Preserving Whois and GDPR Readiness

Nearly four weeks have passed since my last blog post that analyzed ICANN’s three proposed GDPR compliant WHOIS models.  Since then MarkMonitor’s domain policy team and our WHOIS data group have been working hard to advocate for the continued preservation of WHOIS registration data as well as to prepare its own database for compliance with the European regulation. These efforts will continue at their current fervor until the EU’s May 25th enforcement deadline approaches and likely, beyond.

After participating in several ICANN cross-community multi-stakeholder group calls and face-to-face meetings to discuss the relative merits and shortcomings of the proposed models, on January 29, MarkMonitor submitted a detailed comment to ICANN analyzing the models and urging ICANN to adopt a model that maintains the current WHOIS system to the greatest extent possible while being in compliance with GDPR.  In its comment, MarkMonitor pointed out where the proposed models fell short of important requirements as well as suggesting a method for validating requestors needing to see the non-public WHOIS data. ICANN is reviewing MarkMonitor’s comment as well as others that were submitted. A little more than a week ago, ICANN published a graphic depicting the key elements of the proposed models:
 

GDPR

MarkMonitor will continue to work with other affected constituents in the ICANN community in the coming weeks to push ICANN toward the adoption of a single model that addresses the concerns of registrars and registries but also the needs of law enforcement and IP and brand protection companies, like MarkMonitor.
    
In addition to the advocacy work being done by the policy team, MarkMonitor is undertaking steps to prepare its own WHOIS registration data for GDPR compliance.  As a corporate domain name registrar, most of the registration data we collect and transmit to the registries is corporate information and not data concerning a natural person which GDPR aims to protect. Although MarkMonitor’s risk of non-compliance is much lower than a retail registrar’s risk, our domain team is currently scrubbing” our WHOIS data to make sure no personal data is in any of the data fields.  Clients should expect to receive a message from their Client Services Managers in a few short weeks to confirm their registrant information.
    
In addition MarkMonitor is working closely with its legal department and privacy consultants to determine which model is best for MarkMonitor to adopt while being consistent with the public position the Company has taken on the proposed models.
    
Finally MarkMonitor is evaluating its enforcement processes to identify what efficiencies may be lost should “thick” WHOIS data not be collected and made accessible. A preliminary analysis of our processes has revealed that MarkMonitor will still be able to deliver brand protection and anti-piracy services at the level to which our clients have become accustomed although to do so may require additional manual effort on the part of our CSMs.
    
ICANN is hoping to successfully steer the community toward a single model that most registrars and registries can adopt and non-contracted parties can support. MarkMonitor will support this effort. In addition ICANN has also asked the EU for an extension of the deadline in order to complete this task.  While MarkMonitor also supports this extension we are working hard to build consensus before the original deadline as well as to have our own WHOIS data in compliance. Clearly this issue will be front and center once again during the next ICANN meeting in San Juan scheduled in March which MarkMonitor will be attending.