How does GDPR affect WHOIS?

In the same way that there’s a motor vehicle register where you you can find out who owns a particular car, there is a register for owners of domain names. This register is called WHOIS, and it contains technical information as well as contact details linked to domains – details that often refer to a specific, actual person. When the much talked about GDPR legislation came into force in May of this year, many of the details that would previously have been publicly available have now been hidden.

On the 17^th May, in the run-up to the introduction of GDPR, ICANN issued a new, temporary ‘GDPR-compliant’ specification for gTLD registration data (gTLDs are generic top level domains such as .org, .com or .net). The specification states that until further notice only limited information will be publicly available on WHOIS, such as the registrant organisation, and its province, state and country. Registrars continue to be duty-bound to collect the registrant’s information in full, just like before GDPR, but a lot of these details will be hidden by WHOIS. As before, the registrant’s details must be forwarded to the respective registry.

An important consequence of the reduced information available on WHOIS, is that it’s harder to find out who owns a specific domain. This means that domain name registrars now need to provide a way for third parties to contact domain owners, via the registrars themselves. In practice this has been resolved in a number of different ways. One example is via anonymised email addresses, where incoming mail is sent direct to the registrar who then forwards the mail to the owner on behalf of the party requesting information.

If this is a third party with a so-called legitimate interest (for example, regarding copyright protection or the transfer of a domain name), then ICANN can demand that the registrar give out the complete WHOIS details.

On the same subject, it is important that you always have up-to-date ownership details for your domains. Do not, for example, allow your domains to remain registered to someone who has stopped working at your company. If you don’t have up-to-date ownership details there is a risk of losing your domains. For more crucial advice about domain ownership, read our blogpost Who owns your domains?

Meanwhile, the story continues to unfold. ICANN announced at the time that it will review its rules every ninety days, up to a maximum of 12 months – it plans to have a permanent specification in place by then.