Finding out who's operating an internet domain may get a little harder, thanks to a German court ruling that the European Union's General Data Protection Regulation (GDPR) also applies to personal information held in the worldwide whois service.
While that's potentially good news for domain name owners, it may pose problems for law enforcers or anyone else trying to report a problem with a domain.
ICANN, the Internet Corporation for Assigned Names and Numbers, manages the whois service, and requires its accredited domain name registrars to collect and store for each domain the owner's name and postal address, and also the name, postal address, e-mail address, telephone number, and (where available) fax number of the domain's technical and administrative contacts. (These three may be the same person.)
German registrar EPAG Domainservices told ICANN it wanted to stop collecting personal details for the technical and administrative contacts when the GDPR came into effect on May 25, as this went against the principle of data minimisation, although it would continue collecting information about domain name owners.
ICANN promptly filed suit in at the Regional Court in Bonn, Germany, asking for an injunction forcing EPAG to continue recording administrative and technical contact details for any domains it registered, or pay a €250,000 (US$291,000) fine -- but this week the court rejected its request.
The court refused to grant the injunction because there was no evidence that the additional information was necessary, given that the same person could be listed for all three contacts, according to a translation of the ruling provided by the court.
It also questioned why ICANN required more personal information about the administrative and technical contacts than it did about the domain name owner, the person legally responsible for the domain.
Until recently, information gathered by registrars was made publicly available through the global whois service, but in May ICANN published a temporary policy on how the information would be published once GDPR took effect. That policy proposes introducing tiered or layered access to personal information, limiting it to users with a legitimate and proportionate purpose. Those purposes could include law enforcement, competition regulation, consumer protection or rights protection, according to the policy document.
This week's court ruling "did not provide the clarity that ICANN was seeking when it initiated the injunction proceedings," ICANN General Counsel and Secretary John Jeffrey said. The organization will seek further clarification of the effect of GDPR on the whois service from the European Commission and the Article 29 Working Party, an umbrella body bringing together the EU's national privacy regulators.
Some organizations avoid registering any personal information for their administrative and technical contacts -- among them ICANN itself, which provides generic email and office addresses. It also lists a single number for both contacts' phone and fax, which is also the main number for its network operations center.