In May 2018, ICANN put in place a Temporary Specification to bring existing WHOIS obligations in line with GDPR. The "Temp-Spec" and subsequent policy processes launched by the ICANN global community ensured WHOIS is compliant by creating a tiered access system.
The EDPB noted it "expects ICANN to develop and implement a WHOIS model which will enable legitimate uses by relevant stakeholders, such as law enforcement, of personal data concerning registrants in compliance with the GDPR, without leading to an unlimited publication of those data". However, obtaining legitimate access to non-public WHOIS data necessary to enforce the laws online, including in the fight against cybercrime, remains a challenge.
The ICANN community has been actively working on a solution to balance the law’s data protection requirements with the legitimate interests of third parties seeking access to non-public gTLD registration data.
1. What are the options that can be considered to balance the law’s data protection requirements with the legitimate interests of third parties seeking access to non-public gTLD registration data?
2. What progress has been made by the community process, what challenges remain?
3. Can there be a solution that successfully meets the public interest goal that legitimate access to non-public registration data serves the legitimate interests of all parties involved, including DPAs, or must we live with the current fragmented situation?