GDPR’s First Anniversary of Implementation and WHOIS: Where Are Brand Owners Now?

It’s been nearly a year since the European Union’s implementation of the General Directive on Privacy Regulation. Lori Schulman, INTA’s Senior Director of Internet Policy, takes a look at where things stand today.

In a recent interview conducted at the International Association of Privacy Professionals (IAPP) Global Privacy Summit in Washington, D.C., European Data Protection Board Chair Andrea Jelinek expressed that she is pleased with the first year of the GDPR because it has prompted a global discussion on privacy and “the sky has not fallen.”

While it is true that GDPR compliance is becoming a norm for brand owners, it is equally true that access to critical brand enforcement information is still being masked without a reliable method of access. The unforeseen consequences of GDPR implementation in the domain name system continue to harm brand owners and the consumers who they are tasked with protecting.

Domain name registration data such as WHOIS has been masked worldwide by registries and registrars ever since the Internet Corporation for Assigned Names and Numbers (ICANN) put its Temporary Specification for WHOIS data compliance with GDPR into effect on May 25, 2018. As ICANN grapples with this issue as part of its Expedited Policy Development Process (EPDP), law enforcement, brand owners, and cybersecurity experts are scrambling to find ways to obtain information on domain name registrants. To help brand owners navigate the new landscape, INTA has prepared the WHOIS Toolkit, which provides direct contact information for registrars.

As of now, brand owners must contact registrars directly with their requests for WHOIS information. While this may seem reasonable, several industry studies have shown that these requests generally go unanswered or unresolved. An area in which ICANN and INTA agree is that there is a genuine need for a Uniform Access Model (UAM). ICANN has convened a group of technical experts to explore automated solutions while the EPDP is tasked with developing a reasonable and balanced policy.

The EPDP has been divided into two phases. Phase 1 looked at the legitimate purposes and legal bases for collecting and processing WHOIS data in relation to ICANN’s mission and contractual relationship. Phase 2 will focus on access, and address any open questions from Phase 1. The open questions from Phase 1 have caused great concern for INTA members as they do not fully recognize enforcement of intellectual property (IP) rights as a legitimate purpose for data collection and processing.

INTA’s full comments are available on the advocacy section of inta.org. INTA and IP stakeholders must now look to Phase 2 to provide greater clarity and certainty to the IP community that the right tools to combat cybercrime and online infringement will be provided in a timely manner. INTA hopes that the direction of Phase 2 will be made clearer when ICANN holds its next meeting in Marrakech, Morocco on June 24-27.

In the meantime, INTA continues its advocacy outside of ICANN, meeting with EU Commission representatives and participating in dialogues on Internet governance. INTA is preparing substantive comments in response to proposed guidelines on the purposes of data collection for the performance of a contract under GDPR.

As INTA keeps a spotlight on this issue in the privacy realm as well as in the domain name space, the Association’s strategic alliance with IAPP is helping to spread the word of the unforeseen consequences of GDPR implementation. IAPP leadership has been briefed on the importance of this issue to brand owners. In addition, INTA staff has been interviewed for articles, and INTA volunteers presented a panel at the IAPP Policy Conference in Brussels on this topic.

INTA encourages all of its members to follow the developments in WHOIS and GDPR implementation, as these policies will likely determine the way brands enforce their rights on the Internet for many years to come.