GDPR Basics
The EU General Data Protection Regulation (2018) mandates that personal data be processed lawfully, transparently, and for specified purposes. Public WHOIS historically displayed home addresses, which fall squarely within GDPR scope.
Impact on WHOIS
Post-GDPR, registrars redact personal data for EU residents and, in practice, for most global registrants. Only “technical” fields (registrar, status, dates) remain public unless you opt out of privacy.
Legal Bases for Processing
- Contract: data is needed to register a domain
- Legitimate interest: preventing abuse (limited disclosure to vetted parties)
- Consent: opt-in publication if you want a public WHOIS record
Third-Party Access
Law enforcement, IP lawyers, and security researchers can request data through the Registrar Accreditation Agreement (RAA) 2013 spec. Requests are logged and must be proportionate; fishing expeditions are denied.
Non-EU Registrants
You can choose an EU-based registrar to receive GDPR protection. Conversely, some ccTLDs (.us) require public data; individuals covered by GDPR must provide a US address or use a trustee service.
Data Portability
You can export all personal data the registrar holds (contact info, payment, support tickets) in machine-readable CSV. This is useful when switching providers or complying with corporate audits.
Right to Erasure
Canceling a domain does not automatically delete data; registrars must keep invoices for tax retention (5-10 years). You can request anonymization of support history if no legal dispute exists.
Breach Notification
If a registrar leaks WHOIS data (e.g., through an API bug), it must notify affected users within 72 hours and inform the supervisory authority. Fines can reach 4% of global revenue, a strong incentive for security.
Practical Steps
Enable privacy even if GDPR already redacts you; it adds a contractual layer. Keep your EU address updated; false data can void GDPR protection. Read the registrar's privacy notice to understand retention periods.
Future Outlook
ICANN continues crafting a “Unified Access Model” for tiered WHOIS access. Expect an accreditation process for researchers and stricter audit trails; privacy is here to stay.