Whois status and impacts from GDPR on European ccTLDs

CENTR, the association of European country code top-level domain (ccTLD) registries, published a report on Whois status and impacts from GDPR.

Respondents of the survey were the following ccTLDs: .at, .au, .be, .ch, .cz, .de, .dk, .ee, .es, .eu, .fi, .fr, .ie, .lu, .me, .nl, .no, .nz, .pl, .pt, .rs, .se, .si, .ua, .uk.

(Once again .gr, the ccTLD of Greece, was absent. But then again .gr has never published any whois data and does not have an opt-in mechanism.)

Collection of registrant data

• Controller/Processor role – In context of registrant data collection, 64% of registries consider themselves to be the ‘controller’ in their relationship with registrars. A further 29% consider their role mixed (controller/processor) depending on the dataset. Of those that consider themselves ‘controller’, most (79%) provide instructions on what registrars collect and transmit
  via the registry-registrar agreement.
• Legal grounds to collect data – The most common reason for registries consider their legal grounds to collect registrant data is for “performance of a contract”.

Data Accuracy – verification of registrant data

• 50% of registries perform verification of domain holder identity after the point of registration and 18% before the point of registration. The remaining 32% do not perform any verification.
• The most common sources used to verify identity are official registers such as a business register and supporting documents from the domain holder. Several registries rely upon the use of
  eID to verify individuals, other means of verification include registered letters from the domain holders to confirm the accuracy of the provided data and rechecks of provided data in publicly
  available web mapping services and national registers.
• 17 out of 25 registries state that the data they receive from registrars on registrants is full and non-obfuscated. In terms of the data obfuscated to some registries, it is often the email
  or some combination of name, address and email that is individually obfuscated. For email obfuscation it is often an email per address holder with only 3 that have a catch all (per
  registrar) email address for different holders obfuscation.
• Just under half of registries allow an ‘auto-command’ whereby a new registrar automatically receives data of current registrant from current registrar in a transfer command.

Publishing registrant data

• Although several registries explicitly stated they do not publish personal data in the whois, others list some of the legal grounds they rely on to publish registrant data. Some of the common
  reasons were;
  o Legitimate interest or to allow contact from third parties
  o Contract or terms and conditions
  o Consent by registrant (eg. opt-in)
  o National law
• 11 out of 27 (44%) of registries provide an opt-in service for public whois with a further 3 planning to. This leaves 10 registries (40%) that do not have an opt-in service.
  (Math of the report is a little off here.)
• For almost all registries, data subjects can make access requests. Most commonly this is done via email with 8 registries that have a webform option.
• To rectify registrant data, email and/or webform to the registrar are common methods however 46% of registries also accept emails.
• To synchronise the registry and registrar databases, most commonly the registrar makes the changes in their database and the registry database is updated automatically. In other limited cases, the registry does not change data and considers the registrar as sole “source”.

Data retention and requests

• For 60% of registries, data on the domain holder is kept for more than 5 years following deletion of the domain and for 32% (8 registries) it is kept forever.
• The ‘right to be forgotten’ – for many registries this principle is not implemented for registration data. Some registries consider such requests case by case, deriving from local laws and their own discretion, others delete related data because of such requests and if a sound rationale is provided. Some registries consider personal data of a domain holder necessary to perform their contract duties and therefore right to be forgotten cannot be requested.
• Generally, requests for access, rectification and deletion are either handled by either the customer service team, the legal department and/or a dedicated DPO or privacy team. There is no 1 department or team that is more common to another.

Data Access

• 88% of registries provide some form of access to non-public whois. In most cases, access is provided via email from individual requests. Access is available as follows:
  o law enforcement (91%)
  o parties identified in a court order (86%)
  o someone with ‘legitimate interest’ (54%) – see below.
• Of those that provide access, 10 registries limit the access on volume and/or IP address. 5 registries have no limits on the access provided.
• When providing access based on ‘legitimate interest’ it is most commonly the legal department that makes the judgement. Only a small number of registries also base it on the declaration of the requestor and/or judgement by the customer service team. There are 4 registries that have considered and are planning accreditation mechanisms for parties with legitimate interest. A further 8 registries are interested to discuss this subject further within CENTR.
• When responding to individual requests, most respond between 1 – 3 days

Data Protection Officers (DPO)

• 54% of registries have appointed a DPO at the time of taking the survey with several more in planning. For more than half, their DPO sits within their legal department. This leaves 7 registries where the DPO is not within a dedicated legal department (note that not all registries have a dedicated legal department and staff have overlapping roles).
• For almost all registries, the DPO reports directly to the CEO or general manager

General GDPR / Other

• 6 registries have experienced issues with registrars unwilling to share requested registration data. All other stated the have not experienced any issues.
• 61% of registries perform ‘privacy impact assessments’
• 88% of registries regularly monitor internal compliance
• 70% of registries plan random checks / audits
• To differentiate between private and organisations as registrants, 68% of registries allow the registrant to self-select. In several cases, the registry uses social security number, business number or even tax file number. 18% make no distinction.
• To deal with non-compliant registrars, the two most common methods are to provide more time with a deadline and then to terminate the contract after notice.

You can download the full report here.