The European Union General Data Protection Regulation (EU GDPR), the comprehensive single and unified privacy law enacted by the EU Commission, came into effect on May 25, 2018. The primary goal of this regulation is to protect the privacy and associated rights of natural persons in the EU and to govern how their data is used. Though it is specific to the EU, it affects developers, IT administrators, and business owners worldwide who handle such data. While there have been discussions on how the regulation and its enforcement affect firms engaged in IT products and services, little attention has been paid to how it will affect the internet as such.
The critical element of the internet is the domain name system, governed and managed by the Internet Corporation for Assigned Names and Numbers (ICANN) using a multi-stakeholder model. One of the important services that ICANN provides is WHOIS. The WHOIS service provides the name, address, email, phone number, and administrative and technical contacts of the person or entity who has registered an internet domain name. This WHOIS data does not reside in a single repository. Instead, the data is managed by independent entities known as "registrars" and "registries" accredited by ICANN. There are more than 330 million registered domain names, and more than 2,500 accredited registrars and registries around the world.
WHOIS traces its roots to 1982, when the Internet Engineering Task Force published a protocol for a directory service for the erstwhile ARPANET users. As the internet grew, WHOIS began to serve the needs of different stakeholders, such as domain name registrants, law enforcement agents, intellectual property and trademark owners, businesses, and individual users. For example, if there is a domain name dispute, the WHOIS database and associated queries provide information about the owner details of the domain name to plaintiffs.
Hence, the WHOIS data is global in nature. It is the responsibility of registrants to disclose correct WHOIS information to the registrars and registries. There are also contractual clauses between ICANN and the registrars and registries that require the WHOIS information to be disclosed to the public at large.
When you register a domain name, you must provide your registrar with accurate and reliable contact details, and update them promptly if there are any changes during the term of the registration period. This obligation is part of your registration agreement with the registrar. Your registrar is required to send you an annual reminder of your obligation to maintain the accuracy of your WHOIS contact data.
However, with the enactment of privacy laws such as the EU GDPR, several parts of this arrangement need rework: the mechanisms and processes for updating the WHOIS database, the information collected from registrants, the requirements placed on registrars and registries for protecting the privacy of registrants, and finally the information disclosed by the WHOIS service, which must now comply with the privacy laws. Specifically, Article 29 of the EU GDPR, which deals with the responsibilities of third-party processors of personal data, affects the WHOIS processing requirements.
While ICANN and its accredited registrars and registries are preparing for adherence to the EU GDPR, it remains a complex issue. WHOIS provides the transparency about domain name registrants that has been a characteristic of the internet. However, privacy laws such as the EU GDPR restrict the registrant information that may be made public by the registrars, registries, and the WHOIS system. Hence, an analysis of the trade-off between open dissemination of the information and protecting the privacy of the registrants is required.
This requires coming up with compliant processes; educating all stakeholders, including registrants, registrars, and registries, on EU GDPR compliance; enabling protection of the Personally Identifiable Information of registrants worldwide; and re-architecting the age-old WHOIS service to be compliant with privacy laws.
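To make the trade-off concrete, the following is an added example (not code from the article, ICANN, or any registrar) of the kind of redaction step a WHOIS front end could apply before publishing a record: the contact fields the article lists as personal data (name, street address, email, phone) are withheld for each contact role, while the technical fields a directory service still needs (domain, name servers, dates, DNSSEC status) and the organization field for legal persons are left visible. The "Key: Value" layout, the field names, the choice of which fields count as personal, and the sample record are all assumptions constructed for illustration, not a specific registrar's format or ICANN's published policy.

```python
"""
Added example: parse a WHOIS-style "Key: Value" record and redact the
natural-person contact fields before publication. Field names, the set of
personal fields and the sample record are constructed assumptions.
"""
from typing import List, Tuple

# Constructed sample record in the "Key: Value" layout typical of WHOIS output.
SAMPLE_RECORD = """\
Domain Name: example.test
Registrar: Example Registrar Ltd (constructed)
Registrar IANA ID: 0000
Creation Date: 2015-04-01T00:00:00Z
Registry Expiry Date: 2026-04-01T00:00:00Z
Name Server: ns1.example.test
Name Server: ns2.example.test
DNSSEC: unsigned
Registrant Name: Jane Doe
Registrant Organization:
Registrant Street: 1 Sample Street
Registrant City: Sampletown
Registrant Country: DE
Registrant Phone: +49.000000000
Registrant Email: jane@example.test
Admin Name: Jane Doe
Admin Email: jane@example.test
Tech Name: Hostmaster
Tech Email: hostmaster@example.test
"""

# Assumption: the last word of a contact-field key names the data element,
# and these elements identify a natural person and are withheld by default.
PERSONAL_FIELDS = {"name", "street", "city", "phone", "email"}
CONTACT_ROLES = ("registrant", "admin", "tech")
REDACTED = "REDACTED FOR PRIVACY"


def parse_whois(text: str) -> List[Tuple[str, str]]:
    """Parse 'Key: Value' lines into an ordered list of (key, value) pairs.
    Repeated keys such as 'Name Server' are preserved; comment and notice
    lines (starting with %, # or >>>) are skipped."""
    fields: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("%", "#", ">>>")):
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue  # not a field line
        fields.append((key.strip(), value.strip()))
    return fields


def is_personal(key: str) -> bool:
    """True for keys like 'Registrant Email' or 'Admin Phone'; false for
    technical keys ('Name Server') and for 'Registrant Organization'."""
    parts = key.lower().split()
    return len(parts) >= 2 and parts[0] in CONTACT_ROLES and parts[-1] in PERSONAL_FIELDS


def redact(fields: List[Tuple[str, str]], consented: bool = False) -> List[Tuple[str, str]]:
    """Return a publishable copy of the record. Personal contact fields are
    replaced with a placeholder unless the registrant has consented to
    publication; everything else is passed through unchanged."""
    if consented:
        return list(fields)
    return [(key, REDACTED if is_personal(key) else value) for key, value in fields]


def render(fields: List[Tuple[str, str]]) -> str:
    """Serialize back to the 'Key: Value' layout."""
    return "\n".join(f"{key}: {value}" for key, value in fields)


if __name__ == "__main__":
    print(render(redact(parse_whois(SAMPLE_RECORD))))
```

The parser keeps the record's field order and duplicate keys, so the published output has the same shape as the internal one; only the values of personal contact fields change. Whether a given registrant is a natural or a legal person, and therefore whether consent or the organization field should lift the redaction, is a policy decision the code only exposes through the `consented` flag.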
It is in this light that one can juxtapose the landmark privacy judgement by the Supreme Court of India, in August 2017, in the Justice K.S. Puttaswamy v. Union of India case. The judgement, in its 250-odd pages, does not define precisely what privacy is, and has left it to the executive to define appropriate regulation. On the other hand, the EU GDPR in its 250-odd pages has prescribed, in granular detail, various definitions and interpretations of privacy, including natural vs. legal persons; the right to delete and to be forgotten; the responsibilities of data controllers and processors; the 72-hour deadline for notification of security breaches; and, most important of all, administrative fines of up to 20 million euros or 3-4% of the total worldwide annual turnover of the firm for each violation. The flip side of such exhaustive detail in the EU GDPR is that firms must adhere to it in its true spirit, and not make a mockery of it under the guise of innocent users providing "informed consent" to hundreds of complex privacy clauses.
We really need an Indian data protection law which can stand the test of time; but at the same time, we need to make sure that the law is practised and adhered to in its true spirit.
The author is Professor, Centre for IT and Public Policy, IIIT Bengaluru (Views are personal)