On May 17, just a few days before the entry into force of the General Data Protection Regulation (“GDPR”), the ICANN Board approved a Temporary Specification for gTLD Registration Data (“Temporary Specification”) in an attempt to ensure WHOIS compliance. In a nutshell, the Temporary Specification provides open access to Registrant, Administrative and Technical contact information while restricting most personal data to layered/tiered access for users who can show a legitimate interest. However, this has proven difficult in practice, as the bar for showing a legitimate interest has usually been set too high. For instance, GoDaddy only provides full WHOIS information if proof of a legal process is provided to them. This requirement does not reflect the real practice of the digital brand protection industry.
To overcome this difficulty, ICANN has published a new draft of the Framework Elements for a Unified Access Model for Continued Access to Full WHOIS Data (“Unified Access Model”). As ICANN had already indicated, this approach seeks to provide access to full WHOIS data to, among others, defined categories of private third parties who are bound to abide by codes of conduct.
The Unified Access Model proposal will go through three different phases. The first phase, which is the current one, involves community discussion and consultations. The second phase will entail consultation with the European Data Protection Board on the proposal and on the approach to developing the different Codes of Conduct for the different user groups. The final phase involves further refinement and finalization of the Unified Access Model based on input from the community and the European Data Protection Board.
Of note, the Temporary Specification requires registries and registrars to implement the RDAP technical protocol by mid-December 2018. RDAP enables users to access current registration data and was created as an eventual replacement for the WHOIS protocol. As this is a necessary step to enable the implementation of the Unified Access Model, it is likely that the Model will be implemented by early 2019.
The Unified Access Model will be established only for defined groups of legitimately interested users. The different categories of legitimately interested users will be identified by governments within the European Economic Area. ICANN envisions that these groups might include intellectual property rights holders, law enforcement authorities, operational security researchers, and individual registrants which will be identified by relevant bodies with expertise to authenticate these users' legitimate interest.
In order to become a legitimate user who can access the non-public WHOIS database, the user would have to go through an application process to be approved by an authenticating body. If the user successfully satisfies the requirements of the authenticating body, it would then be required to confirm its adherence to the relevant Code of Conduct – which will establish a framework for the use of non-public WHOIS data. A fee may be charged for this.
However, the scope of data that will be available to authenticated users has not yet been clarified. ICANN will seek guidance from the European Data Protection Board on two possible approaches: (1) access to non-public WHOIS data consistent with the identified legitimate purpose presented to the registry operator or registrar for each query, or (2) access to the full WHOIS record for each query.
There is a long road ahead of us and the final text is still far from sight.
Manuela Adrogué, lawyer, LLM in Intellectual Property and Knowledge Management. Data Protection Officer of Pointer BP.