The European Union Continues to Tackle the WHOIS Issue

INTA members have been struggling with obtaining access to domain registration data since May 18, 2018. This is the date that the European Union implemented the General Data Protection Regulation (GDPR). As a result of the interpretation of the GDPR by ICANN (the Internet Corporation for Assigned Names and Numbers) and the domain industry, most publicly available domain name registration information has been redacted. INTA members have been left to their own devices to try to find the information necessary to conduct investigations into suspected intellectual property (IP) infringement. INTA has been working within the ICANN system and with government officials to solve this critical problem, as IP owners have lost a major tool in combating abuse.

In response to the implementation of GDPR, ICANN enacted a temporary specification to its contracts (Temp Spec), which allowed registrars and registries to redact personal information from publicly available registration databases known collectively as “WHOIS.” The Temp Spec came into effect when GDPR came into effect. As a result, the WHOIS system was rendered inoperable for its primary purpose of facilitating contact with domain registrants.

ICANN responded to the problem by implementing an Expedited Policy Development Process in June 2018. However, the results have not been optimal for brand owners, cybersecurity experts, and law enforcement investigators. In a nutshell, the current solution on the table at ICANN is a proposed WHOIS disclosure system that does not differentiate between personal and legal entity information and does not guarantee access to information. However, the system would at least create a centralized system for requesting data.

The implementation of GDPR and the threat of heavy fines have made it difficult for registrars and registries to assess their risk for improper disclosure of domain name registration data. Therefore, the responses to requests for information remain low. Some registrars have even gone as far to say that the GDPR has effectively eliminated the need for WHOIS because the registrars do not need the data required by ICANN’s WHOIS policy. Under the principle of data minimization, GDPR requires that registrars only collect the data that they need. The EU has attempted to address some of these concerns with its proposed implementation of the second iteration of The Network and Information Security Directive (NIS2), an EU-wide legislation on cybersecurity with a specific aim to achieve a high, common level of cybersecurity across the member states.

While NIS2 covers a broad range of cybersecurity issues, the proposed legislation confirms five essential pillars of operating a WHOIS database:

1. A WHOIS database must be maintained by Internet service providers;
2. Registration data is collected and maintained, and must be complete, accurate, and verified;
3. Data is available immediatelyl once it is entered into the database;
4. Access is available for “legitimate access seekers,” for public and private sector actors; and
5. Those legitimately seeking access to the database should not be charged for data.

The balancing test for the release of data is still left in the hands of registration service providers, which includes registrars, registries, privacy/proxy providers, and resellers. This means that there is no guarantee that redacted, personal data will be released upon request from a legitimate access seeker. However, NIS2 is a big step in the right direction for affirming (1) the importance of the WHOIS system; and (2) that access to personal data for legitimate purposes is permissible. The proposed legislation will apply to EU member states as well as essential and important entities as defined by the directive and the implementing language of the member states.

The language of NIS2 has been agreed upon by the European Parliament, the Council of Europe, and the European Commission through its trilogue process. The next step is for the Parliament and Council to vote on the Directive, which should take place later this year. Once the Directive is passed, the 27 member states will have 20 months to transpose it into their national laws.

INTA’s External Relations Team and EU Representative Officers have been following this issue closely. Since the Directive was proposed in December 2020, INTA has met with key government officials, been part of informal industry coalitions, and provided comments throughout the process. We will continue to monitor the progress of NIS2 and advocate on behalf of brand owners, for whom the WHOIS data access is an ongoing, critical issue. Such activities will include advocacy at the member state level and gathering data on whether access to redacted WHOIS information improves as a result of the Directive.

Although every effort has been made to verify the accuracy of this article, readers are urged to check independently on matters of specific concern or interest.

© 2021 International Trademark Association