDPR: the US response is underway

The entry into force of the General Data Protection Regulation (GDPR) (eur-lex.europa.eu) on May 25, 2018, caused an earthquake by silencing most domain name databases. Since then, Whois records speak only “under duress”. The Internet Corporation for Assigned Names and Numbers (ICANN) resisted as long and as much as it could, but had to resign itself to subjecting generic registries and registrars to compliance with European law. However, the United States Department of Commerce and the National Telecommunications and Information Administration were so adamant that a response could be expected. The counterattack is underway.

On February 26, 2020, Congressman Bob Latta introduced a resolution to counter the effects of the GDPR on Whois databases. According to Mr. Latta, there are multiple reasons why information identifying the holders of domain names needs to remain accessible:

  • protection of the national and economic security of the United States;
  • respect for intellectual property rights;
  • cybersecurity;
  • health; and
  • private life.

In summary, Mr. Latta recalls that a Whois record is a bit like the identity card of a website. If the Whois records are silent, the identification of the authors of illicit acts is made more difficult (latta.house.gov).

Let us add, for our part, that this identification is delayed, which is a handicap in situations that demand prompt action.

If such a law were passed in the United States, the most pressing issue would be its territorial scope. It is certain that it would have absolutely no impact on the databases of the Member States of the European Union and of the European Union itself. On the other hand, it would obviously apply to domain name registries and registrars having their main office in the territorial jurisdiction of the United States. Should they, therefore, restore to Whois records their loquacity of yesteryear? Certainly, since the law would require it. But in so doing, by disclosing the personal data of citizens of the European Union, would they not run the risk of a (heavy) fine on the basis of the GDPR?

Indeed, a modification of the GDPR should be envisaged, which would consist in obliging registries and registrars to disclose even the professional postal and electronic addresses of companies holding domain names. There is no need for these addresses to refer to any personal data whatsoever. Admittedly, the parties concerned would not be satisfied with a solution which would keep the data of natural persons safe. It must be admitted that such a position can be understood insofar as cybercrimes are, most often, committed by natural persons and not by legal persons. However, it is equally certain that the European Commission will keep a stiff upper lip. In the end, it is likely that American registries and registrars will be forced to release Whois information only for holders of domain names who do not elect domicile in the European Union.

About IP Twins

IP Twins is an ICANN-accredited domain name registrar with 15 years of experience in domain name strategy and management.

We issue security certificates tailored to your needs to ensure the security of visitors to your website.

IP Twins also offers monitoring and enforcement services against counterfeiting and cybersquatting. We represent trademark holders in UDRP proceedings. Our monitoring software, Detective, identifies counterfeits online. We collect evidence and can have listings removed from hundreds of marketplace platforms, social networks and the web in general.

We also have an investigation team based in China.

Do not hesitate to contact us.