icannwhois100759917orig
Internet

Domain operators: Your personal information can stay secret under GDPR

Finding out who's operating an internet domain may get a little harder, thanks to a German court ruling that the European Union's General Data Protection Regulation (GDPR) also applies to personal information held in the worldwide whois service.

While that's potentially good news for domain name owners, it may pose problems for law enforcers or anyone else trying to report a problem with a domain.

ICANN, the Internet Corporation for Assigned Names and Numbers, manages the whois service, and requires its accredited domain name registrars to collect and store for each domain the owner's name and postal address, and also the name, postal address, e-mail address, telephone number, and (where available) fax number of the domain's technical and administrative contacts. (These three may be the same person.)

German registrar EPAG Domainservices told ICANN it wanted to stop collecting personal details for the technical and administrative contacts when the GDPR came into effect on May 25, as this went against the principle of data minimisation, although it would continue collecting information about domain name owners.

ICANN promptly filed suit in at the Regional Court in Bonn, Germany, asking for an injunction forcing EPAG to continue recording administrative and technical contact details for any domains it registered, or pay a €250,000 (US$291,000) fine -- but this week the court rejected its request.

The court refused to grant the injunction because there was no evidence that the additional information was necessary, given that the same person could be listed for all three contacts, according to a translation of the ruling provided by the court.

It also questioned why ICANN required more personal information about the administrative and technical contacts than it did about the domain name owner, the person legally responsible for the domain.

Until recently, information gathered by registrars was made publicly available through the global whois service, but in May ICANN published a temporary policy on how the information would be published once GDPR took effect. That policy proposes introducing tiered or layered access to personal information, limiting it to users with a legitimate and proportionate purpose. Those purposes could include law enforcement, competition regulation, consumer protection or rights protection, according to the policy document

This week's court ruling "did not provide the clarity that ICANN was seeking when it initiated the injunction proceedings," ICANN General Counsel and Secretary John Jeffrey said. The organization will seek further clarification of the effect of GDPR on the whois service from the European Commission and the Article 29 Working Party, an umbrella body bringing together the EU's national privacy regulators.

Some organizations avoid registering any personal information for their administrative and technical contacts -- among them ICANN itself, which provides generic email and office addresses. It also lists a single number for both contacts' phone and fax, which is also the main number for its network operations center.

IDG Insider

PREVIOUS ARTICLE

« Get last year's iPad for just $249 today at Walmart

NEXT ARTICLE

Let a robot do your dirty work with this great deal on Eufy's BoostIQ RoboVac 11S »
author_image
IDG News Service

The IDG News Service is the world's leading daily source of global IT news, commentary and editorial resources. The News Service distributes content to IDG's more than 300 IT publications in more than 60 countries.

  • Mail

Recommended for You

Trump hits partial pause on Huawei ban, but 5G concerns persist

Phil Muncaster reports on China and beyond

FinancialForce profits from PSA investment

Martin Veitch's inside track on today’s tech trends

Future-proofing the Middle East

Keri Allan looks at the latest trends and technologies

Poll

Do you think your smartphone is making you a workaholic?