The application of the European General Data Protection Regulation (GDPR) to the DNS is a hot topic within the ICANN community. However, since the implementation of the GDPR on May 25th, 2018, there has been little public data on:
To further the factual and evidence-based discussion within the ICANN community, we gathered quantitative data about WHOIS access post-GDPR, by surveying the geoTLD registries. As these registries operate under the authority of their respective governments, geoTLDs have a particular responsibility to the public interest of their target communities, including in respect of data protection.
39 geoTLD Registries from around the globe participated in the survey. 25 out of the 39 participants are geoTLD Registries within the European Union (EU); 14 are from the rest of the world. The participating geoTLD Registries represent over 600,000 domain registrations.
The survey was performed with SurveyMonkey.com. Answers were collected between 15 Aug and 04 Oct 2018.
The GDPR has been in effect for several months, but little information has been published on its operation at the registry and registrar level. Unfortunately, this has opened up space for speculation and even “alternative facts” being used to incorrectly influence ICANN, governments and other community members in their decision-making. This study aims to provide data-driven evidence of how GDPR is working in practice, in order to ground the debate at ICANN in facts, not hypotheticals.
Overall, our findings are that while EU-based geo TLD registries take GDPR seriously and have enacted measures to protect citizens’ personal data, the number of requests to access the data is vanishingly small, and these requests are being dealt with efficiently. This study of the geoTLD registries shows there is no evidence-based need for a universal access model, based on how GDPR is working in practice.
The survey results can be summarized as follows:
GDPR Request EU geoTLDs only
This is the entire list of questions asked and answers received, with separate recognition of EU-based geoTLD Registries. The participating geoTLDs Registries are in alphabetic order: .africa .alsace .amsterdam .bayern .berlin .brussels .budapest .cat .cologne .corsica .cymru .eus .frl .hamburg .ist .istanbul .koeln .london .melbourne .mockba .moscow .nagoya .nrw .nyc .osaka .paris .quebec .rio .ruhr .saarland .scot .swiss .sydney .tirol .tokyo .vlaanderen .wales .wien .yokohama
|Results of EU geoTLDs|
|1||How does your WHOIS look like today?|
|7||5||No data is shown for Owner/Admin/Tech (closed)|
|30||19||Redacted data is shown for Owner/Admin/Tech (ICANN Temporary Specification)|
|0||0||Whois is closed off|
|2||1||Unchanged in comparison to before 25 May 2018|
|2||Are changes to your the WHOIS planned any time soon?|
|16||11||Changes are implemented and no further changes are planned|
|3||If your WHOIS shows no or redacted data, which mechanism did you implement to allow for access of legitimate interests? (multiple answers allowed)|
|6||5||Mechanism for data access is in place|
|32||20||Case by case requests only|
|1||1||Tiered access established|
|1||0||General access is allowed|
|0||0||Automated access enabled|
|4||1||No mechanism in place|
|4||In your opinion, is your WHOIS publication and your WHOIS data access mechanism in-line with national legislation?|
|2||1||Only WHOIS publication|
|0||0||Only WHOIS data access mechanism|
|5||Did you consult with your local ccTLD to harmonise WHOIS publication and access?|
|6||How many WHOIS data access requests did your Registry get since 25 May 2018?|
|7||How many WHOIS data access requests there of were legitimate?|
|8||Type of requests? (multiple answers allowed)|
|9||What was the average time to reply to a WHOIS data access?|
|1||1||> 7 days|