On May 25th, 2018, the EU implemented the GDPR (General Data Protection Regulation), a far-reaching and important step towards data privacy regulation. It allows for stronger governance of personal information trading, and is widely regarded as a cultural milestone in this newly developing internet-focused age.
How Free Access to WHOIS Database Might be a Violation of the GDPR
However, not all of its implementation has gone smoothly. The WHOIS database is a well-known lookup service that has historically allowed anyone at any time to find the personal contact information of the owners of a certain domain. Free, public access to this database is necessary for ongoing cybersecurity and investigative tasks. Law enforcement officers have used it in the past to put a quick stop to website users that have been propagating terrorist information, hosting malicious botnets, or stealing IP addresses. Such free and easy access to personal information, however, may be a violation of the GDPR’s 5th and 6th articles. U.S. Secretary of Commerce Wilbur Ross, along with many others, has expressed concern that the well-intentioned set of rules could now be putting public safety at risk by enforcing WHOIS GDPR compliance.
Could There Be a “Middle of the Road” Solution?
The council of European data protection authorities has gone on record to say that there is no legal basis for public access to the WHOIS database. This position puts ICANN at significant legal risk, the consequences of which could result in a fine of up to 4% of its global revenue. The same month the GDPR went into place, ICANN modified its own contract with the registrars who manage the domains on their list. Information is still being collected, but access to it is now protected by a system of “layered access”, in effect allowing information to be accessed only by those who can prove a significant “need to know”, such as law enforcement. This is, for the moment, a temporary fix. ICANN could very well have continued as it did previously and simply challenged subsequent complaints from data protection authorities in court, but such a stance would pose a sizable risk. The European Court of Justice has historically been both for and against access to public information in different circumstances, and this is new and unstable legal ground with a lot of never-before-seen variables.
Changes in the World of Cybersecurity and Data Privacy
Unfortunately, there is currently no one-size-fits-all solution to this issue. ICANN is working on a potential system to allow law enforcement easy access while still allowing for proper WHOIS GDPR compliance, but such a system could take more than a year to work out. Even then, it could very well be nothing more than an unwieldy workaround. Either way, the GDPR is one big first step in what may be many upcoming changes surrounding the world of cybersecurity and data privacy, and each action will have aftershocks no one will be able to see coming. The WHOIS database case will no doubt, in the future, become a symbol of the direction the internet age will take on the debate of safety versus privacy. Only time will tell how a compromise will be reached.