WHOIS data privacy - EU considers ban on anonymous websites

November 5, 2021 | Blog

There is a long history of attempts to strike the right balance between the privacy of website owners and the importance of transparency of WHOIS data. The EU is drafting a proposal to revise the NIS Directive (Directive (EU) 2016/1148), which would implement measures curtailing the privacy of website owners.

This blog aims to set out why protecting - or, in fact, disclosing - WHOIS data may be considered important and what differences there are in the level of protection.

There are multiple reasons for keeping WHOIS data under lock and key. Most domain name holders will want to remain free from commercial offers and spam sent to them on the basis of the data in the WHOIS register. Even the safety of a domain name holder may be at stake - one such example could be a website criticising dictatorial regimes. Open WHOIS data would not be to their benefit.

There is another side to the coin. Stringent levels of protection of WHOIS data may give rise to problems where websites clearly act against the law. What comes to mind are websites publishing defamatory or libellous information, infringing trademarks, or engaging in fraudulent practices. In these cases, it may be essential for injured parties to have effective access to the data relating to the domain name holders in order to take legal action. By limiting effective access, privacy laws then essentially function as “guardians of evil”. Finding the proper balance between the various interests at stake is a major challenge.

Differences in level of protection

The level of protection offered varies from one Top Level Domain (TLD) registry to another. Managed by SIDN, the TLD .nl has been governed by the following terms and conditions since 2016.

From 1 March 2016, private registrants' names will no longer be available from SIDN's WHOIS register. Anyone able to show that they need additional - shielded - information for the purpose of preventing or dealing with damaging content may submit a request to that effect.

Obtaining WHOIS information can be made even more difficult, however, by domain name proxy services. Domain name proxy services are basically intermediary registration agents which license out the use of registered domain names to the actual user. Yet even these services do not rule out the possibility that the identity of the actual domain name owner is retrieved. They do, however, raise the threshold for a successful clampdown on unlawful domain names or websites.

In the United States, the issue was at the heart of a case brought last year by Facebook against Namecheap and WhoisGuard (Facebook Inc. v. Namecheap Inc., No. 2:20-cv-00470-GMS (D. Ariz. Nov. 10, 2020)). Namecheap is a domain name registrar allowing its customers to make use of WhoisGuard's proxy service. WhoisGuard registers the domain names of Namecheap's customers in its own name, only to license those domain names back to those very customers. A similar construction is used by GoDaddy, which has entered into an alliance with Domains By Proxy for that very purpose. The Facebook v Namecheap litigation revolves around several issues, one being whether Namecheap and/or WhoisGuard, both of which refused to disclose the names of their licensees/actual domain name owners, can be held legally responsible for the content of their customers’ websites. At the time of writing, the court had yet to issue its final reasoned decision.

The proposal for a revised NIS Directive

The Network and Information Security Directive aims to support and facilitate strategic cooperation between the Member States regarding the security of network and information systems.

Part of the proposal for the NIS 2 Directive is a provision, to be laid down in Article 23, regarding the maintenance and disclosure of data by TLD organisations such as SIDN and domain name service providers.

Under the proposal, TLD registries and domain name service providers will be required to publish domain name registration data which are not personal data. The implication is that business data would - generally - have to be disclosed. By virtue of Article 23(5), the above organisations would be required to provide access to specific domain name registration data upon lawful and duly justified requests of “legitimate access seekers”.

This point has sparked a debate, with some parties saying it is sufficiently effective and others arguing it might be too broad. Privacy activists are in the latter camp. Opinions in the industry are divided, as demonstrated by the reactions of DENIC (manager of the .de TLD) and ICANN. DENIC takes the view that a mandatory ex ante invasive identification of domain name owners is unnecessary and disproportionate. In contrast, ICANN is actually in favour of the NIS 2 Directive including a specification or obligation for Member States to specify the minimum categories of data to be provided as part of the registration process. In fact, ICANN has submitted a proposal for a - rather extensive - list of minimum data to be provided.

On 28 October 2021, the ITRE committee of the European Parliament voted on the proposal.

We will of course keep you up to date on developments.
