The Impact of GDPR On the WHOIS Database PC & Laptops by Gabriel Dustin - January 24, 20190 The General Data Protection Regulation (GDPR) has had a wide effect on individual data privacy and protection across the European Union. In a post-GDPR world, the regulations affect a variety of technologies and processes throughout the world. One of these areas affected is the WHOIS database that stores information about domain names. WHOIS Overview The WHOIS database is a repository of internet domain name information by the Internet Corporation for Assigned Names and Numbers (ICANN). A domain name registrar provides these registration services. ICANN governs domain name registrars through accreditation and coordinates the use of this data through ICANN specifications. These registrars, in turn, provide accurate WHOIS information through unrestricted public access. Post-GDPR Impact to WHOIS Since the domain registration process collects personal information, the GDPR affects the operation of the WHOIS process. The level of personal information in WHOIS made it non-compliant with GDPR which requires personally identifiable information to be masked. In response to this, ICANN adopted the “Temporary Specification for gTLD Registration Data.” This is ICANN’s temporary GDPR compliance solution with a more permanent solution to be developed in the future (this specification expires in May 2019). This has resulted in a change to what type of information is available when performing a WHOIS lookup on a domain name. The information publicly available include the registrar name, the creation date, the domain expiration date, and the status of the domain name registration. Requesting Domain Name Contact Information Before the GDPR, contact information on a domain name was readily available. Now, an individual wanting registrar contact information must contact the domain registrar. The domain registrar must provide, in a timely manner, respond to this request. The amount of contact information provided varies between registrars. The registrars determine, on a case-by-case basis, whether the request’s interest in the information outweighs the domain registrant’s privacy interests. Another way to get domain information is via an anonymized email that is provided by the registrar with the WHOIS information. This may or may not work since it is up to each individual registrar to determine how to respond to anonymous requests. Domain Name Complaints Trademark owners and businesses still have a need to dispute the ownership of domain names. The Uniform Domain Name Dispute Resolution Policy (UDPR) provides a means to dispute domain names via UDPR providers such as the World Intellectual Property Organization (WIPO), Forum and others. The ICANN Temporary Specification includes the fact that a domain name complaint is not invalid if it does not include the name and contact information of the registrant. A “John Doe” can be used in the UDPR complaint. The GDPR has provided tremendous individual privacy protections across the European Union resulting in the requirement to restrict public access to a registrant’s contact information in WHOIS. Be aware of this impact when investigating domain information and know that more effort is needed to contact a domain name registrar.