The unlimited public access of WHOIS data of domain name holders by Dutch registries violates current Dutch privacy laws. The Autoriteit Persoonsgegevens ) has written this to a Dutch administrator of domain name extensions. WHOIS data are the name, address, email address and phone number of domain name holders.
Disclosure of this personal data is not necessary. Access to the data of domain name holders is of course possible if, for example, this is necessary for technical reasons, or for parties such as the judiciary and police, who are legally authorized to do so: so-called graduated access.
Request Dutch registry
The AP is publishing this position in response to a request from a Dutch registry. Registries are parties that technically manage domain name extensions - such as .com or .nl. Based on the rules of the global domain name manager ICANN, this Dutch registry would be obliged to publish WHOIS data of all domain name holders unscreened. However, this Dutch registry allows limited disclosure of the contact details of private domain name holders, such as website owners. This is in accordance with applicable privacy laws.
European privacy regulators
The AP regularly receives signals from citizens, domain name holders, who find that their WHOIS data is being redistributed and used on a variety of websites.
Earlier, European privacy regulators, gathered in the Article 29 Working Party (WP29), expressed concerns about this form of unrestricted disclosure of personal data of domain name holders.
Unscreened publication of WHOIS data in violation of law
When WHOIS data concern natural persons, they are personal data and Dutch privacy laws apply. Making WHOIS data publicly available without restriction via the Internet is a form of processing personal data for which a legal basis is required. According to the AP and WP29, ICANN and the registries cannot invoke the grounds 'necessary for the performance of a contract' and 'legitimate interest'. Nor is it possible to rely on the basis of 'consent of individual domain name holders', because giving consent is a prerequisite for acquiring a domain name and therefore there is no free expression of will.
From May 25, 2018, the General Data Protection Regulation (GDPR) will apply. Even then, making unlimited public access to WHOIS data is against the law.
