The internet is at risk of becoming fragmented if online databases that show who owns websites are shut down after the EU’s new data protection law takes effect next month, the head of internet domain organisation ICANN has warned.
National data protection authorities from EU member states are under pressure to spell out whether the databases, known as the WHOIS system, can stay online and continue displaying personal information like names, email addresses and phone numbers of people who registered internet domain names.
Law enforcement authorities say that information is often useful for criminal investigations, like in the aftermath of WannaCry, a major cybersecurity attack last year.
The European Commission and EU police agency Europol have lobbied the Internet Corporation for Assigned Names and Numbers (ICANN), the US-based non-profit organisation that oversees the databases, to find a way to keep the website information online without breaking the strict new EU privacy law. Europol asked ICANN to make sure law enforcement authorities are excluded from any new access restrictions to the system.
The organisation has proposed fixes like an accreditation system to control who accesses the databases, or a new limited version that displays less personal information about website owners. But so far, there is still no sign of what will happen to the WHOIS system.
Time is running out—the data protection regulation takes effect on 25 May—and ICANN is alarmed.
Göran Marby, ICANN’s CEO, said EU data protection regulators need to publish legal advice so that companies and people who run WHOIS databases can be sure they will not face fines under the new regulation, which is also known as the GDPR.
They have reason to be afraid: the legislation comes with record-high sanctions that could cost misbehaving companies up to €20 million, or as much as 4% of their annual worldwide turnover. The law will also give national data protection authorities an arsenal of new powers, including the ability to set those fines.
“The balance is really in their hands now to say ‘we believe that it is important for police forces to get access to this information’,” Marby told EURACTIV in an interview.
The umbrella group of regulators, known as the Article 29 working party, will meet in Brussels next week (10-11 April).
Marby said he has asked the regulators to draft a legal opinion on how the system can comply with the GDPR during the two-day session. A spokeswoman for the group declined to say whether the WHOIS showdown is on the meeting agenda because it is not yet public.
“If we don’t get clear guidance, one of the fundamental things that’s been around for a very long time, since the beginning of the internet, could be fragmented and that could have severe effects,” Marby said.
“Until we have that guidance, I will be frustrated,” he added.
The privacy showdown is having ripple effects. The US government has also weighed in on the potential effects that the EU’s watershed privacy law could have on WHOIS. If information is removed from the database, police outside Europe will also have access to less information about website ownership.
A Trump administration official warned at an ICANN meeting last month that “the United States will not accept a situation in which WHOIS information is not available or is so difficult to gain access to that it becomes useless for the legitimate purposes that are critical to the ongoing stability and security of the internet,” technology news website The Register reported.
But Marby said it is hard to predict what the immediate effects on the WHOIS system could be because companies operating databases need “proper implementation time” to adjust how they publish information in order to meet the privacy regulators’ demands.
If operators of WHOIS websites do not receive a legal blessing from the authorities, they might remove details from the databases according to their own interpretation of the GDPR, Marby warned.
“I don’t think that’s good for privacy and I don’t think that’s good for police forces that use that data for purposes of their own. That is our worst-case scenario,” he said.
“We don’t know today where the threshold is when it comes to the balance between the right to privacy and the need for information according to the GDPR because it has not been set.”