GDPR And Its Effects On The Whois

More privacy rights for users means more obligations and rules for companies that collect and store data.


These new rules came into effect at the end of May 2018 in the form of the EU General Data Protection Regulation (GDPR). Consequently, this also affects an area that had already raised a lot of questions beforehand and continues to be discussed:

Access to the Whois directory is significantly restricted, severing the ability to find out the identity of domain owners with just a few mouse clicks. But does that actually signify a new burden or complication for domain sellers or even for prospective buyers of domains already registered?



What restrictions does the GDPR present for Whois queries?

Before the new General Data Protection Regulation (GDPR) was applied, anyone interested in purchasing a domain already registered could very easily establish the contact details of the current owner. This uncomplicated way of making contact with the owner or previous owner no longer exists. A website's ownership data can no longer be requested from the Whois database system with a simple mouse click.

The new rule says that only justified queries are allowed. However, even before the GDPR took effect, it was not possible to use the Whois directory for inappropriate purposes. Captcha protection and other search criteria restrictions acted as safeguards against the phishing of email and telephone contact data.



What new rights do domain owners have as a result of the GDPR?

With the new data protection regulations, private domain holders are protected in the same way as Internet users. This means that domain owners no longer have to worry about being bothered on a regular basis by spam, unwanted telephone canvassing or direct mail campaigns.

Conversely, it is much more difficult to receive inquiries from potential buyers. A prospective buyer is much less likely to get into direct contact with the owner of a domain that has been registered but is not used for a website. However, the following applies here: such a procedure has not been the typical practice for quite some time.

For the trading of domains, “Trusted Partners” like Sedo have long been established as platforms that mediate between those offering a domain and those wanting to acquire one. In this respect, the positive aspect predominates: domain owners are granted more “privacy” through conservative company policies.



Why is there criticism of the new Whois rules?

Not surprisingly, the new regulations governing Whois queries have attracted a lot of criticism. Security experts and criminologists point out that this restriction opens the door to the expansion of cybercrime and an increase in spam. The reason for this is that domains are often used to send spam emails.

In addition, it is still hotly debated within the industry whether all Whois data should no longer be displayed or whether it could at least be shown partially, e.g. email address, but no first or last name. There still doesn’t appear to be a consensus, given that the numerous registries and registrars are doing their own thing and going in different directions. Examples include Nominet, the operator of the British suffix .uk, which charges a fee for limited Whois information, while Denic, which manages the German suffix .de, does not display any data at all. Kevin Murphy from the domain industry blog has drawn up a summary overview of the 33 European ccTLD administrations and how they’re applying the Whois rules.



How justified is the criticism of the new Whois regulation?

Anyone who acquires or operates a website to pursue a dishonest business model can now apparently rest assured that they will remain undetected as the responsible party. On the other hand, extensive legislative amendments are traditionally expected to undergo a number of adjustments and constant refinement over time.

It is hardly conceivable that additional data protection for Internet users and domain owners has to be permanently accompanied by the simultaneous greater abuse of Internet domains.

The annoyance of the registrars and registries at not having sufficient lead time to prepare for the changeover at the technical and administrative level is understandable. Right up until the last minute, no final decision was taken by ICANN with regard to what form the new Whois regulation should take, with the result that not all of those affected were able to complete the actual implementation in time.



What are the arguments in favor of the restrictions of Whois queries?

It was possible to abuse the Whois databases in the past mainly because it was not necessary to give a plausible reason for such a query. The data of domain owners was publicly accessible, making it susceptible to misuse. The GDPR now stipulates that a query can only be made for plausible reasons.

Although this perhaps does not make the mass “grabbing” of information completely impossible, it will make it considerably more difficult. This means it is not so much the business model of the Whois platform providers that is called into question but more the dishonest intentions of contact data “grabbers” operating in a systematic way.

In addition, each national register or domain registrar was allowed to decide how completely or to what depth they collected the domain owners’ data. Nothing has changed in this regard.



Summary and outlook:


  • The EU-wide General Data Protection Regulation restricts, among other things, automated access to the Whois directory.

  • Those making inquiries must give plausible reasons why they want to find out a domain owner’s personal data.

  • The new regulation provides private domain owners with better protection against contact data phishing and its annoying consequences, for example unwanted telephone inquiries and email inboxes flooded with spam.

  • There are no new advantages or disadvantages for domain sellers or domain buyers. Sedo has long been regarded as an established intermediary for the trading of domains and one that maintains traditionally high standards in the areas of privacy policies and data protection.

  • It can be expected that a number of deficiencies and loopholes in the GDPR will be rectified over the medium to long term by way of rulings in individual cases.