• The geoTLD GDPR Survey 2018

    Scope of the geoTLD GDPR Survey 2018

    The application of the European General Data Protection Regulation (GDPR) to the DNS is a hot topic within the ICANN community.  However, since the implementation of the GDPR on May 25th, 2018, there has been little public data on:

    • How many WHOIS data requests have been made at the registry level, and;
    • How the registries are handling them.

    To further the factual and evidence-based discussion within the ICANN community, we gathered quantitative data about WHOIS access post-GDPR, by surveying the geoTLD registries. As these registries operate under the authority of their respective governments, geoTLDs have a particular responsibility to the public interest of their target communities, including in respect of data protection.

    Participants

    39 geoTLD Registries from around the globe participated in the survey. 25 out of the 39 participants are geoTLD Registries within the European Union (EU); 14 are from the rest of the world. The participating geoTLD Registries represent over 600,000 domain registrations.

    The survey was performed with SurveyMonkey.com. Answers were collected between 15 Aug and 04 Oct 2018.

    Findings

    The GDPR has been in effect for several months, but little information has been published on its operation at the registry and registrar level. Unfortunately, this has opened up space for speculation and even “alternative facts” being used to incorrectly influence ICANN, governments and other community members in their decision-making. This study aims to provide data-driven evidence of how GDPR is working in practice, in order to ground the debate at ICANN in facts, not hypotheticals.

    Overall, our findings are that while EU-based geo TLD registries take GDPR seriously and have enacted measures to protect citizens’ personal data, the number of requests to access the data is vanishingly small, and these requests are being dealt with efficiently. This study of the geoTLD registries shows there is no evidence-based need for a universal access model, based on how GDPR is working in practice.

    The survey results can be summarized as follows:

    • All EU-based geoTLD registries have implemented operational measures to limit the publication of registrant data by the WHOIS, in-line with national legislation.
    • Almost all EU-based geoTLD Registries have implemented measures to allow for access to unpublished registrant data by legitimate interests.
    • Although the geoTLD registries account for over 600,000 registrations, less than 50 WHOIS data access requests have been received so far.
    • The vast majority of requests was dealt with in a response time of 1–2 days. Only one request waited for 7 days.
    • The majority of geoTLD registries have received no requests for WHOIS data access since 25 May 2018; 76 % of EU geoTLDs received no access requests, and 79 % of the non-EU geoTLDs received none.
    • Of the geoTLDs that received access requests, most received fewer than ten requests. Four registries received fewer than 10 requests and two received more than 10 requests, but less than 20 each.

    GDPR Request EU geoTLDs only
    GDPR Request EU geoTLDs only

    • A majority of EU-based geoTLD registries (60 %) consulted with their local ccTLD to harmonise their WHOIS publication and access with the ccTLD practices, while non-EU geoTLD mostly (17 %) have not.
    • Across all requests, over 50 % were legitimate. They came in equal parts from law enforcement, right holders, lawyers, registrants and other parties.

    Results in Detail

    This is the entire list of questions asked and answers received, with separate recognition of EU-based geoTLD Registries. The participating geoTLDs Registries are in alphabetic order: .africa .alsace .amsterdam .bayern .berlin .brussels .budapest .cat .cologne .corsica .cymru .eus .frl .hamburg .ist .istanbul .koeln .london .melbourne .mockba .moscow .nagoya .nrw .nyc .osaka .paris .quebec .rio .ruhr .saarland .scot .swiss .sydney .tirol .tokyo .vlaanderen .wales .wien .yokohama

     

    Question Results of
    all geoTLDs
    Results of EU geoTLDs
    1 How does your WHOIS look like today? 
    7 5 No data is shown for Owner/Admin/Tech (closed)
    30 19 Redacted data is shown for Owner/Admin/Tech (ICANN Temporary Specification)
    0 0 Whois is closed off
    2 1 Unchanged in comparison to before 25 May 2018
    0 0 Open
    2 Are changes to your the WHOIS planned any time soon? 
    2 1 Yes
    21 13 No
    16 11 Changes are implemented and no further changes are planned
    3 If your WHOIS shows no or redacted data, which mechanism did you implement to allow for access of legitimate interests? (multiple answers allowed)
    6 5 Mechanism for data access is in place
    32 20 Case by case requests only
    1 1 Tiered access established
    1 0 General access is allowed
    0 0 Automated access enabled
    6 2 Other mechanism/measures
    4 1 No mechanism in place
    4 In your opinion, is your WHOIS publication and your WHOIS data access mechanism in-line with national legislation? 
    37 24 Yes
    2 1 Only WHOIS publication
    0 0 Only WHOIS data access mechanism
    0 0 No
    5 Did you consult with your local ccTLD to harmonise WHOIS publication and access?
    17 15 Yes
    22 10 No
    6 How many WHOIS data access requests did your Registry get since 25 May 2018?
    30 19 No request
    6 4 <10
    3 2 >10
    0 0 >100
    0 0 > 1,000
    7 How many WHOIS data access requests there of were legitimate? 
    30 19 No requests
    0 0 0-25
    2 1 25-50
    4 2 50-75
    3 3 >75
    8 Type of requests? (multiple answers allowed)
    30 19 No requests
    1 1 Law enforcement
    3 3 Right holders
    2 1 Lawyers
    4 2 Registrants
    6 4 Other
    9 What was the average time to reply to a WHOIS data access? 
    32 19 No requests
    4 4 1 day
    2 1 2 days
    0 0 3 days
    0 0 7 days
    1 1 > 7 days
Comments are closed.