WHOIS (pronounced as the phrase who is) is a query and response protocol that is used for the database that stores the registered users of domain names - in other words, the worldwide "domain name register".

Access to WHOIS data about domains and their holders is important in particular for rights holders (to identify potential infringers), for law enforcement agencies (to prevent crime), and interested commercial parties (to verify the owner of a particular domain).  

But questions have arisen whether the current WHOIS set-up - ICANN's system for accessing data on domains and their holders - is in line with the requirements set out by the GDPR, EU's new data privacy framework. Many types of personal data about registered domain users are being processed by registrars and fed into the WHOIS database, where such data is publicy accessible. This collides with the the GDPR's approach, which demands (inter alia) that personal data is processed only for a specified and legitimate purpose to the extent necessary, is stored not longer than necessary and is accurate, up-to-date and kept confidential.

After months of debate, ICANN had published its analysis and proposal on how to tackle this issue. ICANN's proposal included three different models for new terms, which are still being discussed by stakeholders and the community. The models represent a "layered approach" on how to make the collection, retention and access to WHOIS data compliant with the GDPR's strict requirements. 

Recently, the European Commission has provided its view on the issue. It can be found here. The position paper contains a number of considerations. In a nutshell, the Commission critizises ICANN's proposal as "too abstract" identifies "some confusion" in ICANN's efforts. It proposes clearer and more explicit provisions in relation to the conditions for users' personal data being collected, stored, published and accessed in the context of the WHOIS register.

ICANN has not much time left to solve the privacy issues of the WHOIS system, as the GDPR is set to become applicable in the EU on 25 May 2018. 

Whatever ICANN comes up with: As the Commission notes, it will be for the Member States data protection authorities and ultimately for the courts at national and EU level to assess the compliance of ICANN's new rules with the GDPR.