Opinion EU data protection authorities on WHOIS data

By EDRi · July 19, 2003

The associated European data protection authorities (the Article 29 Working
Party) issued a formal opinion on WHOIS directories. These directories
associate social information (like holder’s identity and contact
information) with network identifiers such as domain names or IP addresses.

The opinion is focused on domain name WHOIS, especially the fact that
personal data about individual domain name holders are publicly accessible.

The working party notes that the original purpose of making these data
publicly available — finding contact points for addressing technical
problems in operating the internet — is legitimate. Concerns are raised
about the compatibility of other purposes for which the data are being used
today, e.g., private policing of intellectual property rights.

The working party questions whether the publication of contact information
about individual registrants is actually relevant to the original purpose.
This purpose could be served well — or even better — by publishing
contact information pointing to the registrant’s ISP, who would then know
how to reach the registrant. The working party finds that “there is no
legal ground justifying the mandatory publication of personal data
referring to this person.” Publication would lead to a conflict with
directive 2002/58/EC (Privacy in the electronic communications sector).

Concerns are also raised about proposals to introduce extended search
services which would, for instance, return a list of all domain names
registered by one individual. Earlier, the working party concluded that the
inclusion of personal data with this kind of services must be based on
unambiguous and informed consent of the individual.

The working party explicitly supports recent decisions of the Internet
Corporation for Assigned Names and Numbers (ICANN) to improve the accuracy
of the data collected, and to forbid any marketing uses of WHOIS data
obtained in bulk.

Very recently, ICANN held a workshop in Montreal, Canada, on WHOIS policy.
This policy is part of ICANN’s contracts with domain name retailers
(‘registrars’) and database operators (‘registries’).

Registrars in general pointed to the contribution of WHOIS data to consumer
fraud. European registrars in particular noted that the WHOIS provisions of
their contracts with ICANN may be incompatible with applicable law. Data
users from the Intellectual Property and Law Enforcement communities
considered any possible restriction of access to WHOIS data as a nuisance
which would hamper effective law enforcement on the internet.

Opinion 2/2003 on the application of the data protection principles to the
WHOIS directories

WHOIS-related consensus policies recently adopted by ICANN

Background material for the Montreal WHOIS workshop

(Contribution by Thomas Roessler, FITUG)