European Data Protection Board

The European Data Protection Board endorsed the statement of the WP29 on ICANN/WHOIS.

Generic picture Icann
Sunday, 27 May, 2018

The European Data Protection Board endorsed the statement of the WP29 on ICANN/WHOIS during its first plenary meeting on 25 May.

 

WP29 statement regarding WHOIS

 

“WP29 recognizes the important functions fulfilled by the WHOIS service. 
 
WP29 has been offering guidance to ICANN on how to bring WHOIS in compliance with European data protection law since 2003 (see WP29 opinion of 2003 available here). ICANN’s GDPR compliance process appears to have been formally initiated in the course of 2017, which may be part of the reason why stakeholders are concerned over the entry into application of the GDPR on 25 May 2018.
 
The GDPR does not allow national supervisory authorities nor the European Data Protection Board (the WP29 will become the EDPB on 25 May 2018) to create an “enforcement moratorium” for individual data controllers. Data protection is a fundamental right of individuals, who may submit complaints to their national data protection authority whenever they consider that their rights under the GDPR have been violated. 
 
Data protection authorities may, however, take into consideration the measures which have already been taken or which are underway when determining the appropriate regulatory response upon receiving such complaints.


As expressed also in earlier correspondence with ICANN (including this letter of December 2017 and this letter of April 2018),  WP29 expects ICANN to develop and implement a WHOIS model which will enable legitimate uses by relevant stakeholders, such as law enforcement, of personal data concerning registrants in compliance with the GDPR, without leading to an unlimited publication of those data.

 

The WP29 recognizes the recent efforts undertaken by ICANN to ensure the compliance of the WHOIS system. The WP29 will continue to monitor ICANN’s progress closely and its members may engage further with ICANN to ensure that the legal requirements under EU data protection law are properly addressed.