On May 25, 2018, the General Data Protection Regulation (GDPR) entered into force, impacting every entity handling the personal data of European residents. The WHOIS system, a public directory filled with personal data, seems at first incompatible with this new regulation. So how does the GDPR affect the fight against online infringements and abuse?
To try to get a clearer picture, we interviewed Luc Seufer, Chief Legal Officer of the EBRAND Services Group.
First of all, could you tell us whether EBRAND Services has been impacted by the GDPR?
Because of our clientele type and the range of services we provide, EBRAND Services knows first hand the concerns the GDPR creates for the domain name industry.
As a domain registrar, the protection of our clients’ personal data is paramount, so we have always complied with all applicable laws in this regard. Aside from the redaction of certain data in our WHOIS databases, the Regulation has not imposed drastic changes to the manner in which we operate but rather a more thorough documentation.
As a brand protection services provider, however, the aforementioned redaction does constitute a hindrance we would prefer not exist.
In the last few months, a constant stream of articles from intellectual property protection groups has been published to warn the public and lawmakers of the dire consequences of what they call the “WHOIS shutdown”. Could you tell us more about it?
To understand the current state of affairs, allow me to give you a brief history of ICANN and data privacy. For many years, data privacy specialists have formally and informally told ICANN that certain policies were infringing on European data protection laws.
The former Article 29 Working Party, now rechristened European Data Protection Board, sent several letters to each successive ICANN CEO.
Unfortunately, none took those warnings seriously and necessary reforms were never initiated.
Goran Marby, the current CEO of the organization, had to pressure the ICANN board of directors to approve a temporary policy allowing registries and registrars to take the actions they deemed necessary to abide by GDPR.
However, this policy’s text is so vague that each registry and registrar has implemented a different set of rules. Certain registries, for example, are redacting every WHOIS record in their database without regard to the location of the registrant or even the fact that they are a legal person and, thus, outside of the Regulation scope.
Others, like EBRAND Services, have taken a more pragmatic approach, only redacting details of natural persons while displaying an anonymized email contact address for those registrants. Others have opted to make an online contact form available on their websites. And some have even attempted to create an access model with a pseudo accreditation system.
In a few months, it has assuredly become difficult to access the contact details of domain name registrants.
Isn’t it ICANN’s role to define industry standards and enforce them?
During its latest meeting in Panama City, which I attended, ICANN announced that an expedited policy development process was being initiated, so that a lasting global solution could be created. ICANN’s goal is to have this new policy finalised and put into force by the end of April 2019.
Although this may seem very slow to the general public, it is light speed for ICANN. As a reminder, it took ICANN 10 years to launch the new extensions program.
This new policy should introduce a tiered access system to the WHOIS databases. For example, law enforcement agencies should have a certain type of access, IP owners another one, registrars another, security researchers another…
As previously mentioned, certain registrars have tried to pre-empt ICANN by devising their own tiered access, but their models are not based on a common standard and are operated by the registrars themselves. Although every registrar is presumably a competent technical services provider, they are certainly not qualified to judge the legitimacy of requests for access to customers’ personal data. In my opinion, this initiative is rather dangerous and ill-adapted but the eagerness to find a solution easily explains its conception.
Does this mean that the DNS has really become a lawless place?
Not quite. On top of their local laws, every ICANN accredited registrar is bound by the same accreditation agreement to ICANN. This agreement requires registrars to maintain a so-called abuse contact point. They must investigate reports of illegal activity involving domain names under their management.
As evidenced by our enforcement team results, it is still possible to obtain the suspension of domain names used in an illegal fashion. However, it’s very difficult to know the identity of the person behind the abuse.
So there is no way to identify infringing parties anymore?
Here, too, the crux of the issue is the lack of standard process and policy. Each WHOIS database maintainer (registry or registrar) is acting in accordance with its own interpretation of GDPR.
Some are adamant that only a court decision allows them to disclose personal data. Others solely require a substantiated complaint meeting the DMCA requirements. And some are clueless and, regrettably, remain mute.
When the infringement is constituted by the domain name itself, the initiation of a UDRP or URS may be considered as it will compel the registrar to disclose the registrant details. However, this route is quite expensive for a mere disclosure.
But this does not mean that brand owners are left to their own devices. EBRAND Services has developed a set of innovative technological tools over the years which are still fully functional despite the current situation.
Luc Seufer, Chief Legal Officer EBRAND Services Group