European Data Protection Regulators have been expressing their concerns for nearly twenty years about public records of domain name ownership (commonly referred to as WHOIS data). A recent case (C37-20) on public records of company ownership (required under money-laundering legislation) suggests that the European Court of Justice would have similar doubts. But its comments on how access to such records might be made lawful could provide a useful framework for Incident Response Teams or registries wishing to obtain or provide access to WHOIS data as well.
Interestingly, the Court contrasts a situation where records of ownership are public with an earlier one where such records were available to “any person or organization capable of demonstrating a legitimate interest”. The latter is the rule currently applied by many Domain Name Registries. So how might such a legitimate interest be established? First, the Court dismisses (72) the claim that the difficulty of providing a detailed definition is a justification for dropping the requirement. Instead, those wishing access need to demonstrate:
- That their need for access relates to an “objective of general interest” (46);
- That the interference with individuals’ privacy and other rights is necessary for that objective (in the usual EU sense of “could not be achieved by other means less prejudicial”) (66);
- That the interference is proportionate, in particular “capable of being offset by any benefits which might result” (85);
- And that there are “sufficient safeguards enabling data subjects to protect their personal data effectively against risks of abuse” (86). For example, company ownership data “enables a potentially unlimited number of persons to find out about the material and financial situation of a beneficial owner” (42) and “the potential consequences for the data subjects resulting from possible abuse of their personal data are exacerbated by the fact that, once those data have been made available to the general public, they can not only be freely consulted, but also retained and disseminated” (43).
Incident response teams that analyse WHOIS data to detect and even prevent security incidents shouldn’t find it too hard to meet these requirements. Doing so, using the structure from the case, should reassure regulators and registries, as well as system and network users. Reducing incidents and their impact is identified as a general interest in both data protection and network security laws. CSIRTs have been applying “necessary and proportionate” tests to their activities for many years: the benefit to individuals of their data, systems and networks being secure helps to support this case. The purpose of incident response itself requires strong safeguards against information being misused or inappropriately disseminated (it would help attackers greatly if they could find out how much of their activities had been detected); though the case also highlights the need for safeguards on registers to ensure that only authorised individuals can access data.