Privacy regulators in hotseat over future of ‘fundamental’ website owners list

The internet is at risk of becoming fragmented if online databases that show who owns websites are shut down after the EU’s new data protection law takes effect next month, the head of internet domain organisation ICANN has warned.

National data protection authorities from EU member states are under pressure to spell out whether the databases, known as the WHOIS system, can stay online and continue displaying personal information like names, email addresses and phone numbers of people who registered internet domain names.

Law enforcement authorities say that information is often useful for criminal investigations, like in the aftermath of WannaCry, a major cybersecurity attack last year.

The European Commission and EU police agency Europol have lobbied the Internet Corporation for Assigned Names and Numbers (ICANN), the US-based non-profit organisation that oversees the databases, to find a way to keep the website information online without breaking the strict new EU privacy law. Europol asked ICANN to make sure law enforcement authorities are excluded from any new access restrictions to the system.

ICANN has proposed fixes like an accreditation system to control who accesses the databases, or a new limited version that displays less personal information about website owners. But so far, there is still no sign of what will happen to the WHOIS system.

Time is running out—the data protection regulation takes effect on 25 May—and ICANN is alarmed.

Göran Marby, ICANN’s CEO, said EU data protection regulators need to publish legal advice so that companies and people who run WHOIS databases can be sure they will not face fines under the new regulation, which is also known as the GDPR.

They have reason to be afraid: the legislation comes with record-high sanctions that could cost misbehaving companies up to €20 million, or as much as 4% of their annual worldwide turnover. The law will also give national data protection authorities an arsenal of new powers, including the ability to set those fines.

“The balance is really in their hands now to say ‘we believe that it is important for police forces to get access to this information’,” Marby told EURACTIV in an interview.

The umbrella group of regulators, known as the Article 29 working party, will meet in Brussels next week (10-11 April).

Marby said he has asked the regulators to draft a legal opinion on how the system can comply with the GDPR during the two-day session. A spokeswoman for the group declined to say whether the WHOIS showdown is on the meeting agenda because it is not yet public.

“If we don’t get clear guidance, one of the fundamental things that’s been around for a very long time, since the beginning of the internet, could be fragmented and that could have severe effects,” Marby said.

“Until we have that guidance, I will be frustrated,” he added.

The privacy showdown is having ripple effects. The US government has also weighed in on the potential effects that the EU’s watershed privacy law could have on WHOIS. If information is removed from the database, police outside Europe will also have access to less information about website ownership.

A Trump administration official warned at an ICANN meeting last month that “the United States will not accept a situation in which WHOIS information is not available or is so difficult to gain access to that it becomes useless for the legitimate purposes that are critical to the ongoing stability and security of the internet,” technology news website The Register reported.

But Marby said it is hard to predict what could be the immediate effects on the WHOIS system because companies operating databases need “proper implementation time” to adjust how they publish information in order to meet the privacy regulators’ demands.

If operators of WHOIS websites do not receive a legal blessing from the authorities, they might remove details from the databases according to their own interpretation of the GDPR, Marby warned.

“I don’t think that’s good for privacy and I don’t think that’s good for police forces that use that data for purposes of their own. That is our worst-case scenario,” he said.

“We don’t know today where the threshold is when it comes to the balance between the right to privacy and the need for information according to the GDPR because it has not been set.”
