Dutch DPA: unlimited publication of WHOIS-data violates privacy law
The unlimited publication of WHOIS-data of domain name registrants by Dutch registries is a violation of current Dutch privacy law. The Dutch Data Protection Authority (DPA) has published a letter it sent to a Dutch administrator of the domain name extensions .amsterdam and .frl. WHOIS-data are data such as name, address, e-mail address and telephone number of the domain name registrant.
Unlimited publication of these personal data on the internet is not necessary. Needless to say, access to personal data of domain name registrants should be granted when such access is necessary for technical reasons, or for law enforcement when it is legally entitled to such access: so-called layered access.
Request Dutch registry
The Dutch DPA publishes this statement in response to a request by this Dutch registry. Registries are parties who perform the technical administration of domain name extensions such as .com and .nl. Based on the rules issued by ICANN, the worldwide domain name administrator, this Dutch registry would be required to publish WHOIS-data on the internet with unlimited access. This Dutch registry, however, offers the possibility to publish only limited WHOIS-data of private domain name registrants. This is in accordance with current privacy law.
European data protection authorities
The Dutch DPA regularly receives signals from citizens who are domain name registrants and who notice that their WHOIS-data are republished and re-used via several websites. Since 2003, the European data protection authorities, assembled in the Article 29 Working Party (WP29), have expressed their concerns about the unlimited publication of personal data of domain name registrants.
Unlimited publication of WHOIS-data in violation of privacy law
If WHOIS-data concern individuals, these data are personal data and Dutch privacy law is applicable. The unlimited publication of WHOIS-data via the internet is a form of processing personal data for which a legal ground is necessary. According to the Dutch DPA and the WP29 before that, ICANN and registries cannot successfully rely on the grounds ‘necessary for the performance of a contract’ or ‘legitimate interest’. Relying on the ground of ‘consent from the individual domain name registrants’ is not possible either, because consent in this context would be a requirement for obtaining a domain name, and therefore not freely given.
The General Data Protection Regulation (GDPR) becomes applicable law on 25 May 2018. Under the GDPR, unlimited publication of WHOIS-data would also violate privacy law.