ARTICLE 29 – DATA PROTECTION WORKING PARTY ON THE PROTECTION OF INDIVIDUALS WITH REGARD TO THE PROCESSING OF PERSONAL DATA

Opinion on the application of the data protection principles to the WhoIs Directories


1. Introduction:

The WhoIs directories raise several issues from the data protection perspective. WhoIs data relates to those who have registered a domain name and it contains in particular information as to the name of the contact-point for the domain name, including phone number, e-mail address and other personal data. These data were originally made publicly available to give people who operate networks a way of contacting the person technically responsible for another network, another domain, when there was a problem. This purpose is in itself a legitimate purpose.

The Working Party is conscious of the growing importance of the WhoIs discussion as more and more individuals (private persons) are registering their own domain names and there have been complaints about improper use of the Whois data in several countries. The registration of domain names by individuals raises different legal considerations from the registration of domain names by companies or other legal persons, as will be explained in more detail later in this opinion.

The Working Party has therefore followed with interest the work of the ICANN WhoIs Task Force concerning the Whois directories as well as the work undertaken by the International Working Group on Data Protection in Telecommunications concerning this matter[2].

The Working Party is aware that a Whois discussion will take place in the framework of the ICANN/GAC conference that will be held in Montreal at the end of June. It would like to contribute to this discussion through this opinion, which aims at underlining a number of fundamental questions arising from the application of the data protection principles to the Whois directories.

This opinion focuses on the Whois directories but, to the extent that the same or similar circumstances relate to them, the same considerations apply to other registries of domain names and IP addresses at regional level such as RIPE for Europe, AP-NIC for Asia and so on.

2. The application of the data protection principles to the Whois directories:

• From the data protection viewpoint it is essential to determine in very clear terms what the purpose of the Whois is and which purpose(s) can be considered as legitimate and compatible with the original purpose. The reports of the Whois Task Force have failed to address these questions. This is an extremely delicate matter, as the purpose of the Whois directories cannot be extended to other purposes just because they are considered desirable by some potential users of the directories.

Some purposes that could raise data protection (compatibility) issues are, for example, the use of the data by private sector actors in the framework of self-police activities related to alleged breaches of their rights, e.g. in the digital rights management field.

• Article 6c of the Directive imposes clear limitations concerning the collection and processing of personal data meaning that data should be relevant and not excessive for the specific purpose. In that light it is essential to limit the amount of personal data to be collected and processed. This should be kept particularly in mind when discussing the wishes of some parties to increase the uniformity of the diverse Whois directories.

The registration of domain names by individuals raises different legal considerations than that of companies or other legal persons registering domain names.

– In the first case, the publication of certain information about the company or organization (such as their identification and their physical address) is often a requirement by law in the framework of the commercial or professional activities they perform. It should be noted however that, also in the cases of companies or organizations registering domain names, individuals can not be forced to have their name published as contact-point, as a consequence of the right to object.

– In the second case, where an individual registers a domain name, the situation is different and, while it is clear that the identity and contact information should be known to his/her service provider, there is no legal ground justifying the mandatory publication of personal data referring to this person. Such a publication of the personal data of individuals, for instance their address and their telephone number, would conflict with their right to determine whether their personal data are included in a public directory and if so which[3]. The original purpose of the Whois directories can however equally be served as the details of the person are known to the ISP that can, in case of problems related to the site, contact the individual[4].

• In the light of the proportionality principle, it is necessary to look for less intrusive methods that would still serve the purpose of the Whois directories without having all data directly available on-line to everybody. As already mentioned in the introduction, Internet Service Providers can play, and in some countries are playing, an important role in this field. In any case, filter mechanisms should be developed to secure purpose limitation in the interfaces for accessing the directories.

• The fact that personal data are publicly available does not mean that the requirements of the data protection directive do not apply to that data. On the contrary, as has already been stated in previous opinions of the Working Party[5], it is perfectly clear from the wording of the data protection legislation that it applies to personal data made publicly available: even after personal data are made public, they are still personal and as a consequence the data subjects cannot be deprived of the protection they are entitled to as regards the processing of their data.

• The Working Party is particularly concerned about the proposals regarding more searchable Whois facilities. In that context it would like to mention the conclusions of its Opinion 5/2000 on The Use of Public Directories for Reverse or Multi-criteria Searching Services (Reverse Directories)[6]: the processing of personal data in reverse directories or multi-criteria searching services without unambiguous and informed consent by the individual is unfair and unlawful.

• The Working Party wishes to state its support for the proposals concerning accuracy of the data (which is also one of the principles of the European Data Protection Directive[7]) and limitation of bulk access for direct marketing issues. Bulk use of Whois data for direct marketing is by no means in line with the purpose for which the directories were set up and are being maintained. In the light of the provisions of the electronic communications directive[8] any use of e-mail addresses for direct marketing must be based on opt-in only.

The Working Party encourages ICANN and the Whois community to look at privacy enhancing ways to run the WhoIs directories in a way that serves its original purpose whilst protecting the rights of individuals. It should in any case be possible for individuals to register domain names without their personal details appearing on a publicly available register.

Done at Brussels, on 13 June 2003

For the Working Party,
The Chairman
Stefano RODOTA