ICANN’s WHOIS Database, The Next Frontier: EU Data Protection

March 20, 2017

by: Abigail Slater, Internet Association General Counsel

IA attended ICANN58 in Copenhagen last week and was grateful to the ICANN board and staff for being included in a panel discussion with EU data protection commissioners and the Council of Europe. The purpose of the panel was to discuss EU data protection principles and their application to the WHOIS database in particular.

For those who work in the domain name system (DNS) space, the publicly available WHOIS database is the glue that holds the internet together.  It is probably the most centralized function in an otherwise decentralized network, and it needs to be.  Imagine a world in which we had no way of pinning down who owns a website: is it the company that has poured billions of dollars (or any other currency) into building the business, or is it a Russian cyber hacker?  Thanks to WHOIS, we can sort the good guys from the bad.  WHOIS also plays a critical role in defending the network from attack, including denial of service attacks.  And we know that when the DNS is under attack, many of the internet applications we have come to rely on to get through the day can be badly impacted, sometimes even on a global scale.  


Because the WHOIS database is so critical to the DNS, it was even included in the 2009 Affirmation of Commitments between the U.S. government and ICANN, which have since become part of ICANN’s bylaws.  The Affirmation of Commitments laid the foundation for last year’s successful transition of ICANN’s IANA function from U.S. government control to the multistakeholder ICANN community, an important goal supported by the Internet Association and its members.  

WHOIS serves an important – even critical – role in holding the internet together, but it’s not perfect. Among the loudest critics of WHOIS are EU privacy enforcers who are concerned that a publicly available database containing personally identifiable information (“PII” in privacy-speak) is a red flag under EU data protection law.  This concern came to the fore at ICANN this week when several EU data protection commissioners and the Council of Europe came to ICANN for the first time.  On the panel, the EU privacy advocates explained at a high level the data protection principles they apply in their roles.  They also explained that these principles are soon to be backed up by massive fining powers (up to 4 percent of global revenues) when a new EU data protection law kicks in next year, making it time for the ICANN community to sit up and listen to them.  Unfortunately, however, the data protection officials did not apply those principles to ICANN in general or WHOIS specifically.  

Also on the panel, Internet Association argued that in order to join issue with the ICANN community on WHOIS and to provide legal certainty to businesses, guidance from the data protection commissioners beyond talking about general principles should be provided soon (and preferably before massive fines are levied). We also argued that we live in a world of competing equities, and while data protection is an important equity, so are the stability and security of the DNS from a DoS attack – something that has equally negative consequences for consumer privacy. Similarly, there are important equities at stake in WHOIS beyond data protection, since it is a key tool used to combat fraud and trademark infringement. Ultimately, however, the number one equity at ICANN – ICANN’s core mission – is protecting and preserving a stable and resilient DNS. At the end of the day, this is the equity that comes before all others and WHOIS is the glue that binds the DNS together.

The EU data protection enforcers’ position raises several questions for the ICANN community: how will their law apply to WHOIS?  What is its reach?  What data is implicated when much of WHOIS is populated by technical jargon and not sensitive personal data?  Will the data protection commissioners take into account the critical role that WHOIS plays under ICANN’s bylaws in holding the DNS together when they enforce their data protection law?  Will they weigh competing equities such as protecting the network from DoS attacks and other forms of fraud and abuse?

We are grateful to ICANN for including us in this important discussion and we look forward to hearing more from the ICANN community and staff on this issue.  As the IANA transition taught us, having an honest, bottom-up conversation about important issues is the best and only path forward for the community and its stakeholders.