Abion / Blog / WHOIS after GDPR
Bild på tjej som försäker ändra ägaruppgifter på domän

WHOIS is the standard query and response protocol for all internet resources. For everyone in the domain name business, the WHOIS is synonymous with the domain name itself since it is the source of the “core” information about a domain name.

The WHOIS of a domain name has therefore always been the go-to source for getting the public information regarding a domain name, including (but not limited to) owner information, contact information, name servers, current registrar and more.

As we all know, GDPR greatly affects the way organizations present data. Since the WHOIS for most TLDs (top-level domains) includes entities such as the name, phone number and email of “living individuals” (for example the contacts at the company owning the domain name), it was expected that GDPR was going to drastically change the way WHOIS is going to function in the future.

On May 17th 2018, the ICANN board passed a “Temporary Specification” for gTLD registration data (gTLD being a “generic” top-level domain, such as .COM, .NET and ORG). This was just eight days before the GDPR deadline leaving registries and registrars with a lot of last minute changes in order to be compliant with both GDPR and the temporary specification. The Temporary Specification stipulates for contracted parties how to treat WHOIS going forward. Although, important to understand about the temporary specification is that it is reviewed by the board every 90 days, renewable for max one year.

Under the new specification, WHOIS requirements will be drastically reduced and only include Registrant organization (if provided), State/Province and Country.

However, ICANN remains committed to the collection of full data and require registrars to collect complete contact information in the same manner as before. The full data set must also be transferred to the registry, as well as the escrow provider.

Since the reduced WHOIS information “hides” most of the information about the owner of the domain name (like the registrant’s email address) registrars are also required to provide a way for third parties to contact the registrant of the domain name. This is done either by an anonymized email address set up by the registrar, alternative by a web form. Both forwarded to the registrants actual email address. This solution is also applicable on the admin and tech contact that will otherwise be omitted from WHOIS.

Apart from that, ICANN is obliging registrars to provide access to full WHOIS data for parties with “legitimate” interests to address the concerns of IP attorneys, Trademark/brand protection firms and law enforcement. An accreditation model with access to tiered data has been suggested but nothing of that sort has come into place. Registrars are left with the requirement, but no guidelines as to how this practically can be handled.

The reduced WHOIS output will also affect the transfer process of a domain name, most obvious being the registrant confirmation. In the ICANN stipulated transfer policy, the email address of the registrant or the admin contact is the only email address trusted to accept the Form of Authorization (transfer agreement). In the absence of an email address in WHOIS, the FOA loses its authority in the registrar transfer confirmation. Until ICANN and contracted parties have a new way of safely and securely transfer data, the FOA will be omitted, leaving the authorization code to be the single confirmation token on the right to transfer the domain name to a new registrar. The “loosing” registrar (from which the domain is transferred away) is still required to send the loosing Form of Authorization. The loosing Form of Authorization is an email informing the current registrant that a registrar transfer has been requested, providing the registrant a last resort to cancel the transfer by immediately taking action. No response within five days will allow the transfer to be carried out.

In regards to ccTLDs (country code top-level domains, like .SE for Sweden and .DE for Germany) there is a variety of solutions stretching from hiding all WHOIS data to doing absolutely nothing, leaving the WHOIS as is. The effects on various operations is a smorgasbord of equally as many solutions. With the late awakening of the domain industry to the requirement and impacts of GDPR, it is our belief that we are facing a lot of temporary – and perhaps even hasty – solutions which would suggest recurrent model updates, tweaks and reformulations in the coming months.



Read/see more:

Related reading

Alfa Romeo sign

Alfa Romeo makes a U-turn: Milano goes Junior

Trademark Management
13, May 2024
Following pressure from the Italian government, Alfa Romeo is forced to change the name of its newly unveiled SUV.
Made in Italy label

The Rising Importance of “Made in” Labels: A European Perspective

Trademark Management
11, May 2024
When consumer choices are increasingly driven by a desire for authenticity, quality, and sustainability, the signi...

This website uses cookies

Cookies ("cookies") consist of small text files. The text files contain data which is stored on your device. To be able to place some type of cookies we need your consent. We at Abion AB, corporate identity number 556633-6169 use these types of cookies. To read more about which cookies we use and storage duration, click here to get to our cookiepolicy.

Manage your cookie-settings

Necessary cookies

Necessary cookies are cookies that need to be placed for fundamental functions on the website to work. Fundamental functions are for instance cookies that are needed for you to use menus and navigate the website.

Functional cookies

Functional cookies need to be placed for the website to perform in the way that you expect. For instance to remember which language you prefer, to know if you are logged in, to keep the website secure, remember login credentials or to enable sorting of products on the website in the way that you prefer.

Statistical cookies

To know how you interact with the website we place cookies to collect statistics. These cookies anonymize personal data.

Ad measurement cookies

To be able to provide a better service and experience we place cookies to tailor marketing for you. Another purpose for this placement is to market products or services to you, give tailored offers or market and give recommendations on new concepts based on what you have bought from us previously.

Ad measurement user cookies

In order to show relevant ads we place cookies to tailor ads for you

Personalized ads cookies

To show relevant and personal ads we place cookies to provide unique offers that are tailored to your user data