EU data protection authorities write again to ICANN on WHOIS and the GDPR

On 11 April 2018, the Article 29 Data Protection Working Party (composed of data protection authorities in EU member states) wrote to the Internet Corporation for Assigned Names and Numbers (ICANN) with regard to ICANN’s proposal for an ‘Interim model for compliance with ICANN agreements and policies in relation to the European Union’s General Data Protection Regulation (GDPR)’. The group welcomed ICANN’s proposal for layered access to WHOIS data (data of domain name registrants) and for an accreditation programme to govern access of law enforcement agencies and other parties to non-public WHOIS data. But it also raised concerns about several provisions of the proposed interim model seen as not being in line with the GDPR, and asked ICANN to further work on issues such as: explicitly defining the legitimate purposes for which registrant data is collected; specifying more clearly the relation between the legitimate purposes of the data processing and the relevant legal basis; developing policies applicable to incidental and systematic requests for access to WHOIS data, in particular for law enforcement agencies; and ensuring that registrars and registries have appropriate logging and auditing mechanisms in place to detect possible misuse of WHOIS data.​