On Friday 27-10-2017 the Dutch DPA formed an opinion regarding the publication of PII in the public WHOIS.
In short, it is a no go.
I copied the translation below, as for now, the opinion is only published in Dutch.
Two things stick out in the opinion of the Dutch DPA.
Disclosure of this personal information is not necessary through the public WHOIS. And let’s face it, you cannot look up car license plates on the internet to see who the owner is of a car. Sure you can if you are law enforcement, but this purpose has a legal basis.
Many of the use cases on how people use WHOIS can be either solved by technical solutions or policies or common sense.
You do not have to look up a domain name owner and email a domain name owner if the domain name is for sale. The domain name owner can either list his contact details on the website, park it through Sedo or Parkingcrew or Afternic who offer nice landing contact pages.
Or a domain name owner can put a banner on the website it is for sale. If you want to buy a house are you going to knock on everyone’s door and ask if the house is for sale, course not, there are smarter options here.
Consent is not an option according to the Dutch DPA.
And that makes sense, as it not freely given as it is part of a domain name registration contract.
That puts domain name Registrars into a problematic situation. Consent though not being a silver bullet was considered to be the legal basis to move for the Thick WHOIS migration.
This migration forced Registrars to move their registrant data to Verisign USA so it could become a Thick Registry. Just like all the other gTLD registries.
This path is a no go now. If Registrars cannot get consent, well game over there.
That leaves the Registrars in somewhat an awkward position under the ICANN regime.
If you want to transfer data outside of the EU, you have six options.
Now no of them are viable due to ICANN community regulations.
This is problematic.
This somewhat speculative, but it becomes more clear, and I mentioned this before that a lot of ICANN requirements make it very hard to comply with the GDPR.
Or any other Data Protection Laws for that matter.
We often think that the GDPR is setting the trend, but many other countries are setting up data protection laws that will exceed the EU GDPR.
In short, the ICANN community should minimize data collection.
AP: Unshielded publication of WHOIS data in violation of the law
News Release / October 26, 2017Category: Personal Data on the Internet
The unrestricted public access of WHOIS data by domain names by Dutch registries is in violation of current Dutch privacy laws. The Personal Data Authority (AP) has written this to a Dutch domain name extension administrator. WHOIS data is the name, address, email address and phone number of domain name holders.
Disclosure of this personal information is not necessary. Access to data from domain owners is obviously possible if, for technical reasons, it is necessary, or for parties such as the judiciary and the police, which are legally competent for this purpose: the so-called stepped access.
Request Dutch registry
The AP publishes this position in response to a request from a Dutch registry. Registries are parties that manually manage domain name extensions – such as .com or .nl. This Dutch registry would be obliged to publish WHOIS data from all domain namesholders unscreened, based on the rules of the worldwide domain name manager ICANN. This Dutch registry, however, offers the possibility to disclose the contact details of private domain owners, such as website owners. This is in accordance with the applicable privacy laws.
European Public Security Supervisors
The AP regularly receives signals from citizens, domain name holders, who notice that their WHOIS data is redistributed and used on all kinds of websites.
Previously, the European Public Security Supervisors, gathered in the Article 29 Working Party (WP29), are concerned about this form of unlimited disclosure of personal data of domain name holders.
Unshielded publication WHOIS data in violation of the law
When WHOIS data concerns natural persons, it concerns personal data and Dutch privacy laws apply. The unrestricted public access of WHOIS data over the Internet is a form of processing of personal data for which a legal basis is required. According to the AP and earlier also WP29, ICANN and the registries can not rely on the foundations “necessary for the execution of an agreement” and “legitimate interest”. An appeal on the basis of “permission of individual domain owners” is not possible because giving permission is a requirement for acquiring a domain name and therefore there is no free will.
As of May 25, 2018, the General Data Protection Act (AVG) applies. Also, it is unrestricted to make publicly available WHOIS data in violation of the law.