Domain operator PID can stay secret under GDPR
5 June 2018
Finding out who is operating an internet domain may get a little harder, thanks to a German court ruling that the European Union’s General Data Protection Regulation (GDPR) applies to personal information held in the worldwide whois service.
While that is potentially good news for domain name owners, it may pose problems for law enforcers or anyone else trying to report a problem with a domain.
ICANN, the Internet Corporation for Assigned Names and Numbers, manages the whois service, and requires its accredited domain name registrars to collect and store for each domain the owner’s name and postal address, and also the name, postal address, e-mail address, telephone number, and (where available) fax number of the domain’s technical and administrative contacts. (These three may be the same person.)
German registrar EPAG Domain Services told ICANN it wanted to stop collecting personal details for the technical and administrative contacts when the GDPR came into effect on 25 May, as this went against the principle of data minimisation, although it would continue collecting information about domain name owners.
ICANN promptly filed suit at the Regional Court in Bonn, Germany, asking for an injunction forcing EPAG to continue recording administrative and technical contact details for any domains it registered, or pay a €250,000 fine — but now the court has rejected its request.
The court refused to grant the injunction because there was no evidence that the additional information was necessary, given that the same person could be listed for all three contacts, according to a translation of the ruling provided by the court.
It also questioned why ICANN required more personal information about the administrative and technical contacts than it did about the domain name owner, the person legally responsible for the domain.
Until recently, information gathered by registrars was made publicly available through the global whois service, but in May ICANN published a temporary policy on how the information would be published once GDPR took effect. That policy proposes introducing tiered or layered access to personal information, limiting it to users with a legitimate and proportionate purpose. Those purposes could include law enforcement, competition regulation, consumer protection or rights protection, according to the policy document.
The court ruling “did not provide the clarity that ICANN was seeking when it initiated the injunction proceedings,” said John Jeffrey, ICANN general counsel and secretary. The organisation will seek further clarification of the effect of GDPR on the whois service from the European Commission and the Article 29 Working Party, an umbrella body bringing together the EU’s national privacy regulators.
Some organisations avoid registering any personal information for their administrative and technical contacts — among them ICANN itself, which provides generic email and office addresses. It also lists a single number for both contacts’ phone and fax, which is also the main number for its network operations centre.
IDG News Service