20180110 eco gdpr domain industry playbook · pdf fileandreas konrad** martin lose* thomas...
TRANSCRIPT
1
GDPR Domain Industry Playbook
V.1.0
PLEASENOTEASUMMARYISPROVIDEDWITHASEPARATEDOCUMENT
Authors:
JuliaGarbaciok*AndreasKonrad**
MartinLose*ThomasRickert**JanSchlepper**OliverSüme*
*FieldfisherGermanyLLP,Hamburg,Germany,fieldfisher.com**RickertRechtsanwaltsgesellschaftmbH,Bonn,Germany,rickert.net
Illustrations:JefferyFrankenhauser,dougstudio.com
2
1
PartA-Introduction/Scope 7
I. PrincipleofDataMinimization 8
II. Ourapproachtodevelopingadatamodel 9
1. Whatisprocessing? 9
2. Whatislawfulprocessing? 9
3. Risksassociatedwithdataprocessing 10
a) Consent 10
b) Legitimateinterest 11
c) Performanceofacontract 11
4. Compliancerequirements 11
5. Alayeredmodel 12
6. Internationaltransfers 14
PartB–Processingofdatafordomainregistrationsandmaintainingdomainregistrations 15
I. Registrationandmanagementofthedomainname 15
1. Currentdatarecords 15
RegistrantName:Notdisplayedduetoapplicabledataprotectionlaw 20
RegistrantOrganization:Notdisplayedduetoapplicabledataprotectionlaw 20
3
RegistrantStreet:Notdisplayedduetoapplicabledataprotectionlaw 20
RegistrantCity:Notdisplayedduetoapplicabledataprotectionlaw 20
RegistrantState/Province: 20
RegistrantPostalCode:0000 20
RegistrantCountry:NL 20
RegistrantPhone:+00.0000000 20
RegistrantPhoneExt: 20
RegistrantFax: 20
RegistrantFaxExt: 20
RegistrantEmail:[email protected] 20
2. ICANNrequirements 20
II. DRL1Registrarandregistrydatawithoutadditionaleligibility/nexuscriteria 21
1. Registrar 22
a) Necessarydatarecord–registrar 22
aa)RegistrationDataRegistrar 22
bb)TechnicalData 23
cc)AccountingData 24
dd)Admin,Tech,andBillingContacts 25
ee)FurtherData 26
b) Reasons 26
aa)Contractprocessing 26
bb)Contacting/Transferissues 26
cc)Abuse 27
dd)Ownershipposition 27
ee)Transfers 27
ff)Result 27
2. Registry 28
a) Necessarydatarecord–registry 28
4
aa)Qualificationofthedomainnameaspersonaldata 30
bb)Result 33
b)Reasons 33
3. Datacontroller 33
a) DefinitionsArt.4no.(7)andno.(2)GDPR 34
b) Jointresponsibility(Art.26GDPRinconjunctionwithArt.4no.(7)GDPR) 34
aa)Hamiltonopinion 34
bb)Comment 35
(i)Distinctionbetweenprocessorandcontroller 35
(ii)Distinctionbetweenjointandco-controller 36
(iii)PurposeofArt.26GDPR 36
(iv)Setofoperations 37
(v)Assessment 37
(vi)Legalconsequence 38
(1) Liability 38
(2) Datasubject’sclaims 39
(3) Fines 39
(4) Agreement 39
(5) Jointcontactpoint 39
(6) Procedurerecord 40
cc)Responsibilityforotherdata 40
III. DRL1registrarandregistrywitheligibility/nexusrequirements 40
1. Obligation 40
2. Purpose 41
3. Responsibility 42
4. Authorization 42
IV. DataEscrow 43
1. Obligation 43
5
2. Purpose/necessity 43
3. Registrar 43
4. Affecteddata 44
5. Responsibility 44
6. Authorization 45
V. EBERO 45
1. Obligation 45
2. Affecteddata 46
3. Responsibility 46
VI. Resellersituation 46
1. Responsibility 47
a) AccountData 47
b) Registrationdata 47
2. Resellerchains 48
VII. DRL2–Transferofregistrantdatatotheregistry 48
1. Authorization 49
a) MitigatingAbuse 49
b) Centralmanagement 50
c) Securityandstability 51
d) Result 51
2. Responsibility 51
3. Risk 52
4. Conclusion 52
VIII. DRL3–Datacollectedbasedonconsent 53
PartC–DisclosureofData 53
I.NoJustificationforaPublicWHOISundGDPR 55
1. LegallyIneffectiveConsent 55
2. NoJustificationunderStatutoryLaw 56
6
II.LegalGroundsforDisclosureofRegistrationDatato3rdParties 57
1. Art.6(1)lit.b)GDPR-PerformanceofaContract–(PrivateSectorOnly) 57
2. Art.6(1)lit.c)GDPR(PublicSectorOnly) 58
3. Art.6(1)lit.f)GDPR–LegitimateInterests(PrivateSectorOnly) 60
a)"LegitimateInterests" 61
b)BalancingofInterests 62
c)NecessityofDataProcessing 63
d)RighttoObject,Art.21GDPR 64
e)Legitimate3rdPartyInterestsforDisclosureofWhoisData 64
4. Otherrequests 65
5. Note:DataSubject´sRights,Art.12etseq.GDPR 65
6. Disclaimer 65
III. InternationalTransferofData 66
1.InternationalDataTransferunderGDPR 66
2.InternationalTransferofWhoisDatatoNon-EULawEnforcementAgencies 67
IV. ProceduralAspects 68
a)CertificationofPublicAuthorities 68
b)CertificationofPrivate3rdParties 70
c)LogicalStructureofaDisclosureProcess 71
V. ProposalofaTrustedDataClearinghouse(TDC) 73
PartD–Outlook 74
PartA-Introduction/Scope
The General Data Protection Regulation (GDPR) poses a challenge for the Registries, Registrars,
Resellers,ICANN,andtheircontractors.
ByMay25,2018,allpartiesneedtobecompliant,whichmeansnotonlythatcontractsneedtobe
reviewed,butalsothattechnicalsystemsneedtoberevisited.
Todate,variouslegalmemorandahavebeensharedandseveralpartieshaveworkedontheirown
compliance, but no industry-wide proposal has been published that allows for a discussion of the
respectiverolesandresponsibilitiesofthepartiesinvolvedaswellasareviewofdataflows.
This paper shall facilitate the process of finding a commonly-adopted data model to allow for
compatibilityofthetechnical,organizational,andlegalmodelsthepartieswilluse.
Thepaper is not tobe construedas legal advice.All parties involvedneed toworkon theirGDPR
complianceindividually,whichgoesfarbeyondthetopicsdiscussedhere.
ThispaperonlydealswiththedataelementswhichICANNcurrentlyrequiresthecontractedpartiesto
process.
Furthermore,thepaperwillonlyaddressthedataflowsinthelightofgTLDdomainnameregistration
services.Thepartiesmightofferadditionalservicesorwishtoprocessadditionaldataelementsfor
theirownbusinesspurposes.Thelegalbasisforsuchprocessingneedstobeassessedbytherespective
partyandmightleadtoadditionalorothertreatmentthandiscussedinthispaper.
Thedatamodeldoesnotreflectanyoutsourcingthepartiesmightengagein.Particularcautionneeds
tobeexercisedwhenusingaRegistryServiceProviderora“Registrarasaservice”model.
Dataflowswillbeanalyzedbearinginmindthepartiestypicallyinvolvedinadomainnameregistration
andasrequiredbyICANNorganizationinitscontracts.Thegraphicbelowshowshowthesepartiesare
related.Dottedlinesrepresentdataflows.ICANN´sCentralizedZoneDataService(“CZDS”)andBulk
RegistrationDataAccess(“BRDA”)havenotbeenassessedinthispapber.However,thesewouldalso
8
needtobereviewed.WeshouldnotethatCZDSiscausingconcerns,asitcurrentlyenablessystematic
harvestingofWhoisdatabasesandleadstohugevolumesofunsolicitedelectroniccommunicationto
registrants.
Note: This illustration includes neither outsourcing, such as RSPs or Registrar-as-a-service
models,norICANN’sCZDSandBRDArequirements.
I. PrincipleofDataMinimizationTheRAandtheRAArequiretheprocessingofnumerousdataelements,notallofwhichconstitute
personaldata.WhiletheGDPRonlyprotectspersonaldata,thepaperincludesalldataelements,in
ordertoallowforaholisticviewofthedataflowsandofferabasisforimplementation.
Whilethecurrently-useddatarecordsarealludedto inthispapertoallowforacomparisonofthe
statusquowiththeproposeddataflows,theapproachhasnotbeentomodifythecurrentsystemby
wayof subtracting certainelements toachieve compliance,but rather theopposite.Basedon the
principleofdataminimization(Art.5(1)lit.c)GDPR),thethoughtprocesswastostartwithwhatis
requiredasaminimum toprovide the servicesand toadequately recognize the rightsof thedata
subjects, while also taking into consideration use cases and interests brought forward by law
enforcement, IP interestsandothergroups,whicharenotpartof thecontractual relationships for
gTLDs.
9
II. OurapproachtodevelopingadatamodelThedatamodelisbasedonananalysisofhowdatacanbeprocessedinalegallycompliantfashion.
Wheredifferentoptionsforprocessingexist,theoptionswiththeleastriskforthepartiesinvolved
shouldbeprioritized.
1. Whatisprocessing?Processingmeansanyoperationorsetofoperationswhichisperformedonpersonaldataoronsets
ofpersonaldata,whetherornotbyautomatedmeans, suchascollection, recording,organization,
structuring,storage,adaptationoralteration,retrieval,consultation,use,disclosurebytransmission,
dissemination or otherwise making available, alignment or combination, restriction, erasure or
destruction(seeArt.4no.(2)GDPR).
Ascanbeseenfromthisdefinition,oneneedstorevieweachandeveryprocessfromcollectionto
deletionforeachdataelementandestablishwhatlegalbasis,ifany,thereisforprocessing,i.e.the
processesneedtobeanalyzedatthemicroandmacrolevels.
Togiveafewexamples:Datathatcanbelegallycollectedbyapartyforacertainpurposemustnotbe
transferredtoanotherpartywithoutalegalbasisforthattransfer.Datathatcanlegallybecollected
andusedinternallymustnotbepublishedwithoutalegalbasisfordoingso.
2. Whatislawfulprocessing?
TheGDPRoffersvariousalternativesforlawfulprocessing.ThesecanbefoundinArt.6(1)GDPR,which
readsasfollows:
Processingshallbelawfulonlyifandtotheextentthatatleastoneofthefollowingapplies:
(a) thedatasubjecthasgivenconsenttotheprocessingofhisorherpersonaldataforoneormorespecificpurposes;
(b) processingisnecessaryfortheperformanceofacontracttowhichthedatasubjectispartyorinordertotakestepsattherequestofthedatasubjectpriortoenteringintoacontract;
(c) processing isnecessaryforcompliancewitha legalobligationtowhichthecontroller issubject;
(d) processing is necessary in order to protect the vital interests of thedata subject or ofanothernaturalperson;
10
(e) processingisnecessaryfortheperformanceofataskcarriedoutinthepublicinterestorintheexerciseofofficialauthorityvestedinthecontroller;
(f) processing is necessary for the purposes of the legitimate interests pursued by thecontrollerorbyathirdparty,exceptwheresuchinterestsareoverriddenbytheinterestsor fundamental rights and freedoms of the data subject which require protection ofpersonaldata,inparticularwherethedatasubjectisachild.
3. Risksassociatedwithdataprocessing
Inthepresentcase,subparagraphs
(a) Consent(b) Performanceofacontractand(f) LegitimateInterest
ofArt.6(1)GDPRcouldbeapplicable.Thelegalassessments1availablehaveprovidedmoredetailson
thistopic,soratherthanreiteratingtheirreasoninghere,wewillsimplybaseourworkonthosethree
alternatives.
Itshouldbenoted,thatArt.6(1)lit.b)GDPRcannotbeusedasalegitimizationforthecurrentsetup
arguingthatICANNrequiresRegistriesandRegistrarstocollectandretainalldataintheircontracts.
This argument would comprise of circular reasoning. What needs to be reviewed is whether the
requirements ICANNpresentsarecompliantwithGDPR´sbasicprinciplesofdataminimizationand
purposelimitation.
Ananalysisofthethreealternativesshowsthattherearedifferentrisksandrisklevelsassociatedwith
eachalternative.
a) Consent
Withrespecttoconsent,thereareseveralfactorstoconsider(seeArt.7GDPR):
• Thecontrollermustbeabletodemonstratethatthedatasubjecthasconsented.• Ifthedatasubject'sconsentisgiveninthecontextofawrittendeclarationwhichalso
concernsothermatters,therequestforconsentshallbepresentedinamannerwhichisclearlydistinguishablefromtheothermatters,inanintelligibleandeasilyaccessibleform,usingclearandplainlanguage.AnypartofsuchadeclarationwhichconstitutesaninfringementofthisRegulationshallnotbebinding(Art.7(2)GDPR).
• Consentcanbewithdrawnatanytimewithoutgivingareason.
1HamiltonOctober2017Memorandum:https://www.icann.org/en/system/files/files/gdpr-memorandum-part1-16oct17-en.pdf;TaylorWessing:https://www.icann.org/en/system/files/correspondence/sheckler-to-swinehart-atallah-29oct17-en.pdf;WSGR:https://gnso.icann.org/en/drafts/wsgr-icann-memorandum-25sep17-en.pdf
11
• Consentmustbegivenfreely.Thereisaprohibitionofcoupling.
There are risks associated with proof, such as potentially coupling consent with a domain name
registrationandwithdrawal.
b) Legitimateinterest
FordataprocessingaccordingtoArt.6(1)fGDPR,thereistheriskofobjectionaccordingtoArt.21(1)
GDPR,whichreads:
Thedatasubjectshallhavetherighttoobject,ongroundsrelatingtohisorherparticularsituation,at
anytimetoprocessingofpersonaldataconcerninghimorherwhich isbasedonpoint(e)or(f)of
Article6(1)GDPR,includingprofilingbasedonthoseprovisions.Thecontrollershallnolongerprocess
thepersonaldataunlessthecontrollerdemonstratescompellinglegitimategroundsfortheprocessing
whichoverridetheinterests,rightsandfreedomsofthedatasubjectorfortheestablishment,exercise
ordefenceoflegalclaims.
c) Performanceofacontract
Thereisneitherapossibilityofanobjection,norcananyconsentbewithdrawn.
Insummary:
- theleastriskisinvolvedwithdataprocessingrequiredtoperformacontract;- thesecondbestoptionisdataprocessingclaimingalegitimateinterest,shouldtherebeany,
asthisgivesthedatacontrollerarighttodefenditsposition;- thehighestriskisinvolvedwithconsent,asthewithdrawalmustbeacceptedbythedata
controller.
NOTE:Whenreferenceismadetoperformanceofacontractinthispaper,thismeansperformance
ofthecontractwiththeregistrant,note.g.contractualrequirementsinthecontractswithICANN.
4. CompliancerequirementsICANNhaspublishedastatementonNov.2ndexplainingthatICANNContractualCompliancewilldefer
takingactionagainstanyregistryorregistrarfornoncompliancewithcontractualobligationsrelated
to the handling of registration data, see https://www.icann.org/resources/pages/contractual-
compliance-statement-2017-11-02-en.
ICANNalsoindicatedthatguidanceontheprocessandeligibilitycriteriawillbeprovidedshortly.
12
Intheabsenceofanyguidanceatthetimeofdraftingofthispaper,weassumethat
- ICANNContractualCompliancewillnotonlydefertakingactionbasedonnoncompliancerelatedtoregistrationdata,butwithrespecttoanypersonaldatasubjecttoGDPR.Thispaperreferstoallpersonaldata,andsuchanapproachshouldnotcauseissueswithICANNContractualCompliance.
- ICANNwillsupporttheapproachtakeninthispaper,whichisnottolimitthelegalassessmentofdataprocessingtoonlyonelegalbasis,butinsteadtosupportamodelallowingforbestpossibleriskmitigationandcompliance.
5. AlayeredmodelBasedontheabovefindings,thedatamodeldescribedinthispaperwillbebasedonthreedatarisk
levels (DRL).Minimizing the risk forallparties involved isnecessarynotonly toavoidsanctionsby
authorities,butalsotoensurethatdomainnameregistrationscanbeupheldandtolimittheriskthat
dataelementsmustberemovedfromsystemsoperatedbydifferentparties.Thelevelsare:
DRL1–Lowrisk–Performanceofacontract
DRL2–Mediumrisk–Legitimateinterest
DRL3–Highrisk-Consent
Asafirststep,itneedstobeestablishedwhatdataisnecessaryforregistriestoregisterandresolve
domainnames(“RegistryMinimumDatarecord”),aswellaswhatminimumsetofdataisnecessary
forregistrarstocompletethedomainnameregistrationprocess(“RegistrarMinimumDatarecord”).
ThatdatafallsintoDRL1.
Pleasenotethat thesedatarecordsmayvarybasedontherequirements,particularly thoseof the
registries.Togivejustoneexample:Someregistrieshavenexusorothereligibilityrequirements,while
othersdonot.However,suchdatawouldstillfallintoDRL1,asitisrequiredtoperformthecontract.
Anyadditionalprocessing,suchasthetransferofdatatoanEscrowAgentforbackuppurposes,falls
intotheDRL1categoryasdefinedinthispaper.
13
As a second step, we will analyze what processing can be based on a legitimate interest. This is
particularlyrelevanttothequestionofwhetherornottodisclose/publishdataviaWhois.
Sinceprocessingbasedonconsentbearsahighrisk for theparties involved,andmaynotevenbe
possible for certain types of processing, the model described in this paper will not include any
suggestionsforconsent-basedprocessing.Whileitispossiblethatpartiesinvolvedwillintroducesuch
processing, consent-based processing should not be mandatorily required by ICANN due to its
associatedrisks.
Inthisdocument,youwillfindadescriptionofthejourneyofthevariousdataelements.
Thedata inquestion isasubsetofthedataelementscurrentlyrequiredtobeprocessedbyICANN
contractsandpolicies.
Contained in the document, you will find a proposal for DRL1, DRL2 and DRL3 data, as well as
informationontherolesoftheparties,e.g.whoisdataprocessorandwhoisdatacontroller?This
informationisrequiredtoenablethepartiesinvolvedtoinformthedatasubjectsaccordinglyandto
therebyfulfillinformationandtransparencyrequirements.
Wewillexplainwhywethinkthesolutionofferedisdefendable.However,wedonotclaimthatthe
solutionofferedistheonlyconceivableoption.
ItisimportanttonotethatwerecommendadatamodelbasedonDRL1tobeenforcedbyICANN.The
recommendationarisesbecausewedonotthinkitisappropriatetocontractuallyrequire(andsanction
in case of non-compliance) contracted parties to take additional risks in the course of managing
domainnameregistrationsandtheiruse.However,thisdoesnotmeanthatweareadvocatingagainst
dataprocessingaccordingtoDRL2andDRL3.AlllegalgroundsmentionedintheGDPRcanbeusedfor
data processing (with the caveat that they are applied in a compliantmanner). Thedatamodel is
designed to be sufficiently open to allow for additional data processing, particularly based on
legitimateinterestswhichapartyorpartiesinvolvedmighthave.Inthispaper,welistseveralcases
wherealegitimateinterestcanbeclaimedtobepresent,butthatlistisnotexhaustive.
14
Thesolutionofferedwillbeopenforcommentandconsultation.Itcouldbeusedonan“as-is”basis
for the interim phase until such time as the policy development process to reflect the GDPR is
completed.Ideally,itwouldbeusedasthebasisforalong-termsolutionforacompliantgTLDeco-
system.
6. InternationaltransfersPleasenotethatthispaperdoesnotelaborateoninternationaldatatransfersandthesafeguardsthat
mustbeinplaceforthosetobelegal.Forexample,usingEUmodelclausesorPrivacyShielddoesnot
maketheprocessingofdatacompliantingeneral,andtheprocessingdescribedinthispaperdoesnot
rendertherequirementforsafeguardstocoverinternationaltransfersredundant.
Inotherwords:WhereverdataistransferredoutsidetheEU,thatneedstobelookedatbothwhenit
comestodatatransfersbetweenregistrants,resellers,registrars,registries,escrowagents,theEBERO
andICANN,andalsowhenitcomestodisclosurerequestswheretherequestorisbasedoutsidethe
EU.
15
Part B – Processing of data for domain registrations andmaintainingdomainregistrations
I. Registrationandmanagementofthedomainname
The first step (see table below) indicates the data required by the various participants in
registeringandmaintainingadomaintocomplywiththeircontractualobligations.
1. Currentdatarecords
In its contracts and policies, ICANN specifies the data to be collected and provided by
participants.Theillustrationbelowshowsthecorrespondingrelevantdata.2
Pleasenotethatnodifferentiationismadehereasbetweenthespecificdatatobecollected
andprovidedbyeachparticipant.
Alldataelementscurrentlyrequired
DomainName
RegistryDomainID
RegistrarWhoisServer
RegistrarURL
UpdatedDate
CreationDate
RegistryExpiryDate
RegistrarRegistrationExpirationDate
Registrar
RegistrarIANAID
RegistrarAbuseContactEmail
RegistrarAbuseContactPhone
Reseller
DomainStatus
RegistryRegistrantID
2https://www.icann.org/en/system/files/files/draft-gdpr-dataflow-template-registration-data-elements-29jun17-en.pdf
16
RegistrantFields• Name • Organization(opt.) • Street • City • State/province • Postalcode • Country • Phone • Phoneext(opt.) • Fax(opt.) • Faxext(opt.) • Email 2ndEmailaddress
AdminIDAdminFields
• Name • Organization(opt.) • Street • City • State/province • Postalcode • Country • Phone • Phoneext(opt.) • Fax(opt.) • Faxext(opt.) • Email
TechID
TechFields• Name • Organization(opt.) • Street • City • State/province • Postalcode • Country • Phone • Phoneext(opt.) • Fax(opt.) • Faxext(opt.)
17
BillingIDBillingFields(notapplicabletoallregistries)
• Name • Organization(opt.) • Street • City • State/province • Postalcode • Country • Phone • Phoneext(opt.) • Fax(opt.) • Faxext(opt.) • Email
NameServer
DNSSEC
NameServerIPAddress
LastUpdateofWhoisDatabaseOTHER DATA Transfer Contact Driver’s License Transfer Contact Passport Transfer Contact Military ID Transfer Contact State/Government Issued ID Transfer Contact Birth Certificate Registrar Primary Contact Name Registrar Primary Contact Address Registrar Primary Contact Phone Number Registrar Primary Contact Fax Number Registrar Primary Contact Email Address Name and Contact Information of Shareholders with 5% ownership interest in Registrar Full name, contact information, and position of all directors of the Registrar Full name, contact information, and position of all officers of the Registrar Ultimate parent entity of the Registrar, if applicable List of Registrars’ Resellers Registrant IP Address
Maintainer URL The ENS_AuthId identifying the authorization of the registration
18
Last Transferred Date Name Server Status Any other registry data that Registrar submitted to registry operator Types of domain name services purchased for use in connection with the registration “Card on file,” current period third party transaction number, or other recurring payment data Information regarding the means and source of payment reasonably necessary for the Registrar to process the registration transaction, or a transaction number provided by a third party payment processor Log files, billing records and, … other records containing communications source and destination information, including (depending on the method of transmission and without limitation): (1) Source IP address, HTTP headers, (2) the telephone, text, or fax number; and (3) email address, Skype handle, or instant messaging identifier, associated with communications between Registrar and the registrant about the registration
Log files and, … other records associated with the registration containing dates, times, and time zones of communications and sessions, including initial registration Privacy/Proxy Customer contact information Those objects necessary in order to offer all of the approved Registry Services
Inordertofurtherenhanceunderstanding,theabovedataelementscanbecategorizedasshownin
thefollowingillustration.
19
PleasenotethattheAccountHolderDataboxinthegraphicdoesnotconsistofdatathatis
requiredtobeprocessedbyICANN.However,Registrarsdoinpracticesetupaccountsand
hence they process account holder data, which is also used for invoicing and contacting
customers.
We recommend that the thick registry data model not be abandoned. We have also not
recommended any changes to be made to the individual data elements / fields. However, the
analysis below will indicate which of the data elements mentioned above can legitimately be
collectedandhowtheycanbeprocessed.Wheredataelementscannotbeprocessed,fortechnical
reasons,therespectivedatafieldswillbepopulatedwithsyntacticallycorrectplaceholderdata.For
anexampleofsuchplaceholderdata,pleaseseethebelowexample:
20
RegistrantName:Notdisplayedduetoapplicabledataprotectionlaw
RegistrantOrganization:Notdisplayedduetoapplicabledataprotectionlaw
RegistrantStreet:Notdisplayedduetoapplicabledataprotectionlaw
RegistrantCity:Notdisplayedduetoapplicabledataprotectionlaw
RegistrantState/Province:
RegistrantPostalCode:0000
RegistrantCountry:NL
RegistrantPhone:+00.0000000
RegistrantPhoneExt:
RegistrantFax:
RegistrantFaxExt:
RegistrantEmail:[email protected]
2. ICANNrequirementsAccordingtothedatamodelproposedwithinthisdocument,ICANNwillandcanspecifythedatato
be collectedwithobligatory effect for theparticipants. This is the casebecause,while thedata in
categoryDRL1isgenerallynecessaryfortherespectiveparticipantstoprovidetheirservice,itisalso
necessaryforthestabilityandfunctionalityoftheoveralldomainsystemandtheparticipantsarein
anycaseobligatedbyICANNtocollectandprovidethisdata.Thus,theprocessingofDRL1datashall
bemandatoryandenforcedbyICANN.
Withregardtotheresponsibilityoftherelevantparticipantsunderdataprotectionlaw,referenceis
madetoClauseIINo.3ofthisdocument.
21
II. DRL1 Registrar and registry data without additional
eligibility/nexuscriteria
Alldatathatthevariousparticipantsareobligedtocollectandprocessforthepurposeofcontract
fulfillmentarecontained inDRL1 (see Illustrationbelow).Adistinctionmustbemadebetweenthe
RegistrarandtheRegistry,which requiredifferentdata for the fulfillmentof their tasks.Here, it is
assumedthattheregistrydoesnothaveanyfurtherspecificrequirementsforaregistration.
Thedataelementsintheredboxesarenotrequiredtobecollected.Thedataelementsinthegreen
boxesshallbecollected.Furthercommentonthedataelementsintheyellowboxwillbeprovided
below.
Authorization
Art.6Ib)GDPRallowstheprocessingofpersonaldataforthefulfillmentorperformanceofacontract
where the party is the contractual person. In this respect, the datamandatorily required for the
fulfillmentoftheregistrationorderarelegitimatelyprocessedthroughArt.6Ib)GDPR.
22
1. Registrar
a) Necessarydatarecord–registrar
Definitionof“necessary”:
Processingisnecessaryforcontractfulfillmentifthecontractcouldnotbefulfilledwithoutprocessing
thedatatothestatedextent.
Theregistraristhecontractualpartneroftheregistrantwithregardtotheregistrationofthedomain.
Withinthescopeoftheregistrant’sorder,theregistrarwillstriveforregistrationwiththerelevant
registryandmaintainsuchfortheregistrantaftersuccessfulregistration.
Thefollowingdataelementsareobligatoryforexecutionoftheorderbytheregistrar:
aa)RegistrationDataRegistrar
DomainName
RegistrarWhoisServer
RegistrarURL
UpdatedDate
CreationDate
RegistryExpiryDate
RegistrarRegistrationExpirationDate
Registrar
RegistrarIANAID
RegistrarAbuseContactEmail,mustberolecontact
RegistrarAbuseContactPhone,mustberolecontact
DomainStatusRegistrantFields
• Name • Organization(opt.) • Street • City • State/province • Postalcode • Country • Phone • Phoneext(opt.)
23
• Fax(opt.) • Faxext(opt.) • Email
Registrantsmaybenaturalorlegalpersons.Therefore,thequestionarisesastowhetherenterprise
datamustbetreateddifferentlythandatafromprivatepersonsasregistrants.Thedifferentiated
treatment, however, bears significant risksbecauseenterprisenamesmayalso containpersonal
referencesanda self-identificationof the registrant in this respectwouldnot result ina reliable
distributionofdatainventory.Inthisrespect,adifferentiationbetweennaturalandlegalpersons
shouldnotbemade.
However,inputfromDPAsshouldbesoughtastowhetheradistinctioncouldbemadebasedona
self-identification by the registrant. Should that be deemed to be an acceptable safeguard,
differentiatedtreatmentcouldbeconsidered.
Fromapracticalstandpoint,itmaybedesirableorevennecessarytohavedifferentcontactdatafor
differentpurposesfromtheregistrant.Thismayinparticularbetrueforcorporatecustomers,where
itisnotpracticaltosendanycommunicationregardingaregistereddomainnametoonecontact
onlyandthereisaneedtodifferentiatewithregardtothenatureofthecommunication,i.e.have
differentcontactsfortechnicalandcommercialmatters.Asalreadystated,thiscouldalsobeinthe
registrant’sowninterests.Suchinterestsforadditionalcollectionandprocessingofdatahavetobe
reviewed by each registrar and do not form the subject of this evaluation. Typically, these are
containedinthesetofdataelementstheregistrarisprocessingforthecustomeraccount.
bb)TechnicalData
Theregistrarcollectsthefollowingtechnicaldatafromtheregistranttopasstheseontotheregistry,
sothattheregistrycansetupdomainregistrationonthetechnicalsideinthecorrespondingtop-level
domainnamespace.
NameServer
DNSSEC
NameServerIPAddress
LastUpdateofWhoisDatabase
24
cc)AccountingData
Inadditiontoregistrationdata,theregistrarwillalsocollectinvoicedataofthecontractualpartner,
whichisnotmandatorilyidenticaltotheregistrantdata.Theaccountdataoftheregistrantoranother
listed obligee under the contract may also be collected and processed. This is necessary for the
collectionofregistrationandprocessingfeesunderthecontract.
Furthermore,theregistrarwillalsoretainavailableincomingpaymentsaswellascorrespondencewith
aregistrantorcontractualpartnerinacustomeraccountorothercustomer-specificdatabase.
Thisdataisnecessaryforproperperformanceofthecontract.Asageneralrule,thispertainstothe
followingdata:
• Bankdata
• Customerdata(insofarasdifferentfromregistrant’sdata)
• Billingdata
ICANNobligation
AspecificationbyICANNonthecollectionandprocessingofthisdataisnotappropriatebecausethis
data isnotnecessary for themaintenanceandstabilityof theDNS.Only the registrar requires the
stated data for its performance of the contract vis-à-vis a contractual partner. In this respect, a
compulsoryspecificationby ICANNtostore thisdata isnotnecessary tomaintain theDNS.To this
extent, collection andprocessingof thedata fields following from thedata retention specification
should not be compulsory under ICANN.Rather, applicable statutory regulations,which should be
applied,existfortherelevantregistrarregardingtheobligationtocollectandretaindata.Thisdata
may be requested from customers, so that no disadvantages should exist, e.g. for prosecution
authoritiesincasesoflegitimatecollectionandstorage.ProcessingatthebehestofICANNmightresult
inajointcontrollersituation(seeICANN3bbb(iv)),withtheconsequencethatICANNwouldbear
liabilityrisksforthesedataelements.This,however,doesnotappeartobeinICANN’sbestinterests.
Specifically,thispertainstothefollowingdataelements:
Any other registry data that registrar submitted to registry operator
25
Types of domain name services purchased for use in connection with the registration “Card on file,” current period third party transaction number, or other recurring payment data Information regarding the means and source of payment reasonably necessary for the Registrar to process the Registration transaction, or a transaction number provided by a third party payment processor Log files, billing records and, … other records containing communications source and destination information, including, depending on the method of transmission and without limitation: (1) Source IP address, HTTP headers, (2) the telephone, text, or fax number, and (3) email address, Skype handle, or instant messaging identifier associated with communications between Registrar and the registrant about the Registration
Log files and, … other records associated with the Registration containing dates, times, and time zones of communications and sessions, including initial registration
BasicSetup:DataRiskLevel1>Registrar
Dataelementsshouldnotbecollectedandprocessed/retainedforICANN
CertaindataelementsareprocessedbytheRegistrarfortheir?Purposeandneedtoberetainedaccordingtoapplicablelaws.NoneedforanICANNrequirement.GoodforICANN;noriskinvolved
Thedata in thedataretentionschedulemaybecollectedandprocessedbyregistrarsaccordingto
applicablelegalrequirements,buttheyshouldnotbemandatedbyICANN.
dd)Admin,Tech,andBillingContacts
Theprovisionofadmin,tech,orbillingcontactdataisnotnecessaryintermsofArt.6(1)lit.b)GDPR,
becausetheyarenotnecessarytoperformregistrationforeithertheregistrarortheregistry.Thedata
fieldscurrentlyrequiredinthisrespectcanbedeletedwithoutsubstitution.
26
ee)FurtherData
Registrarprimarycontact
In light of further data retained by the registrarwith regard to domain registration, the “registrar
primarycontact”datarecordrecordedbytheregistraritselfisstillrelevantunderdataprotectionlaw.
The registrar’s own employee data disclosed here by the registrar itself for contact purposes is
necessaryforfulfillmentofthecontract,inordertooffertheregistranttheopportunityforcontact
withinthescopeofthecontract.
b) Reasons
aa)Contractprocessing
Theregistrarmustbeabletoallocateaspecificdomaintoaspecificcustomerinordertomanageand
process its internalcontracthandling. In this respect, theregistrarmustbeallowedtoallocate the
domainsregisteredthroughitsservicetospecificcustomers,inordertobeinapositiontoallocate
andimplementinquiriesandrequestswithinthescopeofdomainmanagementtotheactualowner
orauthorizedperson.
bb)Contacting/Transferissues
Theregistrarmustfurthermorebeabletocontactitscustomerswithinthescopeofcurrentcontracts.
Withrespecttodomainregistrations,aquickandeasyaccesstoregistrantsisalsonecessarytobeable
toaddressanyproblemsorotheranomalieswithregardtothedomainnamewhichmayarise.3
Thecurrentprocedurefordomainnametransfersviaemailcommunicationcannotbecontinueddue
toGDPRrequirements.Atpresent,emailscanbesenttotheAdmin-Ctogettransfersconfirmed.In
theabsenceofcollectionofAdmin-Cdata,thetransferprocessneedstoberevised.Furthermore,as
PartCofthisdocumentwillexplain,theregistrant’semailaddresswillnolongerbepublished.
We therefore suggest establishing a new system based on secure auth-codes with the option of
revoking transferswithin a reasonable timeframe.As such, thedisclosureof the registrant´s email
addressinapublicWhoisisnolongerrequired.Thisway,theprincipleofdataminimizationisfulfilled.
3Overallinthisrespectseehttps://www.icann.org/resources/pages/gtld-registration-dataflow-matrix-2017-07-24-en
27
Alternatively,transferscanstillbecarriedoutwithouthavinganemailaddresspublishedbymeansof
communicationbetweentheregistrars.SincetheInterRegistrarTransferPolicyallowsforcontacting
eithertheregistrantortheAdmin-Cemailaddress,itwouldneedtobeclarifiedthatonlytheregistrant
emailaddressmustbeusedfortransfers.
We should note that registrars are currently engaged in discussions about newways to facilitate
transfers,andthesediscussionscouldcontributetoasolution.What’smore,adistinctionneedstobe
madebetweentransfersandtrades(ownerchanges),asthesehavedifferent legalandoperational
implications.
cc)Abuse
Thiscategorymayrefertocasesinwhichthedomainisabusedexternallybythirdpartiesortocases
inwhichitissuspectedthattheregistrantitselfisinvolvedinperforminganactofinfringement.The
registrarmustalsobeabletofulfilllegitimateclaimsofthirdpartieswithregardtothedomainorthe
relevantregistrant.Inthisrespect,aneedtoquicklyestablishcontactwiththecustomerfrequently
arises.
dd)Ownershipposition
The registrar has an interest in quickly and directly contacting the registrant in case of disputes
concerning factualand legitimateownershipof theregistrantwithregardtothedomainand/or to
haveownershipconfirmedbythelistedowner.
ee)Transfers
Evenintheeventofatransfertoanotherregistrarandinquiriesorrequestsreceivedinthisrespect,it
maybeintheregistrar’s(andregistrant’s)interestiftheregistrarincaseofdoubtcanquicklycontact
theregistrant.
ff)Result
Forthispartofdomainmanagement,itiscorrespondinglynecessaryfortheregistrartocollectand
storetheregistrant’sfullcontactdata.
Unfeasibledomainregistration
28
Sincetheregistrarhasnoguaranteethataregistrationcaninfactbeperformedbytheregistry,itmay
occurthattheregistrarhasalreadycollectedtheregistrant’sdatabutthatadomainisultimatelynot
registered.
In this case, data collectionmaybe justifiedeven if a registration canultimatelynotbeexecuted,
because the justificationpursuant toArt. 6 I b)GDPRalsoencapsulatespre-contractualmeasures.
Furthermore, the registrar’s effort to register represents the content of the order vis-à-vis the
registrant,sothatcontractfulfillmentmeasuresexistwithregardtofulfillmentofthiscontract,but
notpre-contractualmeasures.
2. Registry
a) Necessarydatarecord–registry
ThroughtherelevantRRA,theregistry istheregistrar’scontractualpartnerandresponsibleforthe
technicalimplementationofdomainregistrationsandtheirmaintenance.Intheprocess,theregistry
reviews the availability of a domain name, registration of a domain name, and subsequently the
technicalavailabilityofthedomainnamethroughtheDNS.
29
Thefollowingdataiscompulsoryfortheregistrytoperformregistrationandtomaintainthesame,
andmustbecollectedbytheregistrarandtransferredtotheregistry:
RegistrationData-Registry
DomainName
RegistryDomainID
RegistrarWhoisServer
RegistrarURL
UpdatedDate
CreationDate
RegistryExpiryDate
Registrar
RegistrarIANAID
RegistrarAbuseContactEmail,mustberolecontact
RegistrarAbuseContactPhone,mustberolecontact
DomainStatus
Fromadataprotectionperspective,onlythedomainnameisrelevantfortheregistryaspotentially
involvingpersonaldata.
However,apolicydevelopmentprocessinvolvingallICANNstakeholdershasconfirmedbywayofa
consensus policy that is binding for all contracted parties, that a thickWhois model should be
maintainedbyallregistries.Thelogicbehindthisembracesarchivalandrestorationpurposesaswell
astheobjectiveofimprovingdataquality.WeareseekinginputfromtheDPAsastowhethersuch
apolicycanbeusedasa justificationforthetransferofregistrantdatafromtheregistrartothe
registryandforsucharequirementtobeenforceablebyICANN.Thatdoesnotmeanthatsuchdata
shouldbeavailableviaapublicWhoisservice.
Thesameappliestotechnicaldatawhichisrequiredfortheregistrytoperformregistrationandto
maintaintheconnection:
30
NameServer
DNSSEC
NameServerIPAddress
LastUpdateofWhoisDatabase
Theremainingdata,inparticularthedatapertainingtotheregistrar,doesnotconstitutedatathatis
identifiableorthatpertainstoanidentifiednaturalperson.Assuch,thisdataiscurrentlynotrelevant
underdataprotectionlaw.
aa)Qualificationofthedomainnameaspersonaldata
AdomainnamemaybepersonaldataintermsoftheGDPR.Thedifferentiationprocessinvolvedin
determining whether the relevant domain represents personal data causes major problems in
practice4;assuch,weareconsideringalldomainnamestobepersonaldatawithinthescopeofthis
paper.
4SeealsoHamilton,December2017Memorandum,paragraph2.18.2:https://www.icann.org/en/system/files/files/gdpr-memorandum-part2-18dec17-en.pdf
31
PursuanttoArt.4no.(1)GDPR,“personaldata”meansany informationrelatingtoan identifiedor
identifiablenaturalperson(“datasubject”);anidentifiablenaturalpersonisonewhocanbeidentified,
directlyorindirectly,inparticularbyreferencetoanidentifiersuchasaname,anidentificationnumber,
location data, an online identifier or to one ormore factors specific to the physical, physiological,
genetic,mental,economic,culturalorsocialidentityofthatnaturalperson.
Adomainnameisdatathatisallocatedtoaspecificpersonorenterprise.Assoonastheownerofa
domainisanaturalperson,thedomainnamethereforeconstitutesdatapertainingtoanidentifiable
naturalperson.Thefactthattheidentificationoftheregistrantunderthemodelshownhereisnot
easilypossiblefortheregistryitselftoidentifyhasnoeffectonthequalificationaspersonaldata.
Inthisrespect,theEuropeanCourtofJustice(ECJ),whenconsideringasimilarcasesituation5–the
storageofdynamicIPaddressesofvisitorsatwebsitesofofficialauthorities–ruledthat,withregard
to thequalificationaspersonaldata, it is irrelevant that thisdatacannotbeallocated toanatural
personbythecollectingorstoringentityitself.PursuanttothejudgmentoftheECJ,theidentifiability
ofthepersonbehindthedataisalreadysufficient.Withregardtothevariantofanofficialauthority
storingthedynamicIPaddress,referencewasmadetothedisclosureoftheconnectiontoanatural
person in particular through the information processes vis-à-vis the relevant telecommunication
provider.
Followingthislineofreasoning,adomainnameisalsodatathatinthepresentmodelcanbedisclosed
bytheregistrar.
By limiting theprotectionof theGDPR tonaturalpersons (seepreviousdefinitionofArt.4no. (1)
GDPR),onlydomainnameswithnaturalpersonsasregistrantswouldbesubjecttotheprotectionof
the GDPR. However, this gives rise to potential allocation problems on several levels. Firstly, the
registrydoesnotknowwhethertheregistrantofadomainnameisanaturaloralegalperson.Inthe
presentmodel,thisdisclosureisonlypossiblefortheregistrartoundertake.
Evenwithaclearallocationofthedomainnametoanaturalorlegalperson,thedomainnameitself
maycontainnamecomponentsofanaturalpersonandthuspersonalreferences.Furthermore,the
protective scopeof theGDPRmayalsobeopenwith regard to legalpersons, if and insofaras the
5ECJ,judgmentof19October2016,C-582/14
32
enterprisenameofa legalperson itselfmaycontainnamecomponentsenablinganallocationtoa
naturalperson.
ItshouldbeclarifiedthatRecital14doesnotchangethisresult.Ithasthefollowingwording:
The protection afforded by this Regulation should apply to natural persons,whatever their
nationality or place of residence, in relation to the processing of their personal data. This
Regulationdoesnotcovertheprocessingofpersonaldatawhichconcernslegalpersonsandin
particularundertakingsestablishedaslegalpersons,includingthenameandtheformofthe
legalpersonandthecontactdetailsofthelegalperson.
ThescopeofRecital14maystillbeopenforinterpretation.However,itisouropinionthatitdoesnot
contradicttheconclusionsasdetailedabove–i.e.thateventhedomainnameofalegalpersoncanbe
deemedasconstitutingpersonaldataincertaincases.
Recital14shallnotlimittheprotectionofrightsofindividualswithregardtotheirdata.Lookingata
domainnameregisteredonalegalpersonwhoseentitynameisconstitutedbythename(orpartsof
it)ofanaturalperson:itisclearthatsuchanamecanalsobeusedtoidentifythepersonbehindthe
entity´sname.EventhoughRecital14limitstheapplicabilityofGDPRtothelegalpersonitself,this
doesnothindertheapplicabilityandneedforprotectionofthenaturalpersonbehindthelegalperson.
This is true in particularwith regard to small legal persons consisting possibly of just one natural
person.
Also, ina judgmentof theECJof9November2012,CaseC-92,93/09, theCourtof Justice ruled in
paragraph 53 that the protection of Articles 7 and 8 of the Charter of Fundamental Rights of the
EuropeanUnion(hereinafterreferredtoas"theCharter")isinparticularsubjecttotheprotectionof
small legal persons (one person enterprises / sole proprietorships). Article 7 and 8 of the Charter
specificallyprotect“Respectforprivateandfamilylife”and“ProtectionofPersonalData”,sothatit
canbepresumedthatRecital14relatesonlytodatarelatingexclusivelytolegalpersonsandnotto
naturalpersons.
This is also covered by the view that data can have a double character. As such, data can have a
connectiontothelegalpersonontheonehand,butontheotherhandalsoaconnectiontothenatural
33
personconcerned,sothatatleastthereferencepointtothenaturalpersonisprotectedbyGDPR.6
Duetotheextremedifficultiesindefiningtheboundaries,wethereforetreatalldomainnamesasif
theywerepersonaldata.
TheprocessingofthedomainnameforDNS(SEC)andapublicWhoisisrequiredfortheexecutionof
thecontractualrelationshipwithinthescopeofArt.6(1)lit.b)GDPRandisthereforepermissible.
bb)Result
Basedontheseuncertainties,alldomainnamesmustbetreatedasiftheyconstitutepersonaldatain
termsofGDPR.This,ontheonehand,specificallycircumventspotentialdelimitationproblems,while
on theotherhandensures sufficientdataprotectionunder theGDPR for eachdomainname. The
domainnamesonDNSserversareequallyaffectedbythis.
b)Reasons
The authorization to process this data follows from Art. 6 (1) lit. b) GDPR, because the data are
compulsoryforcontractfulfillment–registrationandallocationofthedomainnametoaspecificIP
address.
Thelisteddataarecompulsoryfortheregistrytoregisterandconnectthedomain.Registrationand
connectionofthedomainisnotpossiblewithoutreceivingthedomainname.Consequently,thisalso
appliestomaintainingtheallocationofthedomainaswellasprocessingthedomainnameonDNS
servers,theoperationofwhichisalsotechnicallycompulsoryforcontractfulfillment.
3. DatacontrollerWithinthescopeofthesuggesteddatamodel,thequestionarisesastowhotheresponsibleentityis
forprocessingDRL1registrationdata,inparticularbecauseonlyverylimiteddataareforwardedby
theregistrartotheregistryinordertobestimplementtheprincipleofdataminimization.Indetail,the
question arises as towhether joint or separate control exists on the side of the registrar and the
registry,orwhetheraprocessorsituationexists.
6Paal/Pauly;Datenschutzgrundverordnung,Art.4,Rn.5f.;Ehmann/Selmayr,Datenschutzgrundverordnung,Art.4,Rn.11;Gola,Datenschutz-Grundverodnung,Art.4,Rn.22f.
34
a) DefinitionsArt.4no.(7)andno.(2)GDPRController is the person that alone or jointly with others determines the purpose and means of
processing.Processing,inturnis“anyoperationorsetofoperationswhichisperformedonpersonal
dataoronsetsofpersonaldata,whetherornotbyautomatedmeans,suchascollection,recording,
organization,structuring,storage,adaptationoralteration,retrieval,consultation,use,disclosureby
transmission, dissemination or otherwise making available, alignment or combination, restriction,
erasureordestruction”.
b) Jointresponsibility(Art.26GDPRinconjunctionwithArt.4no.(7)GDPR)
JointControllers:DataRiskLevel1
Controller
Theprerequisiteforajointresponsibilityofregistry,registrar,andICANNisthatalljointlydetermine
thepurposesandmeansforprocessing.
aa)Hamiltonopinion
The Hamilton opinion commissioned by ICANN states that, due to the complexity of processing
structures, it is recommended that joint responsibility between ICANN, registrar, and registry be
35
assumed (October 2017 Memoradum gTLD Registration Directory Service and the GDPR, Part 1,
Section 3.7.3). This also results in themost extensive liability, which also sufficiently satisfies the
interestsofsupervisoryauthorities.
bb)Comment
PursuanttoArt.4no.(7)GDPR“controller”meansthenaturalorlegalperson,publicauthority,agency
or other body which, alone or jointly with others, determines the purposes and means of the
processingofpersonaldata;wherethepurposesandmeansofsuchprocessingaredeterminedby
UnionorMemberStatelaw,thecontrollerorthespecificcriteriaforitsnominationmaybeprovided
forbyUnionorMemberStatelaw.
Art.26GDPRspecifiesthejointresponsibilityintermsofspecifyingthemannerinwhichthosejointly
determiningthepurposesandmeansofprocessingshallberesponsible(“JointController”).Decision-
makingpowerconcerningpurposeandmeansofprocessingisdecisivefordeterminingresponsibility.
(i)Distinctionbetweenprocessorandcontroller
Incontrasttojointcontrollers,processorsdonothavefreedomtomakedecisionswithregardtothe
purposesandmeansofprocessing,butactforthecontractorwithadutytocomplywithinstructions.
Insofarastheagentshaveoptionstoselectordesignthepurposeormeansofprocessing,theyare
considered to be controllers jointly with the contractor and correspondingly have additional
obligations.7
Thepurposeof processing is an “expected result that is intendedor guides planned actions”. The
meansofprocessingisthe“typeandmannerinwhicharesultorobjectiveisachieved”8.
Processorsmustbedistinguishedfromjointcontrollersbasedonthefollowingcriteria:
• Apersonthathasnolegalorfactualinfluenceonthedecisionconcerningthepurposesforandmannerinwhichpersonaldataisprocessedcannotbeacontroller.
• Apersonthataloneorjointlywithothersdecidesonthepurposesofprocessingisalwaysacontroller.
• Thecontrollermayalsodelegatethedecisionconcerningthemeansofprocessingtotheprocessoraslongascontent-relateddecisions,e.g.concerningthelegitimacyofprocessing,arereservedforthecontroller.
7KlabundeinEhmann/Selmayr„Datenschutz-Grundverordnung“Art.4marg.no.298Art.29DataProtectionWorkingParty,Statement1/2010of16February2010,p.16,availableathttp://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_de.pdf
36
• Processorsareindependentlegalpersonswhoaredifferentfromthecontrollerandwhoprocessdataonbehalfofthecontroller(s)withoutdecidingonthepurposesofprocessing.9
(ii)Distinctionbetweenjointandco-controller
ItcanalsonotbeassumedthatICANNandthecontractedpartiesareco-controllersfortheprocessing
ofdata,ratherthanjointcontrollers.Aco-controllershipwouldrequiretwoormorepartieswhichare
completelyindependentofoneanother,cooperativelyworkingtogetherintheprocessingofdatabut
fordifferentpurposes.
Asdiscussedbelow,theprocessingofregistrationdataiscoveredbytheoverarchingpurposeofthe
registrationofadomainnamebyallthreepartiesinthisprocess.
(iii)PurposeofArt.26GDPR
The regulation is to primarily serve the protection of the rights and freedoms of data subjects.10
Specifically with regard to complex constellations, a clearer allocation of responsibilities is to be
guaranteedfordatasubjects.Inmorecomplexroleallocations,e.g.intheareaofdomainregistration
withseveraldistributionlevels,thedatasubject’srightofaccessandotherrightsaretobeguaranteed
acrosslevels.11
“Thedefinitionoftheterm“processing”listedinArticle2lit.boftheguidelinedoesnotexcludethe
optionthatdiverseactorsparticipateindiverseoperationsorsetsofoperationsinconnectionwith
personaldata.Theseoperationscanbeexecutedsimultaneouslyorindiversestages.Insuchacomplex
environmentitisevenmoreimportantthatrolesandresponsibilitiescanbeeasilyallocatedtoensure
that the complexityof joint control doesnot result in an impractical divisionof responsibility that
wouldaffecttheeffectivenessofdataprotectionlaw.”12
Recital79GDPRfurthermoreclarifiesthattheregulationistosimplifymonitoringbythesupervisory
authorities.
Thefactualcontrolofthedataprocessaswellascontroloverexternaleffectsvis-à-visthedatasubject
isdecisivewhenreviewingresponsibility.
9Art.29DataProtectionWorkingParty,Statement1/2010of16February2010,p.18,39,40,availableathttp://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_de.pdf10BertmanninEhmann/Selmayr“Datenschutz-Grundverordnung”Art.26,marg.no.111Art.29DataProtectionWorkingParty,Statement1/2010of16February2010,p.27,availableathttp://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_de.pdf12Art.29DataProtectionWorkingParty,Statement1/2010of16February2010,p.22,availableathttp://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2010/wp169_de.pdf
37
Only the registrar appears vis-à-vis the registrant, as it coordinates the complete handling and
maintenanceoftheregistration.Theregistryhandlestechnicalimplementationoftheregistrationand
reviewsspecialrequirementsconcerningregistration(eligibilitycriteria),insofarassuchexist.
Equaldistributionisnotnecessarywhenallocatingresponsibility.
(iv)Setofoperations
Furthermore,processingshouldnotbeartificiallydivided intosmallerprocessingsteps,butcanbe
uniformlyconsideredasasetofoperations.Inthisrespect,datacollection,passingontotheregistry,
reviewandimplementationandongoingmanagementoftheregistrationcanbeconsideredasoneset
of“domainregistration”operations,becauseitpursuestheoverallpurposeofregisteringthedomain
foranewregistrant.
This also applies if diverse agencies pursue different purposes within the processing chain, when
engagedinthedetailofsmallerprocessingstepsonamicrolevel.Onamacrolevel,thesamepurpose
ispursuedoverallwithall small steps in the chain, so that auniformsetofoperations specifically
applieshere(Art.29GroupWP169,p.25).
Differentiation is required when considering the operation of collecting and processing the data
collectedby the registrar from itscustomers inorder tocreatean invoice, tomaintainacustomer
account, and to manage the contractual relationship with its customers. This data fulfils another
purposethatisnotcodeterminedbytheregistry.
(v)Assessment
Registry,registrar,andICANNmustbeassessedasjointcontrollersforthesetofoperationsofdomain
registration (Art. 4 no. (7) GDPR). Due to the factual and legal separation between registrar and
registry,adomainregistrationcanmandatorilybeperformedonlybybothentitiesjointly.
In this respect, itmust be assumed that registrar and registry jointly determine the purposes and
meansof processing that are compulsory for domain registrationoverall. In this respect, both are
responsibleforthissetofoperationspursuanttoArt.4no.(7)and26GDPR.
This also corresponds to the legislative intent to have clear and simple regulations concerning
responsibility in caseofmultiple participants and complexprocessing structures, and toprevent a
splittingofresponsibilitiestoprotectthedatasubjectsinsofaraspossible.
38
PursuanttoArticle1Section1.1oftheICANNbylaws,ICANNhasresponsibility:
“toensurethestableandsecureoperationoftheInternet'suniqueidentifiersystemsasdescribedin
thisSection1.1(a)(the"Mission").Specifically,ICANN:
(i)CoordinatestheallocationandassignmentofnamesintherootzoneoftheDomainNameSystem
("DNS")andcoordinatesthedevelopmentandimplementationofpoliciesconcerningtheregistration
ofsecond-leveldomainnamesingenerictop-leveldomains("gTLDs").Inthisrole,ICANN'sscopeisto
coordinatethedevelopmentandimplementationofpolicies:
• Forwhichuniformorcoordinatedresolutionisreasonablynecessarytofacilitatetheopenness,interoperability,resilience,securityand/orstabilityoftheDNSincluding,withrespecttogTLDregistrarsandregistries,policiesintheareasdescribedinAnnexG-1andAnnexG-2;”
Asalreadystated,ICANNfulfilsthisresponsibilityamongotherthingsbycontractuallyspecifyingfor
thevariousparticipantsthedatawhichmustmandatorilybecollectedandretained.Withthese
legitimateprovisions,ICANNspecifiesapurposefortheprocessingoperationoverallandthus
becomesjointcontrollerinadditiontoregistryandregistrar.
ItshouldbenotedthatICANN´sresponsibilityisunaffectedbythefactthatcertainrequirements
havebeendiscussedbymanystakeholdersorhavebeenacommunityeffort.Suchjointdiscussionor
draftingofcertainpoliciesofrequirementsdonotaffectICANN´sroleastheentityultimately
requiringthecontractedpartiestoactinaccordancewiththepoliciesissuedbyICANN.
(vi)Legalconsequence
Asalegalconsequence,Art.26GDPRreferencesthatthecontrollersreachaclearunderstandingin
particularwithregardtotheirperformanceoftheirdutiesundertheGDPRaswellastheirjointcontrol
andmustdiscloseit.
(1) Liability
Thequestionarisesastohowregistryandregistrarunderjointcontrolareliableforpossiblebreaches
intheprocessingoperation.
39
(2) Datasubject’sclaims
Pursuanttojointresponsibility,thedatasubjectinaccordancewithArt.26(3)GDPRmayasageneral
rulefullyassertitsclaimsvis-à-visallcontrollers,regardlessofthecontractualallocation.
Evenwithacleardistributionof theresponsibilitybetweenthecontrollers,bothare liablevis-à-vis
externalpartiesfortheoverallprocessingoperation.
Inthisrespect,Art.82(4)GDPRmandates jointandmultiple liability forthedatasubject’srightto
compensationandsupplementstheliabilityregulationsofArt.26(3)GDPR.Thefactualresponsibility
maybeadjustedonlyinterpartes.Therefore,havingclearallocationsbetweenthepartiesisevenmore
importantinterpartes.
(3) Fines
However,suchjointandmultipleliabilitydoesnotapplytofinesunderArt.83(4)lit.a)GDPR.Inthis
respect,registryandregistrarareliablepursuanttotheirroleallocationforbreachesintheirareaor
againstdutiesundertheGDPR,whichwereincumbentuponthemwithinthescopeofthecontractual
basis.
(4) Agreement
Jointcontrollersmustfurthermorespecify,inatransparentform,whofulfillswhichdutiesvis-à-visthe
datasubjects,aswellaswhothecontactpointfordatasubject’srightsis(Art.26(1)p.2GDPR).
However,thedatasubject isauthorizedtoaddressanyoftheparticipatingresponsibleagenciesto
assertitsrights,regardlessofthespecificationconcerningcompetence(Art.26(3)GDPR).
TheagreementistoregulatethespecificcontrollersthataretofulfillthedutiesprescribedbyGDPR.
PursuanttoRecital79GDPR,thefollowingmustbespecificallyregulatedinatransparentform:
• howtherelationsandfunctionsofthecontrollersamongeachotheraredesigned,• howrolesaredistributedbetweencontrollerstofulfilldatasubjectrightsofregistrants,• onwhichcontrollerssupervisoryauthoritiesexecutesupervisoryandmonitoringmeasures.
Allcontrollersmustfulfill informationobligations independentlyfromeachother.However,Art.26
GDPRsuggeststhatmultiplecontrollersfulfillinformationobligationscentrally.
(5) Jointcontactpoint
GDPRsuggeststhatajointcontactpointissetupfordatasubjects;however,thisisnotcompulsory.It
issuggestedthatthiscontactpointislocatedattheregistrar,becausetheregistrarmaintainscontact
withtheregistrant.
40
(6) Procedurerecord
Further,pursuanttoArt.30GDPR,eachcontrollermustseparatelylistitsjointcontrollersintherecord
ofprocessingactivities.
cc)Responsibilityforotherdata
Responsibilityforcustomerdatacollectedbytheregistrarmerelyforitsownpurposesliessolelywith
theregistrar.Inthisrespect,nojointdecisionismadeconcerningthepurposesofprocessing.Here,
onlytheregistrardeterminesthepurposeofprocessing.
CantheRegistraradddataelements?
NoinvolvementofRegistry,ICANN,orEscrowAgents
Attheirownrisk
III. DRL1registrarandregistrywitheligibility/nexusrequirements
1. ObligationSpecificrequirementsthatarenecessaryforregistrationundertherelevantTLD(e.g..law,.nrw,.berlin,
etc.)exist.Inthisrespect,thereareTLDswitheligibilityrequirements(e.g..law,.versicherung,.autos,
.organic and .bank) where verification of the admission as an attorney or similar is necessary for
registration authorization under the TLD, e.g. for .law/.abogado. Additionally, there are TLDswith
nexus requirements (e.g. .berlin and .paris), where a geographical reference must be given for
registration authorization under the relevant TLD. Today, there aremore than 200 gTLDs that are
markedas“restricted”.Inthisrespect,additionaldataisnecessaryfortheregistriesinordertoreview
41
theregistrationauthorizationundertheseTLDsorhavethevalidationdonebyavalidationagentacting
ontheirbehalf.
EvenmoredataelementswhichdonotbelongtoDRL1canbeaddedbytheregistry.However,all
registryrequirementsgoingbeyondtheminimumdatasetneedtobeexplicitlyspelledoutintheRRA.
WherenosuchrequirementexistsintheRRA,theregistrarwillnotcollectortransfertotheregistry.
2. Purpose
The purpose of these additional requirements for the registration authorization is to protect the
requirementsoftherelevantTLDsystem.Forexample,onlyadmittedattorneysandprofessionallegal
associations(lawfirms,lawschools,barassociations,andcourts)arepermittedandrecognizedunder
theeligibilityrequirementsfortheTLD“.law”and“.abogado”.Thiscreatesanexclusiveonlinespace
forInternetusersthatpromotestrustintheprofessionallegalassociationandoffersInternetusers
thesecurityoflocatinginformationonrecognisedattorneysandprofessionallegalassociations.
TLDswithnexusrequirementscreateanonlinespaceforInternetusersinwhichtheycantrustthat
therelevantoffershaveageographicalreferencetotherelevantTLD.
The purpose of the respective additional necessary data resides specifically in maintaining the
exclusivityoftheserelevantonlinespacesandofofferingsustainableaddedvaluetoprovidersand
usersoftheseoffersbymaintainingquality.
42
Here, the relevant verification requirements aredependenton the respectiveTLDand the specific
requirementsoftheverification.DuetothemultitudeofTLDsandtheirrequirements,itisnotpossible
heretoenumerateallTLDsandtheiradditionalrequirements forregistrationauthorization ineach
individual case; hence, we can only offer an abstract and generalized illustration for additional
requesteddata.
3. ResponsibilityTheresponsibilityfortheadditionalrequesteddataforverificationoftheregistrationauthorization
lies with the registry because the registry specifies the requirements concerning the relevant
verification.Thisalsoappliestooutsourcingofthereviewofrequirementsspecifiedbytheregistryto
avalidationagent.Becauseevenifthereview,whenusingavalidationagent,isnotperformedbythe
registryitself,itisinanycaseperformedonbehalfofandattheinstructionoftheregistryvis-à-visthe
validation agent. The validation agent in this respect is the processor of the registry in terms of
performingthereviewoftheverificationoftheregistrationauthorization.
When collecting and transmitting the additional requested data, the registrar also acts exclusively
uponinstructionoftheregistry,sothattheregistrarisalsoprocessoroftheregistryforthisadditional
data.Theregistrardoesnothaveitsowninterestsintheseadditionaldataoranydiscretionofitsown
concerningthepurposeormeansofcollectionandtransmissionoftheadditionalrequesteddata.
4. AuthorizationThe registries are authorized to demand all data required to review the registration authorization
pursuanttoArt.6(1)lit.b)GDPR.
Theadditionalrequesteddataisalsojustifiablynecessarydata.Incomparisontothedatarequiredby
ICANNforallregistries,theadditionaldatarequiredherebytheregistriesisjustifiablyrequireddata
because the respective additional required data for the relevant TLDs with eligibility/nexus
requirementsarerequiredspecificallytoperformtheregistrationauthorizationundertheseTLDs.In
the process, these additional requirements specifically fulfill the purpose of creating an exclusive
onlinespaceinwhichprovidersaswellasuserscanprofitparticularlyfromtheexclusivityofthisonline
spaceandtheresultingtrustintherelevantoffers.Therequirementsforadditionaldataaretherefore
fullyjustified.
43
UndertheprincipleofdataminimizationpursuanttoArt.5(1)lit.c)GDPR,contractperformancealso
requires a transmissionof theadditional data requestedby the registry to the same,because this
constitutes a compulsory prerequisite to review the registration authorization. It is not feasible to
outsourcethereviewoftheregistrationauthorizationtotheregistrarinsuchawayastoallowthe
registrar to independently determine themeans and purposes of the collection of the additional
requirements for the registration authorization nor to undertake an independent review of the
additionalrequirementsunderitsownbehestunderdataprotectionlaw,because,inthisrespect,itis
incumbentupontherelevantregistry itself toensuretheexistenceoftherequirementsdemanded
itselffromtheregistrationauthorization.
Furthermore,inthisrespectitisalsonecessarythattheregistryincaseofnotificationofapossible
caseoffraudisabletoreviewtherelevantauthorizationcriteriabasedonthesubmitteddocuments.
IV. DataEscrow
1. ObligationBasedonClause3.6oftheRAA2013,theregistrar(forgTLDs)isobligatedtopassonthedataretained
withregardtotheregistereddomaintoaneutralthird-party(“escrowagent”).Alldatastoredatthe
relevantregistrarshallbecontinuouslypassedon.BasedonClause2.3oftheRAinconjunctionwith
the“specification2”oftheRA,theregistryisobligatedtopassitsownretaineddataontoanescrow
agent.
2. Purpose/necessityICANNisresponsibleforthesecurity,stability,andresiliencyoftheDNS.Tomeetthisresponsibility,
ICANNamongotherthingsimposedthestatedobligationsonthebasisoftheregistry/registrardata
escrow program. This is intended to specifically create a protection for registrars against loss or
unavailabilityofthedomainregistrationdata.
3. RegistrarDataispassedontosafeguardthedomainsystemintheeventthataregistrarfailsduetoanerror,
problem,orpossiblediscontinuationofbusiness.Alossofdomainregistrationsorallocationproblems
inlightofaspecificdomainforacertainperiodistobeprevented(cf.RegisterFly),becausetheclear
allocationisalsocompulsory,nottomentionworthyofprotectionforeconomicreasons.
Thesameappliestotheregistrydataavailableattheregistry.
44
4. AffecteddataTofulfillthepurposeofsafeguarding,itisofcoursenecessarythatallregistrationdataretainedbythe
registrarwith regard to the registereddomains is transmitted to thedesignated thirdparty. In the
presentmodel,thedatacollectedandstoredinDRL1isspecificallyreducedtotheabsoluteminimum
quantitynecessary.Inthisrespect,logically,thetransmissionofallthisdataisalsocompulsoryinorder
toachievethepurposeofsafeguardingintheeventofaloss.Thisappliesequallytothedataretained
bytheregistry.
Inthiscontext,however,itisnotnecessarytotransmitcustomeraccountdataretainedbyaspecific
registrarforitscustomersforhandlingthecontractualrelationshiptotheescrowagent.Intheevent
thataregistrarfails,theretaineddatafromtheescrowagentmustbetransmittedtoICANNoranother
registrar.
5. ResponsibilityAsdescribed,ICANNbearsresponsibilityforthesecurity,stability,andresiliencyoftheDNS.Inthis
respect, ICANNdeterminesthepurposeoftheprocessingoperation“dataescrow”.Theregistrarin
thisrespectimplementstherequirementsofICANNandmerelyhastheinterestoffulfillingitsown
contract vis-à-vis ICANN concerning data transmission to the escrow agent, but has no real own
interestwithregardtosecurityandstabilityofthedomainsystemintheeventofitsfailure.Thisapplies
equallytotheregistry.
Withregardstoregistraraswellasforregistryescrows,escrowagentsasdatacontrollersaretherefore
processorsforICANN.
ItshouldbenotedthatICANNmustonlypassondatareceivedfromtheescrowagenttoagaining
registrarortheEBEROafterhavingverifiedthatthegainingentityisGDPRcompliant.
45
ProcessorController
6. AuthorizationDataforwardingtotheescrowagentrequireslegallegitimacy.Thespecificrequirementsaredeemed
tobelegitimatebecausetherequirementsofICANNvis-à-vistheregistrarandregistryarenecessary
tosafeguardthedomainsystem.Inthisrespect,dataforwardingbytheregistrarandtheregistryto
theescrowagentsisnecessaryforfulfillmentofthecontractandjustifiedthroughArt.6(1)b)GDPR.
V. EBERO
1. Obligation
Asalreadystated,ICANNisresponsibleforsecurity,stability,andresiliencyoftheDNS.ICANNwishes
tomeet this responsibilitywith EBEROs. In caseof emergencyeventsof a registry failure, EBEROs
providethebackendservicesfortheoperationofaTLDoriginallyprovidedbytheregistry.
Inemergencyevents,thedataarchivedbytheregistryattheescrowagentistransmittedtothesame
uponinstructionbyICANNandfromittotheEBERO.
Assoonasandinsofarasanyemergencyeventoccursthataffectsdataofdatasubjectsthatisretained
attheescrowserviceandfallsundertheGDPR,aGDPR-compatibleEBEROisnecessary.
46
2. AffecteddataPursuanttothedatamodelpresentedherebyus,theescrowagentretainsonlythedatadepositedby
theregistryitself(seeabovePartBII.2.).Tofulfillthepurposeofguaranteeingtheoperationofthe
registry,itisofcoursenecessarythatalldatathenretainedattheescrowagentistransferredthrough
ICANN to thedesignatedEBERO. In the suggestedmodel, thedata collectedand stored inDRL1 is
reducedtotheabsoluteminimumquantitynecessary.Inthisrespect,thetransferofallthisdatais
logicallyalsocompulsoryinordertosafeguarditintheeventofafailure/fault.
3. ResponsibilityTheresponsibilitywithregardtoalldatatransferredtothedesignatedEBEROlieswithICANN.The
EBERO in this respectwill also become active at the instruction of ICANN and does not have any
discretionofitsown,sothattheEBEROisactiveasaprocessorofICANN.
ProcessorController
VI. ResellersituationInsofarasthedomainregistrationorderisreceivedbytheregistrarthroughareseller(oramultitude
ofresellers),variousdataprocessingoperationswithvariousresponsibilitiesexist.
47
1. ResponsibilityTheresellercollectsthesamedataattheregistrantthattheregistrarwouldalsocollectdirectly13and
thusinparttakestheplaceoftheregistrar.However,theresellershouldnotandcannotreplacethe
registrarbecauseonly the registrar is accreditedandalso contractually affiliatedwith the relevant
registries.
Accordingly, theresellerenters intotherelationshipwiththecustomer insteadof theregistrarbut
cannotreplaceitwithregardtodomainregistration.Therefore,itmustbequalifiedasaprocessorof
theregistrar.
ProcessorController
a) AccountData
Inthisregard,thecontractualpartner’saccountdataiscollectedbytheresellerinitsowninterestand
forthepurposesofperformingitscontractualrelationshipwiththecontractualpartner.Accordingly,
theresellerhereisthesolecontrollerfordataprocessing.
b) Registrationdata
Theresellercollectsregistrationdatafromtheregistrantforthepurposeofdomainregistration.Inthe
process,theresellercollectssolelythedatanecessaryforregistration.Therelevantregistryandthe
registrardecideuponwhichdataistobecollectedandthereforetheychieflydecideonthepurposes
ofdataprocessing.
13SeeabovePartBII.1.
48
Accordingly,theregistry,theregistrar,andICANNarejointcontrollers,evenincaseswhereresellers
areinvolved.
Joint responsibilitywith theresellerwouldherenotbe in thereseller’sbest interests,becausethe
reseller does not codetermine the purpose of processing but only executes that which the other
participantsrequireinthisrespect.
Theresellercollectsthisdatainsteadoftheregistrarandthusonitsbehalf;intheprocess,itactsonly
upontheregistrar’sinstructionandtransmitsthecollecteddataforregistrationtoit–atransmission
which can only be performed by the registrar. In this respect, the reseller is a processor for the
registrar.
2. Resellerchains
Intheeventofmultipleresellersinsequence,theresellerindirectcontactwiththeregistrantisthe
processor and the registrar is the contractor as described above. The additional resellers utilized
betweenthetwoare thereforesubcontractorsof therespective reseller,becauseallparties in the
chain are merely active pursuant to the original instruction of the registrar with regard to the
registrationdata.
VII. DRL2–Transferofregistrantdatatotheregistry
IntheDRL2category,asdistinctfromthepresentmodelforDRL1,amoreextensivetransmissionof
datafromtheregistrartotheregistrytakesplace.Inthismodel,theregistrymightwishtoreceiveall
theregistrantfields:
RegistrantFields• Name • Organization(opt.) • Street • City • State/province • Postalcode • Country
49
• Phone • Phoneext(opt.) • Fax(opt.) • Faxext(opt.) • Email
Theremaybeotherdata that the registrymay claim tobe able toprocess, basedona legitimate
interest.Here,wehaveusedtheexampleofsecuritycheckstoestablishpatternsofabusive/criminal
behaviorandstabilityoftheDNS.Thelistisofcoursenotexhaustiveandcanbeaddedtoonacase-
by-casebasisasrequiredbytherespectiveregistry,aslongasthecriteriaoflegitimateinterestare
met.
1. Authorization
The data listed here are not data that are obligatory for contract fulfillment under the model
suggested.A justificationofthisprocessingunderArt.6(1)b)GDPRasdatanecessaryforcontract
fulfillmentisthereforenottakenintoconsideration.
ThisdataisthusprocessedbasedonArt.6(1)lit.f)GDPR.
PursuanttoArt.6(1)lit.f)GDPRprocessingisnecessaryforthepurposesofthelegitimateinterests
pursuedbythecontrollerorbyathirdparty,exceptwheresuchinterestsareoverriddenbytheinterests
orfundamentalrightsandfreedomsofthedatasubjectwhichrequireprotectionofpersonaldata,in
particularwherethedatasubjectisachild.
Thepermissibilityofprocessingthereforedependsonthelegitimateinterestsofthecontroller,which
musttakeprecedenceintheprocessofbalancingthedatasubject’sprotectedinterests.
Various purposes are considered by the registries, inwhich a balancing decision of the legitimate
interestsprevailsovertheprotectedinterestsofnon-processing.
a) MitigatingAbuse
Alegitimateinterestoftheregistrytoalsoreceivetheregistrant’sdatalistedabovemayfollowfrom
thefactthatcertainpatternsattheregistereddomainsmustbereceivedforasuccessfulmitigationof
abusewithinthescopeoftheregistrationofdomains.Forthispurpose,itmaybespecificallynecessary
50
thattheregistryreceivedataofallregistrantsfromvariousregistrars.Otherwise,aneffectiveabuse
controlcouldnottakeplace,becausetheindividualregistrarscouldonlyreviewtheirownregistrants’
data for possible abuse. Extensive monitoring and sustainable recognition of patterns would be
impossible.Pursuant toRecital47p.6GDPR, theprocessingofpersonaldata to theextent that is
compulsoryforthepreventionoffraudconstitutesajustifiedinterestoftherelevantcontroller.
Additionally,allregistrieshavevaryinglegalrequirementsandrestrictionsfortheregistrantslaidout
intheirAcceptableUsePolicies(“AUP”).Inmanycases,theregistriesthemselvesaretheonlyproper
partytocontrolandenforcecompliancewiththeAUPunderthelawsoftheapplicablejurisdiction,as
most registrars offer domain name registrations from many different registries, including many
differentAUPandjurisdictions.
b) Centralmanagement
Thecentralmanagementintermsoftheequivalenttoacommercialregister, landregister,orbirth
register,aswellas thepatentand trademark register,mayalsobe regardedasanother legitimate
interest.Insofarastheregistrydesiresthecentralmanagementofthedataofallregistrants,thiscould
bedefinedasacentralmanagementlocationandmanagementofacentralregister.Thisincludesthe
operationofacentralWhois repositoryat theregistry level (notingthat thedisclosureofdatawill
occuraccordingtothestandardsdescribedinPartCofthispaper).
Theregistryasresponsibleentityforthenamespaceoperatedbyitcanalsoassertalegitimateinterest
intheabilitytoallocateandidentifytherelevantregistrantsforwhichitprovidesservicesunderits
remit for the namespace. In the process, central management always also brings with it certain
advantages,e.g.maintainingdataaccuracyinonelocation.Technicalandorganizationalmeasuresto
maintainconfidentialityandintegrityofthisdatamayinthiscasebetakenbytheregistryitselfatits
ownresponsibility.
Thisalsodoesnotcontradictthedataminimizationprinciplestandardized inArt.5 (1) lit.c)GDPR,
because in this respect, theregistry isalso justified in retaining thisdata,basedonthepurposeof
centralmanagementandprocessingofdatabytheregistryaswell.Basedonitsowninterestforcentral
datamanagement, the registry alsohas a legitimatepurpose fordataprocessing thatexceeds the
purposeunderDRL1.
51
c) Securityandstability
The current thick whois system is based on redundancies regarding failure controls. As described
above,thefailureofoneofthecontractedpartiescangenerallybecoveredbythedataescrows,which
istheirsolepurpose.However,incasearegistrarfailstoproperlyescrowitsregistrantdata,asecond
fallbackoption for recovering thisdatacan increase thestabilityandsecurityof thedomainname
systemimmensely.Ifinthiscasethedatahasbeentransferredtotheregistry,itcanactasasecond
safeguardbesidesthedataescrowtoprotecttheregistrants.
Itshouldbenoted,thatthecurrentthickwhoismodelhasbeentheresultofacommunitywidemulti-
stakeholder effort, via the ThickWhoisWorkingGroup, to improve the resiliencyof theDNS. This
community effort also included representatives ofmany if not allmember states of the European
Union via the Governmental Advisory Board and can therefore not be ignored when discussing
legitimateinterest.
d) Result
Asdescribedabove, the legitimate interestsdescribedwithin thisdocumentareonlyexamplesof
common purposes and interests that registries might have, which we believe to be generally
acceptableasalegalgroundforthetransferofdatatotheregistry.Thisdoes,however,notexempt
thecontroller,i.e.theregistry,fromreviewingandevaluatingthelegitimateinterestsintheirindividual
case.
Also,althoughtransferofdatatoregistriescanbebasedonlegitimateinterestsbytheregistry,these
purposesand interests shallnotbeenforcedby ICANN in theirpoliciesand requirementswith the
contractedparties.
2. ResponsibilityTheresponsibilityforcollectionandtransferofthisdatafromtheregistrartotheregistryliesinthis
casewiththeregistry.
Inthisrespect,theregistrarisactiveinthecollectionofthepreviouslylisteddatarecordswithadual
purpose,becauseitreceivesthedataforitselfanditsowncontractfulfillmentontheonehand,but
on the other hand also collects this data at the instruction of the registry. The registrar therefore
collectsthedataatitsownresponsibilityandsimultaneouslyasaprocessorfortheregistry.
52
The informationobligationunderArt. 14GDPR in this respect in particular applies to the registry,
becausethecollectionoftheregistrants’dataisnotdirectlycollectedbytheregistrybutthedatais
collectedbytheregistrarandtransferredtotheregistry.
3. RiskIntheprocessingofpersonaldatabasedonabalancingdecisionunderArt.6(1)lit.f)GDPR,thedata
subjectisentitledtoarighttoobjectpursuanttoArt.21GDPR.Art.21GDPRrequires“groundsrelating
tohisorherparticularsituation”fromthedatasubjecttoexerciseitsrighttoobject.
Therequirementsthataretobeplacedtothespecialsituationarecurrentlynotforeseeable.However,
it now already follows from the formulation “particular situation” that in comparison to other
constellations,significantlyhigherrequirementswillbeplacedundertheGDPR.
Whenassertingsuchaparticularsituation,theresponsibleentitythengenerallymuststopprocessing
thepersonaldataunlessitcanverifycompulsorygroundsworthyofprotectionforprocessing,which
outweigh the interests, rights,and freedomsof thedata subjector serve toprocess theassertion,
exercise,ordefenseoflegalclaims.
4. Conclusion
Thecollectionofdataby theregistrarand forwardingto theregistrypursuant toDRL2takesplace
exclusivelyandtotheextentasprovidedbytheregistry,subjecttothejustifiedinterestintheRRA.
Thisistogivetheregistrartheopportunityofreviewingtheplausibilityofajustifiedinterest.
If theregistrydoesnotspecifyparticularrequirements inthisrespect, theregistrarmuststopdata
processing. Iftheregistrar isoftheopinionthattheinformationconcerningjustifiedinterest isnot
sustainable,registryandregistrarmustclarifythisbywayofnegotiation.Ifajustifiedinterestexists
onthesideoftheregistry,data isprocessedbytheregistrar infulfillmentofthecontractwiththe
registry,i.e.theRRA.
Under no circumstances should the processing of data be specified or enforced pursuant to this
regulationbyICANN.
53
VIII. DRL3–Datacollectedbasedonconsent
Evenwithregardtodataminimizationandthedatamodeldescribedabove,theremaybeaspecific
interestforregistriestoobtain(anddisclose)personaldatainexcesstothedescribeddatasets,e.g.
someregistrantsmaywishtopublishtheirdatainapublicWhoisdirectorytoincreasetrustintheir
services.Suchspecial interestsbyregistries(orotherparticipants)canonlybelegitimizedbasedon
consentbythedatasubjectsasalloftheprovisionsmentionedabovedonotapply.
SuchdataprocessesarealwayspossibleincaseavalidconsentasrequiredbyGDPRiscollectedfrom
thedatasubject.
PartC–DisclosureofData
Mostregistriesoperateaso-calledThickWhois.While,fromatechnicalpointofview,thismodelisto
bemaintained,fewerdatafieldsarepopulatedand,unlesstheregistrydefinesspecialrequirements,
thedataof the registrant is alsonotpassedon to the registry. Therefore, thequestion is towhat
recipientrequestsforinformationaretobeaddressedandhowsuchrequestscanbeanswered.As
alreadydiscussed,allprocedures relating to theprocessingofpersonaldatamustcomplywith the
principleofdataminimization.Thus,aregistrywouldonlybeabletoprovidelessdatainthecontext
ofaWhoisserviceofsomekindthanaregistrar.
Inordertoallowfortheconsistentprovisionofinformation,informationfromdifferentsourcesshould
becompiledbymeansofRDAP(delegatedWhois).Furthermore,itneedstobeclarifiedthat,evenat
this point, registries and registrarsmight havemore information than they provide via theWhois
service.However,disclosureaccordingtothispaper,wouldonlygoasfarasrevealingtheregistrant
datafieldsascurrentlyshowninthepublicWhois.Thatmeansthatdataofaprivacyorproxyservice
willbeshownwheretheregistrantusessuchservices.Disclosurebyprivacyorproxyserviceswould
bebasedontheprinciplesappliedtodayandremainunaffected.
Inaccordancewiththisprinciple,itisexaminedwhichinformationmayberetrievedpubliclyorinthe
contextof inquirers informing themselves andwhich informationmustbe subjected toa separate
54
assessmentbeforebeingreleased.Furthermore,wewould liketopointoutthatthetermWhois is
usedbothfortheWhoisprotocolandtheWhoisdata.Inthecontextofthispaper,weusetheterm
merelywithregardtothedata,since,asatechnicalvehicle,RDAPispreferablefortheprovisionofthe
dataovertheWhoisprotocol.
GiventhattheWhoisservesasaglobaldatabase,theinternationaltransferofdataundertheGDPR
isoffundamentalimportanceformanypotentialdisclosureprocesses.Againstthisbackground,itis
importanttounderstandthateachtransferofWhoisdataoutsidetheEEArequiresitsown,separate
legalbasisinadditiontothelegalbasisfortheprocessingofpersonaldata.Inotherwords:Havinga
legalbasisfortheinternationaldatatransferdoesnotsubstitutetherequirementofalegalgroundfor
thedataprocessingitself.
Please do also note that Chapter 5 of the GDPR provides only potential legal grounds for the
international transfer of data by entities like registries, registrars, private stakeholders or non-law
enforcementauthorities.Theregulationdoesnotapplytotheprocessingortransferringofpersonal
data by law enforcement agencies.14 This is rather regulated by the European Directive on the
protectionofnaturalpersonswithregardtotheprocessingofpersonaldatabycompetentauthorities
forthepurposesoftheprevention,investigation,detectionorprosecutionofcriminaloffencesorthe
executionofcriminalpenalties.15
TheEWGfinalreporthasestablishedalistofWhoisusersandtheirrespectiveinterestsinaccessing
Whoisdata16.ThegTLDRegistrationDataflowMatrixandInformationdocumentalsolistsusersand
usecases17,allofwhichhavebeenreviewedbythedraftingteamofthispaper.However,asoutlined
above,requestsforinformationfromallthoseusergroupsrequirealegalgroundfortheproviderofa
Whoisdatabasefordisclosure.Inthispartofthepaper,wefirstpresentthatapubliclyaccessiblewhois
directorycannotbejustifiedundertheupcomingGDPR(I.).Inasecondstep,thecriteriafordisclosure
fordifferentpurposesaretobeexamined(II.),followedbythanalysisofthelegalrequirementsfor
internationaldatatransfer(III.).Afterdevelopingaprocedureforhandlinginformationrequestsand
14SeematerialscopeoftheGDPRaccordingtoArt.2(2)d.15Directive(EU)2016/680oftheEuropeanParliamentandoftheCouncilof27April2016.16ICANN:EWGfinalreportongTLDDirectoryServices,p.21.17ICANN:DraftdTLDRegistrationDataflowMatrixandInformation.
55
disclosureofWhoisdata inpractice(IV.),wefinally provideaproposalforaTrustedDataClearing
Houseforthedomainindustry(V.).
I.NoJustificationforaPublicWHOISundGDPRAlreadyunderthecurrentEuropeanlegaldataprotectionframework,therearedoubtsastowhether
ornotthepublicationofpersonaldataofdomainownersviaapubliclyaccessibleWHOISdatabaseis
admissible.However,oncetheGDPRcomesintoeffectinMay2018,itwillhavetobeassumedthat
theWHOISdatabaseswillnotbeabletocontinuetoexistintheircurrentform.18
1. LegallyIneffectiveConsentSection3.7.7.5,theRAA2013requiresthattheregistrantmustconsenttothedataprocessingalso
including thepublicationofWhoisdata.However, thereare significantdoubtsas towhether such
consentwillstillbeabletobeconsideredlegallyvalid.
AccordingtoArt.4no.11GDPR,consentofthedatasubjectmeans
“anyfreelygiven,specific,informedandunambiguousindicationofthedatasubject’swishes
bywhichheorshe,byastatementorbyaclearaffirmativeaction,signifiesagreementtothe
processingofpersonaldatarelatingtohimorher”.
Inaddition,Art.7(4)GDPRfurtherstatesthat,
"whenassessingwhetherconsent is freelygiven,utmostaccountshallbetakenofwhether,
interalia,theperformanceofacontract,includingtheprovisionofaservice,isconditionalon
consenttotheprocessingofpersonaldatathatisnotnecessaryfortheperformanceofthat
contract."
This provision prevents that data controllers withhold or offer a degraded version of service for
subjectswhorefuseor(later)withdrawconsent.Consentbasedonthecontractualobligation(Section
3.7.7.5,theRAA2013)willthereforenotbevalid.
18 cf. Nygren/Stenbeck, gTLD Registration Directory Services and the GDPR - Part 1, p.10 ff.;Voigt/Pieper,ImpactoftheGDPRregardingWHOISsystem,p.3etseqq.
56
2. NoJustificationunderStatutoryLawLikewise,noneofthestatutorylegalgroundsoftheGDPRisabletojustifytheWhoisdirectoryinits
currentform,inwhichalldataismadeavailableonlinetothegeneralpublic.
The publication of data in a freely accessible directory is not necessary for the performance of
contractualrelationbetweentheregistrantandtheregistrar/registrysothatajustificationunderArt.
6(1)lit.b)GDPRisnotpossible.
Furthermore,contrarytowhatisthecaseforpublictrademarkandcommercialregisters,thereisno
specific legal basis legitimizing or even requiring the operation of a public domain directory. The
coordinationofinternetcommunicationand,therefore,alsoofdomainregistrationhasalwaysbeen
performedonthebasisoflegalrelationsbetweenprivateindividuals.Thisiswhyapublicregulatory
framework,whichwoulde.g.alsorequireapublicdirectory,doesnotexist.Consequently,itcannot
bearguedthatapublicWhoiscanbejustifiedunderArt.6(1) lit.e)GDPR.Thedefinitionofpublic
interests is also subject to legislative action, which has not taken place in relation to a publicly
accessibleWhoisdata.
Ultimately,thecurrentpublicWHOISdirectorywillalsonotbeabletobejustifiedonthebasisofArt.
6 (1) lit. f) GDPR. The circumstances described therein require a weighing of the interests in the
respectivedataprocessingontheonehandandtheinterestsofthedatasubjectontheotherhandon
acase-by-casebasis.Itistruethatthereareavarietyofreasonswhycertainauthorities,individualsor
groupsofindividualshaveprofoundinterestinaccessingWhoisdata,thereforejustifyingdisclosure
(e.g.foridentificationofapersonwhohasregisteredacertaindomain)undertheGDPR.19However,
theseindividualinterestsdonotjustifythepublicationofpersonaldatainapubliclyaccessibleWhois
directory,sincethepublicationisnotnecessaryforotherpurposesortopersonsotherthantheholder
ofalegitimateinterest.
19 cf. in this regard ICANN: EWG final report on gTLD Directory Services, available at:https://www.icann.org/en/system/files/files/final-report-06jun14-en.pdf; ICANN: Draft dTLD RegistrationDataflow Matrix and Information, available at: https://www.icann.org/en/system/files/files/gdpr-dataflow-matrix-whois-11sep17-en.pdf.
57
Forthesereasons,aclosedWhoissystemwhichcanbeaccessedinindividualcasesonly(namelyif
disclosurecanbejustifiedunderdataprotectionlaw)and/orfromwhichinformationisprovidedin
individualcaseswillberequiredoncetheGDPRentersintoeffect.Compliancewiththeprovisionsof
theregulationisparticularlyimportantforanyproviderofaWhoisdatabase,asviolationssuchasnon-
justifieddisclosurecancausesignificantfinestobeimposedbydataprotectionauthorities.
II.LegalGroundsforDisclosureofRegistrationDatato3rdPartiesTherearedifferentgroupsof3rdpartieswhichmayhaveaninterestinthedisclosureofregistration
data.DisclosurethroughdatatransferisatypeofdataprocessingwithinthescopeofArt.4no.(2)
GDPR.InthecontextofdisclosureofWhoisdata,Art.6GDPRexhaustivelynamestheprerequisites
underwhichtheprocessingofpersonaldatashallbelawful.IntherelevantcontexthereArt.6(1)lit.
b),c)andf)GDPRarecrucial.Inthisregard,itmakessensetodistinguishbetween3rdpartiesfrom
thepublicandtheprivatesector,respectively,asdifferentlegalgroundshavetobeconsidered.
1. Art.6(1)lit.b)GDPR-PerformanceofaContract–(PrivateSectorOnly)
AccordingtoArticle6(1)lit.b)GDPRdisclosurecanbejustifiedwhere
"processingisnecessaryfortheperformanceofacontracttowhichthedatasubjectisparty
orinordertotakestepsattherequestofthedatasubjectpriorenteringintoacontract."
Thecontractualbasisofdomainregistrationalsocontains,interalia,provisionsthatsubjectregistrants
to certain conflict resolution regimes aiming to avoid and to resolve potential conflictswithin the
domainnameregistrationecosystem.Onlythosedomainnamescanberegisteredandtheregistration
of domain names can only be retained if there is no violation of third party rights. To the extent
necessaryfortheassessmentofpossiblelegalconflictsrelatedtothedomainnames,dataprocessing
including disclosure of personal data - can therefore be seen as being admissible under the
performance of a contract clause. This especially concerns these following two programs that are
includedinthecontractualrelationshipbetweentheregistrantandtheregistrar/registry:
• UniformDomainNameDisputeResolutionServiceforGenericTop-LevelDomains(UDRP)
• UniformRapidSuspensionSystem(URS)
58
Totheextentthatthedisclosureofpersonaldataisrequiredwithintheseprocedures,inparticularfor
thepreparationofclaimsorinquiriesbyanyonewhocrediblydemonstratestohavealegalposition
subjecttotheseprograms,WhoisdatamaybedisclosedonthebasisofArt.6(1)b)GDPR.20
2. Art.6(1)lit.c)GDPR(PublicSectorOnly)
Disclosure ofWhois data is further justified under Art. 6 (1) c) GDPR to the extent necessary for
compliancewithalegalobligationtowhichthecontrollerissubject.Art.6(1)c)GDPRitselfdoesnot
constitutealegalbasisfordataprocessing,butinsteadrequiresalegalobligationinthelawsofthe
EUortheMemberStates.21Fromthis,itcanbeinferredthatlegalprovisionsofthird-partycountries
whichhavenotbeenadoptedbytheEUortherelevantMemberState,forexamplebytransforming
internationaltreatiesintonationallaw,cannottriggeranylegalobligationwithinthescopeofArt.6
(1)c)GDPR.Therefore,adisclosurerequestsofpublicauthoritiesofnon-EUstatescannotbejustified
onthebasisofArt.6(1)c)GDPR.Foreignauthorities,however,mayrequestpersonaldataofEUdata
subjectsfromEuropeanlawenforcementagencies.Theseagencieswouldthenhavetocheckwhether
thereisalegalbasisavailablethatallowsdatatobepassedontotheforeignauthority.22Duetothe
globaldomainnamesystemandthefactthatnon-Europeanlawenforcementauthoritiesalsohave
interestsinregistrationdata,which,atleasttheoretically,mightalsocontaindataofEUcitizens,this
constitutesatremendouschallengetotheproperdesignofaconsistentdisclosureprocess.
Theterm"legalobligations"inthemeaningofArt.6(1)lit.c)GDPRdoesnotnecessarilyrequireanact
ofparliament.23Differentkindsofsubstantivelawprovisionscanbeconsideredassufficientlegalbasis
forprocessingofdata(e.g.regulationsandstatutesonthebasisofwhichpublicauthoritiessuchas
lawenforcementauthoritiesorfinancialauthoritiesaregivencompetencesorinvestigativerights).As
ageneral rule,however, thesestatutoryprovisionsmustnot fall shortof thedataprotection level
guaranteedbytheGDPR;withtheexceptionofcaseswheretheGDPRitselfprovidesforlimitationsof
the relevant rights to private life and data protection arising from Art. 7 and 8 of the Charter of
FundamentalRightsoftheEuropeanUnion.SuchanoptionforpossiblelimitationsisprovidedbyArt.
23 GDPRwhichmentions, inter alia, national and public security or the prevention, investigation,
20Pleasenotethatthislegalassessmentdoesnotconcernthequestionofwhethersuchanagreementcanbelegallyvalidlyagreedbetweentheparties,butrelatessolelytoquestionsofEuropeandataprotectionlaw.21Recitals40and45.22Pleasenotethatalsotheprovisionsforinternationaldatatransfersapply(seebelowIII.).23TherequirementsforthelegalbasisarespecifiedinRecital41;withregardtotheprinciplesofArt.5(1)aGDPR(lawfulness,fairnessandtransparency),theexplanationsinRecital39aretobetakenintoconsideration.
59
detectionorprosecutionofcriminaloffencesandtheexecutionofcriminalpenaltiesaswellasthe
protection of other important objectives such as taxation matters or social security. Provisions
regardingthedataprocessingbyauthoritiesforthepurposeofpreventing,investigating,detectingor
prosecuting criminal offences as well as for the execution of criminal penalties are regulated in
Directive(EU)2016/68024.Legalbasisinthisregardwouldbetherespectiverulesundernationallaws
ofthememberstatestransformingtheprovisionsoftheDirectiveintonationallaw.
Art.6(3)GDPRprovidesacatalogueofcriteriawithregardtotheproperdesignoftherequiredlegal
basis. These criteria can be used as a guideline for the assessment ofwhether or not a provision
satisfiestherequirementsfora“legalobligation”withinthescopeofArt.6(1)lit.c)GDPR.
Theprovisionshouldspecify
● whichgeneralconditionsgovernthelawfulnessofprocessingbythecontroller,● whichtypesofdataaresubjecttoprocessing,● whichdatasubjectsareconcerned,● towhichentitiesandforwhatpurposesthepersonaldatamaybedisclosed,● whichpurposelimitationthedataissubjectto,● howlongdatamaybestoredand● whichprocessingoperationsandproceduresmaybeused.
Whether and to what extent processing is necessary depends on the purpose for which data is
processed.Therefore,thelegalobligationmustpreciselyspecifythepurpose.25
Itis,ofcourse,notadatacontroller´sobligationtorevieweverypossiblelegalbasisforcompliance
with these requirements.However, theoutlined standardsprovidevaluable indicationsas towhat
standardsinformationrequestsformgovernmentagencieshavetomeet.
For the operationalization of requests from public authorities, we recommend to check for the
followingformalcriteria:
24Directive(EU)2016/680oftheEuropeanParliamentandtheCouncilof27April2016ontheprotectionofnaturalpersonswithregardtotheprocessingofpersonaldatabycompetentauthoritiesforthepurposesoftheprevention,investigation,detectionorprosecutionofcriminaloffencesortheexecutionofcriminalpenalties,andonthefreemovementofsuchdata,andrepealingCouncilFrameworkDecision2008/977/JHA.ThisdirectivewaspassedtogetherwiththeGDPR,however,itisnotapplicabletoactivitiessubjecttoUnionlaw(Art.2(3)bGDPR).SincepublicsecurityisnotgovernedbyUnionlaw,therightsofdatasubjectsmayonlybelimitedbyEUprovisionsoutsidethescopeofpublicsecurity.25Cf.Recital41;alsoconsiderRecital45,pursuanttowhichalawcanalsobethebasisforseveralprocessingoperations.
60
● therequestingorganizationorauthoritywouldhavetoelectronicallysubmittherequestonaletterheadofitsorganizationshowingwheretherequestforinformationcomesfrom.
● therequestmustshowwhichauthorizedrepresentativehassignedtherequestandhowsaidrepresentativecanbecontactedbytelephoneoremail.
● therequestmustbesigned.● thelegalbasismustbespecifiedfromwhichtherighttoaccessWhoisdatacanbeinferred.● Itmustbeaffirmedthatthedatawillonlybeviewedandusedinthecontextofthestatutory
competencesoftherespectiveorganizationorpublicauthority.
3. Art.6(1)lit.f)GDPR–LegitimateInterests(PrivateSectorOnly)
Insomecases,thedisclosureofWhoisdatamayalsobejustifiedundertheGDPRdueto“legitimate
interests”.AccordingtoArt.6(1)f)GDPR,disclosureofdatacanbejustifiedwhere
"processingisnecessaryforthepurposesofthelegitimateinterestspursuedbythecontroller
or by a third party, except where such interests are overridden by the interests or
fundamental rightsand freedomsof thedatasubjectwhich requireprotectionofpersonal
data,inparticularwherethedatasubjectisachild"
Withregardtotheinformationrequestsfromforeignauthorities,therearenodifferencescompared
tothesituationunderArt.6(1)lit.c)GDPR.Disclosureofinformationtoforeigncountryauthorities
cannotbejustified.Recital47oftheGDPRclearlystatesthatdataprocessingofthepublicsectormust
notbebasedonlegitimateinterestsbutonalegalbasisunderArt.6(1)lit.c)GDPR:
"Giventhatitisforthelegislatortoprovidebylawforthelegalbasisforpublicauthorities
to process personal data, that legal basis should not apply to the processing by public
authoritiesintheperformanceoftheirtasks."
Nothingdifferentcanapplytoforeignauthorities.Otherwiselowerdataprotectionstandardswould
apply to foreign authorities than to authorities of the EU or EU Member states. It is up to the
competentlegislatorstoprovidelegalgroundsforjustifyingdisclosureofdatatoforeignauthorities.
Only within the limited scope of Article 49 (1) lit. d) GDPR, where international data transfer is
necessaryforimportantreasonsofpublicinterest,disclosuretoforeignpublicauthoritiesbejustified
underlegitimateinterests(seebelowPartCIII2).
61
a)"LegitimateInterests"
Hardlyanyindicatorscurrentlyexistastohowtheundefinedlegaltermof“legitimateinterest”willbe
interpreted by data protection authorities and courts after the entry into force of the GDPR. The
regulationitselfdoesnotcontainadefinitionofthistermandprovidesonlyveryfewindicationson
whichinterestsmaybedeemedtobe“legitimate”.However,severalreferencesspeakforthefactthat
abroadinterpretationofthetermcanbeassumed.Restrictions,proposedinthelegislativeprocess,
havenotbeenreflectedinthefinaldraft26.Recital47furthermorementionscustomerrelationsand
theservicerelationshiponlyasexamplesforlegitimateinterests(“e.g.ifthedatasubjectisacustomer
ofthecontrollerorinitsservice”)andthusleavesabroadmarginforinterpretation.Thecharacterof
Art.6(1)lit.f)GDPRasa"catchallelement"alsospeaksforabroadunderstandingoftheterm.Against
thisbackground,allinterestsincludingfactual,economic,andimmaterialinterestscanbedeemedto
be“legitimate”.
Themain purpose of any data processing operation in connectionwith domain registration is the
provision of the services associated with domain registration within the scope of the contractual
relation.However,theactivityoftheenterpriseparticipatingindomainregistrationcannotbereduced
tothissingularpurpose.Rather,theregistrationofdomainsisaservice,which-jointlywiththeservices
ofothercompanies-guaranteestheoverallfunctionalityoftheInternet(namelyconveyingcontent
available in theWorldWideWeb). The special roles of registrar and registrywithin this technical
ecosystemisalsoreflectede.g.inthefactthattheyaresubjecttocertaindutiesasoperatorsofcritical
infrastructures.27Theactivityofregistryandregistrar-inthislight-alsoservesotherpurposesbeyond
themeredomainregistrationforcustomers,inparticularalsowithregardtothefunctionalityofthe
technical infrastructure as such. Registrar and registry therefore also have to a certain extent a
regulatory function, which for example may include participation in the prosecution of legal
infringementscommittedunderusageofthisecosystem.Againstthisbackgroundwewouldconsider
processing of data for the purpose of maintaining security measures or technical analysis (also
operatedbythirdpartyproviders)as likely(dependingontheindividualcase)beingjustifiedunder
Art.6(1)lit.f)GDPR.
26cf.Voigt/Pieper:ImpactoftheGDPRregardingWHOISsystems",p.11etseq.27cf.e.g.inGermanlawSec.5oftheCrisisDirectiveoftheGermanFederalOfficeofSecurityinInformationTechnology,BSI-KritisV,implementingDirective2008/114/EC
62
b)BalancingofInterests
However,thirdpartyinterestsindataprocessingmustbebalancedagainsttheinterestsofthedata
subject.Thepersonalrightsofthedatasubjectaswellastheeffectsforthedatasubjectarisingfrom
thisprocessingoftherelevantdataisthestartingpointofthebalancingofinterestwithinthescope
ofArt.6 (1) lit. f)GDPR,which iscontrastedby the interestsof the thirdparty in thespecificdata
processing.Toputitinanutshell:Themoresubstantialtheinterestofthethirdparty,themorelikely
disclosurecanbejustified.
However,statingthatthereisageneralinterestforapubliclyaccessibleWhoisdatabaseconsidering
theroleregistriesandregistrarsareplayingforthefunctioningofthe internet(asoutlinedabove),
wouldbeatoobroadinterpretationofthelegitimateinterestclause.InitsinterpretationofArticle7
ofthecurrentDirective95/46/ECthatalsoincludesalegitimateinterestclause,theArticle29Data
ProtectionWorkingPartymadequiteclearthatonlythoseinterestmaybejustifiedthatcanbe
formulatedinasufficientlyconcretemanner,asalackofconcretenesshindersanybalancingof
interests.
"An interestmust be sufficiently clearly articulated to allow the balancing test to be
carriedoutagainsttheinterestsandfundamentalrightsofthedatasubject.Moreover,the
interestatstakemustalsobe'pursuedbythecontroller'.Thisrequiresarealandpresent
interest,somethingthatcorrespondswithcurrentactivitiesorbenefitsthatareexpected
intheverynearfuture.Inotherwords,intereststhataretoovagueorspeculativewillnot
besufficient."28
AlthoughthisopinionwasformulatedinviewofthecurrentDirective,thisinterpretationislikely
toalsoapplytotheinterpretationofArticle7(f)oftheGDPR,astherehasbeennochangeinthe
needforabalancingtest.
AnimportantindicatorforhowtobalanceinterestsfollowsfromRecital47p.1,3.Accordingtoit,a
balancing of interestsmust also consider whether a data subject at the time of collection of the
28Article29DataProtectionWorkingParty:WP2017,p.24.
63
personaldataandinlightofthecircumstancesunderwhichitwascollectedcanreasonablyforesee
thataprocessing for thispurposewill possibly takeplace. This generally limits thepossibilities for
justificationofdataprocessingactivitiesbasedonArt.6(1)lit.fGDPR.Althoughitwillnotbepossible
toclarifytheexpectationsthatweretiedtodataprocessinginthespecificindividualcase(sothatan
objectifyingconsiderationoftheseexpectationsmusttakeplace)itfollowsfromthisthatprocessing
cannotbe justified if it takesplace forpurposes thatwerenot foreseeableby the registrantupon
registrationofthedomain.AlthoughtheexistingpublicWhoisisbasedontheregistrant'scontractual
consent,itcanbearguedinthiscontextthatregistrantsknowaboutpublicdisclosure(atleastofparts
of) registrant data and therefore must assume that personal data provided when registering the
domainwillbemadepubliclyaccessible.
TheGeneralDataProtectionRegulationitselfprovidesfurtherindicationsastowhichinterestscan,in
principle,bedeemedtobejustified.Art.21(1)GDPRexpresslystatestheestablishment,exercise,or
defenseoflegalclaimsasjustificationfordataprocessingdespiteanobjectionofthedatasubject.In
thecontextofArticle21(1)GDPR,however,itisreferredtodataprocessinginthecontextofadata
controller´sownclaimsandresponsibilities.However,fromthisstandarditcanalsobeinferredthat
Europeandata protection law considers data processing in the context of legal claims as interests
worthyofprotection.Thislegalvaluationevenappliestothetransmissionofdatatonon-European
countries,Art.49(1)lit.e)GDPR(seebelowPartCIII1).Thismustalsoaffectthebalancingofinterests
withinthescopeofArt.6(1)lit.f)GDPR.
c)NecessityofDataProcessing
Asageneralrule,disclosureofregistrantdatato3rdpartiescanonlybejustifiedtotheextentthatitis
necessaryforthefulfillmentoftherespectivelegitimateinterest.Thisprincipleof"necessity"limits
theextentofdatadisclosuretotheminimalmeanswithwhichthepurposeofdataprocessingcanbe
reached.AnydataprocessingexceedingthisextentcannotbejustifiedunderArt.6(1)lit.f)GDPR.For
thisreasonalone,arestrictionofthedisclosureoftheWHOISdatatothedatacontainedinDRL1is
necessary. Further limitations may be necessary depending on the individual interest in data
processing.29However, thedataprovided inthissetofdata isatthesametimerequiredasabare
minimumtoensurethefulfilledofthelegitimateinterests.30
29Formanythirdpartyinterests,identificationofregistrantswillbesufficient.Thereforeitcanbearguedthatemailaddresseswouldhavetoberemovedfromthedatabeingdisclosed,cf.Voigt/Pieper,ImpactoftheGDPRregardingWHOISsystem,p.3etseqq.30FordetailsonDLR1PartBII.above.
64
d)RighttoObject,Art.21GDPR
UnderArt. 21GDPR, everydata subject is entitled toobject at any timeagainst theprocessingof
personaldatabasedonArt.6 (1) lit. f)GDPRongrounds relating tohisorherparticular situation.
However,thespecific legalmeaningof“particularsituation”remainsopen.Therecitalsalsodonot
contain any further indications.However, itmust be assumed that only atypical constellations fall
underthisclause.Fordatacontrollershowever,theregulationmeansthatitmusttakemeasuresto
ensurearesponsetotheobjectionofadatasubjectintheindividualcaseandthatthisdataisdisclosed
only if (i) compelling legitimategrounds for theprocessingwhichoverride the interests, rightsand
freedomsofthedatasubjector(ii)fortheestablishment,exerciseordefenseoflegalclaims(ofthe
controller).However,theatypicalconstellationsthatauthorizeanobjectionintheindividualcaseand
thecompulsorygroundsworthyofprotectionthatintheindividualcasejustifythedisclosureofdata
issubjecttoacase-to-casereview.
e)Legitimate3rdPartyInterestsforDisclosureofWhoisData
Againstthebackgroundofthelegalstandardsoutlinedabove,itcanbeassumedthatthebalancingof
interestswilltypicallyjustifydisclosureofWhoisdatainthefollowingcontexts:31
3rdpartygroup 3rdpartyinterest CriteriaforDisclosure Datatobedisclosed(IPR)AttorneysRightholders andTrademarkAgents
Legal action against(IP)lawinfringements
• proof of admission tothebar
• credibledemonstration of lawinfringement relatedtoacertainDomain
DRL1
Consumer ProtectionAssociations
Legal Action againstconsumer protectionlawinfringements
• proof of entitlementto prosecution ofconsumer protectionlawinfringements
• credibledemonstration ofconsumer protectionlaw infringementrelated to a certaindomain
DRL1
CertificationAuthorities
VerificationofDomainOwnership
• proof of operation ofcertification services
DRL1
31 Cf. in this regard also Voigt/Pieper: Impact of the GDPR regarding WHOIS systems", p. 16;Nygren/Stenbeck,gTLDRegistrationDirectoryServicesandtheGDPR-Part1,p.13;;Nygren/Stenbeck,gTLDRegistrationDirectoryServicesandtheGDPR-Part3,p.8etseq..
65
(orknowncertificationauthority)
• proof for request forcertification byRegistrant
Althoughweseestrongargumentsthatdisclosurecanbejustifiedintheabovementionedcontexts,
thisdoesnotnecessarilymeanthatacontrolleratthesametimeisunderanobligationtodoso(e.g.
registrarsmaychoosetotakedownawebsiteratherthantodiscloseregistrantdata).
Finally,weshouldnotethatthelimitationsimposedbyGDPRwillhavesignificantimpactoncompanies
andindividualsworkingonsafetyandsecurityissues.TheselimitationsshouldbediscussedwithDPAs
withthegoaloffindingsolutionsthatallowforefficientworkonITandnetworksecurity.
4. Otherrequests
With regard to third party requests, the justifications for disclosure of data outlined above are
exhaustive.Anyotherthirdpartyrequests,suchasgeneral inquiriestotheregistrantcannot justify
disclosureofregistrantdata.Itisthereforeadvisablethatregistrarsoffereitherananonymizedemail
addressfortheregistrantsviaawebinterfaceorawebformwheremessagesfortheregistrantscan
beenteredandwillthenbeforwardedtotheregistrant’semailaddresstoensureanonymity.
5. Note:DataSubject´sRights,Art.12etseq.GDPR
GDPRalsocontainsanumberofsocalleddatasubject´srights.Inparticular,itmustbeensuredthat
theperson,whosepersonalisbeingprocessed(i.e.inparticulartheregistrant)receivesinformation
abouthispersonaldataprocessedbythedatacontrolleronrequest,Art.15GDPR.Furtherdatasubject
rightsrefere.g.tothedeletion(Art.17GDPR)orrectification(Art.16GDPR)ofdata.Consequently
registriesandregistrarsmustensurecorrespondingprocedures.Themostconvenientwaytoprovide
thosefunctionswithinprotectedcustomerareas.
6. Disclaimer
ThelegalrequirementsfordisclosureofWhoisdatadescribedaboveexclusivelyrefertotheprovisions
oftheGDPR.Pleasenotethattheremightbeadditionallimitationsofwhatdatacanbedisclosedunder
nationallawsacontractedpartymightbesubjectto.Theotherwayaround,lawsofnon-EUmember
states may entail legal obligations for disclosure of data (e.g. for criminal law enforcement). The
resulting conflicts between thedifferent legal systemsarenotpart of the legal assessment in this
paper.
66
III. InternationalTransferofDataAsnotedabove,furtherlegalrequirementsapplytodisclosureof(Whois-)dataincasedataisbeing
transferredoutsidetheEEA.Asthecurrentdataprotectiondirective,theGDPRstipulatesasetofrules
forinternationaldatatransferstoensureanadequatelevelofdataprotection,evenifdataisbeing
transferredabroad.Theserequirements(Articles44et.seq.GDPR)apply inadditiontothegeneral
rulesonthelawfulnessofdataprocessingassuch(esp.Article6GDPR,seePartCIIabove).Thismeans
inpractice,onceprocessingofdata(inthiscase:disclosure)canbejustifiedunderArt.6GDPR,this
doesnotnecessarilymeanthattransferofWhoisdatatonon-EUMemberStatescanbejustified,too.
Similar requirements to thoseofGDPRexist for thedata transfer fromEuropean lawenforcement
authoritiestothoseofthirdcountriesonthebasisoftheDirective(EU)2016/680.
1.InternationalDataTransferunderGDPR
TheGDPRprovidesvariouspossibilitiestojustifytransferofdataoutsidetheEU,suchas
• Article45GDPR:DatatransferonthebasisofanadequacydecisionbytheEUCommission
(non-EUstatescanapplyfortheEUCommissiontoissueanadequacydecisionthatrecognises
thelevelofdataprotectionascomparabletoEUstandards).
• Article 46 GDPR: "appropriate safeguards", such as legally binding and enforceable
instrumentsbetweenpublicauthoritiesorbodies,bindingcorporaterules("BCRs")withina
groupofcompanies,StandardContractClauses("SCCs")providedbytheEUCommissionor
safeharbourcertification.
More importantly, theGDPRprovides furtherexceptions for internationaldata transfers in certain
contexts,Art.49GDPR.Datatransfercanbejustifiedwithouttheneedforanadequacyassessmentor
appropriate safeguards, among other things, if the transfer is necessary for the performance of a
contractbetweenthedatasubjectandthecontroller(Art.49(1)lit.bGDPR),forimportantreasonsof
publicinterest(Art.49(1)lit.dGDPR)orifitisnecessaryforestablishing,exercisingordefendinglegal
claims(Art.49(1)lit.eGDPR):
Article49(1)lit.b)GDPRreflectstheconcept,alreadylaiddownforjustificationofdataprocessing
underArt.6(1)lit.b)GDPR.Accordingtothisprovisiondataprocessingisjustifiedwhereitisnecessary
fortheperformanceofacontract(seeabovePartCII1).Article49(1)lit.b)GDPRextendsthislegal
valuation to international data transfers. Consequently, where data transfer is necessary for the
67
performanceofthedisputeresolutionprograms"UDPR"and"URS",atransfertothenon-EUcountry
maybeconsideredasbeingjustified.
Article49(1)lit.d)GDPRjustifiesinternationaldatatransferifitisnecessaryforimportantreasonsof
publicinterest.Article49(4)GDPRfurtherclarifiesthatanythirdcountryinterestpresentedinorder
tojustifydatatransferunderArticle49(1)lit.d)GDPRmustalsoberecognisedeitherinEUlaworin
the laws of the respective EUMember State. The scope of this provision is quite limited as only
particularlyimportantpublicinterestscanbetakenintoaccount.Inthisrespectrecital112explicitly
names international data exchange between competition authorities, between tax or customs
administrations,betweenfinancialsupervisoryauthoritiesandbetweenservicescompetentforsocial
securitymatter or for public health. Furthermore, an excessive use of this justification clause for
transferstoforeignpublicauthoritiesmayunderminelegislativedecisionsfororagainstinternational
cooperationwiththirdcountries.Internationaldatatransferforpubliclawenforcementpurposesis
regulatedwithinDirective(EU)2016/680andisthereforeoutsidethescopeoftheGDPR.
Article49(1)lit.d)GDPRfurtherallowsinternationaldatatransferstonon-EUstatesifitisnecessary
fortheestablishment,exerciseordefenceoflegalclaims.ThisprovisionenablescontrollersofWhois
datatosatisfyinformationdemandsrelatedtoprivate(IP-)lawenforcementfromoutsidetheEU.The
wordingoftheprovisionisnotlimitedtoadatatransferinthecontextofcourtproceedings.Therefore,
theprovisionalsopermitsdatatransfertoprivatepartiesorpublicauthorities,aslongasthisatransfer
serves the purpose of establishing, exercising or defending of a legal claim (e.g. in administrative
proceedings).
Theexceptionforatransferofpersonaldataaccessiblewithinpublicregisters(Art.49(1)lit.g)GDPR),
however, does not apply to a publicWhois directory. This provision only covers registers that are
intendedtoprovideinformationtothepublicunderthelawsoftheEUortheMemberStates,suchas
commercialorlandregisters.ThisisnotthecasewithprivatedirectoriesliketheexistingpublicWhois.
2.InternationalTransferofWhoisDatatoNon-EULawEnforcementAgencies
According to Directive (EU) 2016/680, EuropeanMember States should ensure that a transfer by
Europeanlawenforcementagenciestoathirdcountryortoaninternationalorganisationtakesplace
onlyifnecessaryfortheprevention,investigation,detectionorprosecutionofcriminaloffencesorthe
executionofcriminalpenalties, includingthesafeguardingagainstandthepreventionofthreatsto
publicsecurity,andthatthecontrollerinthethirdcountryorinternationalorganisationisacompetent
authorityaswell.SimilartotherequirementsforinternationaldatatransferaccordingtotheGDPR,
68
suchtransfersmaytakeplaceforinstanceincaseswheretheEuropeanCommissionhasdecidedthat
thethirdcountryorinternationalorganisationinquestionensuresanadequatelevelofprotectionor,
intheabsenceofanadequacydecisionandofappropriatesafeguards,certainderogationsforspecific
situationsapply(e.g.inordertoprotectthevitalinterestsofthedatasubjectoranotherpersonorfor
thepreventionofan immediateandserious threat topublicsecurityofaMemberStateora third
country).
IV. ProceduralAspects
a)CertificationofPublicAuthorities
Allinall,evenifthecriterialistedabove(PartCII2)areusedasabasisforthedisclosuredecision,
theremaystillbealargevarietyoflegalbasesand,therefore,ofpublicauthoritiesactingonthebasis
of such. In practice, this would lead to the result that, in case of information disclosure requests
submitted to registrars or registries, the assessment of the legal basis to be performedmight be
extremelycomplexanddifficultandrequiresignificantadministrativeeffortsandtime,forwhichquite
anumberofresourceswouldhavetobeprovided.Saideffortandtimeincreaseswiththenumberof
expectedrequests.In2014,forexample,DeutscheTelekom,alone,disclosedtheownersof733,377
69
IPaddresses,whichinaccordancewithEuropeanlawmustalsobeconsideredpersonaldata,tolaw
enforcementauthorities32.
Inaddition, in caseof the investigationandprosecutionof criminaloffences ithas tobegenerally
assumedthattherequestofthepublicauthorityisurgent.Anindividualassessmentofallrequestsfor
informationwouldstandinoppositiontotheurgentneedfor informationofthepublicauthorities;
evenmisjudgmentsoftheassessorcouldnotbeexcluded.
Aregistrationand/orcertificationofpublicauthoritieslenditselfasapossiblesolutionforpreventing
this.Thus,acase-by-caseassessmentbasedonthecriteriashownabovewouldnotbenecessaryand
quickaccessforthepublicauthoritieswouldbeensured.
Inthiscontext,inaregistrationand/orcertificationprocess,firstofallanassessmentbasedonformal
criteriacanbeconducted inordertoassesswhetherornottherespectivepublicauthoritymaybe
entitledduetoalegalbasistorequestinformationontheownershipofadomain(atthesametime
constitutesjustificationfordatadisclosureunderArt.6(1)lit.c)GDPRfortheregistry/registrar).
Afterthecertification,thepublicauthoritieswouldbeabletoviewtheDRL1dataofsuchdomains
whicharerelevante.g.inconnectionwiththeinvestigationofacriminaloffense.
Inapolicyfortheuseofthedata,anypublicauthoritywouldfurthermorebeobligated
● nottoperformabusiveormassdatainquiries,● nottoforwardtheobtaineddatatounauthorizedthirdparties.
Oncecertificationtookplaceonthisbasis,accesstoDRL1datacanbegivenwithinthescopeofterms
ofuse.
Althoughdisclosureofdatawouldnotbestrictlylimitedtoindividualregistrantdata,theeffectstothe
registrant arising from a certification model compared to a generally publicly accessible WHOIS
directory significantly lowers the impact on the data subject due to strict access restrictions and
32 Cf. https://www.telekom.com/en/corporate-responsibility/data-protection-data-security/archiv-datenschutznews/news/transparency-report-2014---cooperation-with-government-agencies-362418.
70
purpose limitations. The impact to the registrant´s right and freedoms can be further reduced by
implementingtechnicalmeasureslike
• limitationtoinquiriesforindividualdomains
• limitationsofthetotalnumbersofqueries
• localizationoftherequestbasedonIPaddress
• theuseofCAPTCHAs
However, there are also critical voices about such a model. Their argument is that access by
"automatically qualified parties" that have beenqualifiedwithin a certification process cannot
replace the required legal assessment in each individual case.33 This argument cannot be
completelydismissed.However,evenifdirectaccessbasedoncertifiedaccessonlyshouldnotbe
legallypossible,certificationofthoseauthoritiesbeingentitledtorequestinformationatallwould
alreadybeaconsiderablefacilitationoftheprocessjustifyingtheeffort.
b)CertificationofPrivate3rdParties
Such certificationmodel could also be used for information requests fromprivate 3rd parties. The
certificationprocesswouldneedtofulfillataminimumthefollowingcriteriatojustifydisclosureof
registrantdata:
Firstly,thecertificationwouldfromthestartberestrictedtothelimitedgroupof3rdpartiestypically
havinglegitimateinterestsindisclosureofWhoisdata(asoutlinedabove).
Fortheregistrationitself,theapplicantwouldneedtoprovideevidenceconcerningtheassociation
withoneofthose3rdpartygroups.Thismaytakeplacee.g.throughelectronictransferofanattorney’s
ID card or the excerpt of the register of the association or the chamber of commerce, aswell as
providingdetails likeorganization’swebsitesetc.Theprecisemodalitiesofregistrationcanalsobe
orientedtowardtherespectivenationalspecifications(e.g.reviewingthelistinginapubliclyaccessible
attorney’sdirectory,ifavailable).
Further,therequestwouldhavetobefiledbyapersonauthorizedtorepresenttherespective3rdparty
group.Inapolicyfortheuseofthedata,anyapplicantwouldfurthermorebeobligated
● nottoperformabusiveormassdatainquiries,33Cf.Nygren/Stenbeck,gTLDRegistrationDirectoryServicesandtheGDPR-Part3,p.11.
71
● nottoperformdatainquiriesforadvertisementordirectmarketingpurposes;● onlytoviewdataifthisisnecessarytoestablish,exerciseordefendlegalclaims,● nottoforwardtheobtaineddatatounauthorizedthirdparties.
Oncecertificationtookplaceonthisbasis,accesstoDRL1datacanbegivenwithinthescopeofterms
ofuse.
Althoughdisclosureofdatawouldnotbestrictlylimitedtoindividualregistrantdata,theeffectstothe
registrant arising from a certification model compared to a generally publicly accessible WHOIS
directory significantly lowers the impact on the data subject due to strict access restrictions and
purpose limitations. The impact to the registrant´s right and freedoms can be further reduced by
implementingtechnicalmeasureslike
• limitationtoinquiriesforindividualdomains
• limitationsofthetotalnumbersofqueries
• localizationoftherequestbasedonIPaddress
• theuseofCAPTCHAs
Note:
RDAPmakes it possible for CAs to issue certificates granting tiered access basedonpre-defined
parameters.Certificationcanthereforebegrantedformultiplecontractedpartiesandmustnotbe
conductedwitheachandeverycontractedparty.
c)LogicalStructureofaDisclosureProcess
IfarequestortypesinaWhoisqueryonadomainname,theWhoisquerywillreturndatathatcomes
fromtheregistrar,including
• Domain Name, Registry Domain ID, RegistrarWhois Server, Registrar URL, Updated Date,
Creation Date, Registry Expiry Date, Registrar, Registrar IANA ID, Registrar Abuse Contact
Email,RegistrarAbuseContactPhone,DomainStatus,NameServer,DNSSEC,NameServerIP
Address,LastUpdateofWhoisDatabase.
Incasearequestorisinterestedinfurtherinformationaboutaregistereddomain,heisprovidedwith
thefollowingoptions:
72
Certifiedusergroupssuchaspublicauthoritiesandthirdpartiesthatcanpresentlegitimateinterests
canaccessDRL1dataviatheCertifiedRequestorProgram:
73
ForothergeneralquerieswheredisclosurecannotbejustifiedunderGDPR,requestorwillbeprovided
withananonymizedemailaddressorawebformfromwhichmessagescanbesenttotheregistrant
emailaddress.
V. ProposalofaTrustedDataClearinghouse(TDC)
AGDPRcompliantWHOISsystemmandatorilyresultsinthefactthatamoreefficientprocessmustbe
found,whichatthesametimecontinuestoprovideaccesstotheauthoritiesand3rdpartiesoutlined
above.
Theoutlinedprocedureforprocessinginformationrequestswillentailanextremeorganizationaland
procedural effort both for the requesting party aswell as for the responsible entity, because the
inquiring partywould first have to research the competent registrar or registry for the respective
domain towhich itmustaddress its request for information.The relevantcontactpartnersand its
contactinformationmustthenbediscovered,inparticularinurgentcases.
Anexpertlyqualifiedandtrustworthyinstanceasaneutralinformationbrokercouldcoordinateaccess
totherelevantWHOISdataandhandletheparties’relevantobligationstodatadisclosuretounifythis
processonagloballevelforallplayersparticipatinginit.ThisTrustedDataClearinghouse(hereinafter
“TDC”)wouldoperateaplatformonwhichtheoutlinedregistrationcertificationprocesswouldbeset
upfortheidentifiedgroupofauthoritiesand3rdpartygroupsauthorizedtoreceiveinformation.
OnlydatacategoryDRL1wouldbeaccessiblethroughthisplatform.Thiscategoryincludesinparticular
nameandcontactdetailsoftheregistrantaswellasthetimeofdomainregistrationandthusprovide
authorized entities with the information concerning the entity that is legally responsible for
registrationofthedomain.Basedonthis,interestsconcerningpubliclawenforcementaswellasthe
legitimate interest in theestablishment, exerciseordefenseof legal claimsunder civil law (e.g. to
prosecutecopyrightortrademarkviolations)wouldbepossible.
Further,acommunicationtoolcouldbesetup fornon-certifiedrequestors throughwhichtheTDC
mediatescontacttothedomainownerandleaves ituptothedomainownertoeithercontactthe
inquiringpartyortoconsenttothedisclosureofitsdata.
74
With regard to information for the prosecution of claims under civil law, this system would be
restricted only in cases in which the registrant asserts its right to object under Art. 21 GDPR. As
presentedabove,Europeanregistrantsareentitledtoobjecttotheprocessingoftheirpersonaldata
forgroundsrelatingtotheir“particularsituation”.
The TDC could also handle the processing of these objections. The registrars and registrieswould
provideacorrespondingemailaddresswithinthescopeoftheirobligationtorefertotheexistenceof
thisrighttoobjectintheirprivacynotice.Anyobjectionsreceivedatwouldthenbelegallyanalyzed
bytheTDCtoreviewwhetherarighttoobjectexistsintheindividualcase.Ifthatisthecase,datacan
be anonymized, or at least disclosure of such data to requestors can be denied. Art. 21 (1) GDPR
generallyprovidesthattheinterestsoftheresponsibleentityindataprocessingcaninparticularbe
predominantiftheprocessingservestheassertionoflegalclaims,buttheregulationheremeanslegal
claimsintherelationshipbetweentheresponsibleentityandthedatasubject,notlegalclaimsofthird
partiesdecisivehere,e.g.oforiginatorsortrademarkowners.
PartD–Outlook
Ideally,thecontractedpartieswouldagreeonajointdatamodelwithICANN.
Implementationoftheplaybookmodelinatimelyfashionposesanadditionalchallengetoallparties
involved.Technicalimplementationneedstobedone,registryrequirementsneedtobedefinedboth
contractuallyaswellasinEPP.Registrarsmightneedtowaiveorshortennoticeperiodsforchanges
ofregistryrequirements.Itwouldbeadvisabletodefinedifferentclassesofregistryrequirementsand
centrallydefineEPPandRRAstandardizedlanguage.