Publishing Web Address Owner Data Violates Privacy: Dutch Regulator

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By George Lynch

Providing unlimited public access to the personal data of Dutch internet domain name registrants violates privacy law, the Netherlands’ privacy office said in a recent letter to the organization that maintains the Dutch directory.

The Dutch Data Protection Authority’s letter to the Dutch administrator of .amsterdam and .frl internet domain suffixes concludes that the data of website registrants published by the Internet Corporation for Assigned Names and Numbers (ICANN), the worldwide administrator of domain names, lacks a legitimate legal basis, the regulator said in an Oct. 30 statement. The personal data is normally published in ICANN’s Whois database, a publicly searchable database that contains information such as the names, addresses, email addresses, and telephone numbers of domain name registrants.

In addition to violating Dutch privacy law, the ICANN rules also violate the forthcoming European Union privacy regime, the General Data Protection Regulation, which takes effect in May 2018, the regulator said.

The case illustrates “how that Dutch/European view clashes with that of a non-European entity like ICANN,” Quinten Kroes, a telecommunications, media, and technology attorney at Brinkhof N.V. in Amsterdam, told Bloomberg Law Nov. 2.

Limited Impact

ICANN sets the general rules for internet domains and oversees the process by which individual domain registers such as GoDaddy.com in the U.S. operate to log owners of specific internet addresses used to identify websites.

Access to such data should be limited to that “necessary for technical reasons, or for law enforcement when it is legally entitled to such access,” the privacy office letter said.

The practical consequences for Dutch companies will be limited, however, because only a relatively limited number of website addresses have been registered that use the .frl and .amsterdam domain name extensions, Thomas de Weerd, information technology and privacy partner at the Houthoff law firm in Amsterdam, told Bloomberg Law Nov. 2.

Dutch Registrar Request

The letter was drafted in response to a request by an unnamed Dutch domain name registrar that, under ICANN rules, would have been required to publish all Whois data on the internet with unlimited access. The registrar asked if it would be in violation of privacy law if it complied with the ICANN rules.

It is unusual for the privacy office to make public an opinion at the request of an interested party when the office isn’t doing so in the context of an enforcement action, Kroes said. But the regulator made an exception since the publication of Whois data affects so many individuals, he said.

Publication of the data is a form of processing that requires a legal justification, the privacy office said. ICANN cannot rely on performance of a contract, legitimate interest, or consent for the publication of the data, it said.

Wanne Pemmelaar, senior associate at Allen & Overy LLP in Amsterdam, told Bloomberg Law Nov. 2 that the privacy office is “correcting a flaw in the system that has existed ever since people started registering domain names.”

The Article 29 Working Party, which is made up of privacy regulators from each of the EU member countries, has expressed concerns about the unlimited publication of internet domain holder personal data as far back as 2003.

To contact the reporter on this story: George Lynch in Washington at gLynch@bna.com

To contact the editor responsible for this story: Donald Aplin at daplin@bna.com

Copyright © 2017 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security