Alphabet Soup: WHOIS, GDPR (European Union General Data Protection Regulation), and CCPA (California Consumer Privacy Act)

By Carolyn Wimbly Martin

The European Union (EU) General Data Protection Regulation (GDPR) became effective on May 25, 2018. In light of this sweeping new law, the WHOIS global database of domain name registrants has ceased to be a key resource for intellectual property stakeholders seeking to protect their rights online. Registries will now need to have a good reason for collecting data and an even better reason for publishing it. Here is a look at what’s already changed and what we can expect going forward.

What is GDPR?

According to the EU’s GDPR website, GDPR is designed to harmonize data privacy laws across Europe, protect and empower all the data privacy of EU residents and reshape the way organizations across the region approach data privacy. The aim of GDPR is to protect all EU residents from privacy and data breaches. GDPR applies to all companies processing the personal data of data subjects residing in the EU, regardless of the company’s location. Therefore, U.S.-based companies with websites that reach EU residents need to be aware of and comply with GDPR. Companies in breach of GDPR can be fined up to 4% of annual global turnover or roughly $23.5 million in US dollars (whichever is greater). Other relevant provisions of GDPR include the following:

a. Consent to collect personal data must be freely given, clear and easily accessible. It must be as easy to withdraw consent as it is to give it;

b. Data controllers may hold and process only the data absolutely necessary for the completion of their duties, and limit the access to those needing the personal data to do the processing;

c. Data subjects have the right to be forgotten, including the right to have personal data erased, the cessation of further dissemination of data, and potentially to have third parties halt processing of the data. This right requires controllers to balance the rights of the subjects against “the public interest in the availability of the data” when considering such requests.

d. There is a very narrow exception which provides that consent is not needed where the data controller can claim a “legitimate interest” in collecting the data that outweighs the interests of the data subject. What constitutes compliance with the legitimate interest exception is unsettled.

What are ICANN and WHOIS?

ICANN (Internet Corporation for Assigned Names and Numbers) is the private, non-profit corporation with responsibility for IP address space allocation, protocol parameter assignment, domain name system management, and root server system management functions. Registries are under contract with ICANN to operate a generic top level domain, such as .com or .org. The system ensures that names and addresses are unique, therefore allowing for a single, interoperable Internet. (MacCarthy, 2018)

Each registrant for a domain name must provide identifying and contact information, which may include a name, address, email, phone number and administrative and technical contacts. This information is the WHOIS data.

Historically, ICANN has committed to implementing measures to maintain timely, unrestricted and public access to accurate and complete WHOIS data, subject to applicable laws. Thus WHOIS was an invaluable tool in cases of infringement for identifying the domain name registrant.

With GDPR, however, the domain name registries were faced with an impossible choice between liability under GDPR if they made the information public or breach of their contracts with ICANN if they did not. (Electronic Frontier Foundation, 2018)

Legitimate and Valuable Uses for WHOIS Data

WHOIS has allowed intellectual property owners and other businesses, consumers, consumer protection agencies and law enforcement to find out “who is” the owner of a domain name, plus important details about its registration and history to pursue a variety of remedies where there has been an infringement or other harm. (IP Constituency Letter, 2018)

WHOIS has been a tool to investigate cybercrimes such as phishing (the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers) or other types of spam. Although it is questionable whether criminals provide their real information, any information they provide — and especially information that they reuse across multiple domains and cybercrime campaigns — is valuable in both grouping cybercriminal operations and in ultimately identifying who is responsible for these activities. (Krebs, 2018)

WHOIS Issues Prior to GDPR

In a letter dated December 11, 2017, the EU’s Data Protection Authorities (Article 29 Working Party) expressed their continuing concerns regarding the unlimited publication of WHOIS data on the Internet. The Article 29 Working Party (now renamed the European Data Protection Board) noted that it had raised these privacy issues at least as early as 2003.

The Article 29 Working Party rejected three possible legal grounds for the publication of WHOIS data:

a. Consent is a requirement for obtaining a domain name, but it is not freely given and therefore would not be a valid legal basis for the publication of WHOIS data,

b. The argument that the information is necessary for the performance of a contract does not apply since the individual domain name holder is not a party to the contract between ICANN and the various registries.

c. ICANN and the registries would also not be able to invoke a legitimate interest basis for making available all personal data in WHOIS directories to the general public since such interests are overridden by the rights of the domain name holders.

Additionally, the letter stated that since ICANN and the registries jointly determine the purposes and means of the processing of personal data for the WHOIS directories, ICANN and the registries are joint controllers making both parties liable for violations of GDPR. The Article 9 Working Party reiterated a recommendation it had made earlier for ICANN to implement layered access to the personal data contained in WHOIS.

WHOIS Changes Precipitated by GDPR

On May 17, 2018 the ICANN Board of Directors adopted its Temporary Specification for generic top-level domain (gTLD) Registration Data (“Temporary Specification”). The Temporary Specification provides modifications to existing requirements in the Registrar Accreditation and Registry Agreements to bring them into compliance with GDPR. The reasoning was that without such changes each registrar would be making its own determination regarding what gTLD Registration Data should be collected, transferred and published, leading to a fragmentation of the globally distributed WHOIS directory. Under the Temporary Specification, the name, email address, and physical/postal address of the registrant will still be collected, but the information, except for the country and region, will be hidden from public display. (Historically registries have offered free or a-la-carte privacy protection services that mask the personal information provided by the domain registrant. In the latter case, this protection has provided a meaningful revenue stream for the registries.)

Third parties will only have access to “thin data,” which includes only the technical data sufficient to identify the sponsoring registrar, status of the registration, and the creation and expiration dates for each registration. The Temporary Specification applies to all domain name registration personal data, without differentiating between registrations of corporate/legal and natural persons. Even if it were possible to draw a clear line between individual and organizational registrations, organizational registrations may contain personally identifiable information about corporate officers or contact persons.

The Temporary Specification continues to require registries to collect personal information and instructs them to provide an automated way to reach domain name holders through an anonymized email or web form, without revealing personal information like name or email address. It requires each registrar to determine whether a party requesting access to personal information has a legitimate interest and whether that interest overrides the privacy interests of the registrant.

WHOIS is limited in its ability to support layered/tiered access. However, an eventual replacement for WHOIS, the Registration Data Access Protocol (RDAP), will enable users to access current registration data. RDAP has the ability to provide the option to enable differentiated access (for example, limited access for anonymous users and full access for authenticated users (i.e., non-anonymous users who have provided a legitimate interest, with supporting documentation, in receiving the information being requested).

The registries operate regionally, and all but one are outside the EU. This registrar, RIPE NCC, has been operating under GDPR’s predecessor, the Data Protection Directive (DPD), and it has concluded that its operations, for the most part, already comply with GDPR. Its focus is limited to ensuring that (1) there is continued access to the data for protection mechanisms for trademark holders against abusive registrations; and (2) registered name holders can continue to transfer their domain names to other registrars absent registrant and administrative contact information. (RIPE, 2018)

Accessing Contact Data with a Thin WHOIS System

Even when WHOIS only provides the state and/or country of the registrant, that information may be used to search a Secretary of State corporate database or a particular country’s Trademark Office. (INTA, 2018)

The WHOIS records should continue to indicate the name of the registrar. Therefore, third parties may ask the registries to make additional information available to them. In order to support a request based on legitimate interest, the request should include the basis on which the request is being made -- i.e., infringement of a trademark, copyright or other illegal activity and a statement of reasonable belief that the domain in question is being used to infringe intellectual property rights. (INTA, 2018)

Additionally, most jurisdictions permit a plaintiff that does not yet know a defendant's identity to file suit against John Doe and then use the discovery process to seek the defendant’s true name. Rights holders may also serve subpoenas on registrars. Subpoenas provide for the ability to obtain disclosure of more detailed data elements over a much longer period of time about potentially malicious registrants. So, although more expensive and time-consuming than using WHOIS, more information can be obtained.

Historical databases of WHOIS information maintained by non-EU parties and parties which are not contractually obligated to ICANN, may be a resource at least for as long as the data is relevant and reasonably timely.

What to Look for Going Forward

In the future, there may be standardized accreditation procedures and tiered-access databases to facilitate access. ICANN is working on a system where certain vetted third parties who have a legitimate interest and receive accreditation from ICANN might be granted less restrictive levels of access to WHOIS data. (CISCO, 2018)

Additionally, ICANN might provide something like a CAPTCHA-protected contact form (a challenge-response test to determine whether the user is human), which would deliver email to the appropriate contact point with no need to reveal the registrant’s actual email address.

California Consumer Privacy Act (CCPA)

Subsequent to the adoption of GDPR, California enacted the California Consumer Privacy Act (CCPA). CCPA is scheduled to take effect January 1, 2020. Under CCPA personal information is any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. CCPA excludes information that is publicly available, but includes inferences drawn from other personal information to create a profile of the consumer’s preferences. Upon request, businesses must disclose to a consumer categories of personal information collected about the consumer, categories of sources of the personal information, the business or commercial purpose for collecting or selling (as very broadly defined) the personal information, categories of third parties with whom the personal information is shared and the specific pieces of personal information the business has collected about the consumer. There are specific procedural requirements for notice to consumers, methods for making requests and response times. CCPA allows for deletion requests as well. There is also a 12-month look back period dating back to January 1, 2019, which needs to be factored in by businesses planning for CCPA.

CCPA prohibits discriminating against a consumer for exercising rights under CCPA, but notably does not prohibit charging a different price or rate, or a different level or quality of goods or services, if the difference is “reasonably related to the value provided to the consumer by the consumer’s data.” We are awaiting clarification from the California Attorney General on a number of specifics. This will include guidance on loyalty program terms and consent requirements to comply with the CCPA.

CCPA also addresses the issue of putative class action litigation following security breaches. It creates a private right of action for consumers “whose nonencrypted or nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices….” Plaintiffs may recover statutory damages ranging from $100-$750 per consumer, per incident, or actual damages, whichever is greater. These rules will become effective July 1, 2020, if not sooner, once regulations are issued.

While CCPA will only apply to California residents, companies will have to decide from a public relations standpoint how to implement the changes across their customer base.

New Jersey is also looking at proposed privacy legislation. There could be further U.S. Senate hearings on federal privacy legislation in 2019. The CCPA and other state initiatives could therefore be preempted by federal legislation. (INTA and IAPP Presentation, 2018)

Conclusion

We will continue to monitor developments with CCPA, ICANN and elsewhere in order to let you know what resources may be available to enforce your intellectual property rights in this new and complicated environment. Stay tuned!

Sources

Advisory Statement: Temporary Specification for gTLD Registration Data Effective May 25, 2018. Web 5 Sept. 2018. https://www.icann.org/en/system/files/files/gtld-registration-data-temp-spec-17may18-en.pdf

California’s Privacy Law Changes and Its Impact on Brands. An INTA and IAPP presentation. 13 November 2018

Electronic Frontier Foundation. “Europe’s GDPR Meets WHOIS Privacy: Which Way Forward? 26 Jan. 2018 Web. 5 Sept. 2018. https://www.eff.org/deeplinks/2018/01/europes-gdpr-will-force-icann-improve-whois-privacy

RDAP Overview. Web. 5 Sept. 2018. https://www.icann.org/rdap

WHOIS Challenges: A Toolkit for Intellectual Property Professionals. 15 June 2018 Web. 5 Sept 2018. https://www.inta.org/INTABulletin/Pages/WHOISChallengesAToolkitforIntellectualPropertyProfessionals7310.aspx

IP Constituency Letter to EU 1 February 2018 Web 5 Sept. 2018. https://www.icann.org/en/system/files/files/gdpr-comments-ipc-bc-article-29-wp-whois-01feb18-en.pdf

MacCarthy, Mark. “Opinion: ICANN’s WHOIS service faces GDPR compliance challenges” 13 June 2018. Web 5 Sept. 2018. https://www.cio.com/article/3281377/privacy/icann-s-whois-service-faces-gdpr-compliance-challenges.html

GDPR and the RIPE NCC. Web 5 Sept. 2018. https://www.ripe.net/about-us/legal/corporate-governance/gdpr-and-the-ripe-ncc

Security Trade-Offs in the New EU Privacy Law. 27 April 2018. Web 5 Sept. 2018. https://krebsonsecurity.com/2018/04/security-trade-offs-in-the-new-eu-privacy-law/