This article explains how OpenSRS handles WHOIS data under the GDPR, including what is shown in the public WHOIS, what is held in the gated WHOIS, and how law enforcement access works for privacy-protected domains. Resellers can access full WHOIS contact data for their end users in the Reseller Control Panel; only technical data continues to appear in the public-facing lookup. OpenSRS applies these WHOIS changes platform-wide, so all registrants receive the same level of data protection regardless of citizenship or location.
Warning: WHOIS policy evolves with ICANN and registry guidance. Confirm current display rules and law enforcement access procedures with the OpenSRS Support team before acting on the details below.
WHOIS public visibility
Under the GDPR, personal data may only be collected and processed when there is a legal basis to do so. One such basis is a contract; another is explicit consent from the data subject (the person the data pertains to). Data can only be shared when necessary to fulfill the intended purpose of the data collection, which means the legacy public WHOIS system is incompatible with the principles of data privacy that the GDPR affirms.
Note: The domain privacy number continues to be displayed in the public WHOIS because it is not considered personal data.
OpenSRS provides a WHOIS publicity tool that allows registrants to opt in to displaying their details publicly.
Gated WHOIS
Registrant contact data — held on a contract basis or under consent — is displayed in the gated WHOIS unless the domain is privacy-protected. When a domain uses the OpenSRS WHOIS Privacy service, the privacy masking data is displayed both publicly and within the gated WHOIS.
The gated WHOIS is a portal where accredited third parties can access full WHOIS information. The output here includes personal data that is hidden from the public WHOIS.
The WHOIS output for domains with WHOIS Privacy remains the same as before May 2018, in both the public and gated WHOIS. Contact Privacy details — including a contact privacy email — are displayed for domains with WHOIS Privacy in the gated WHOIS.
Law enforcement and privacy-protected domains
The current system requires law enforcement to have warrants or legal grounds to obtain WHOIS information for a privacy-protected domain.
Access to the gated WHOIS only reveals information that was public before May 25, 2018. It does not reveal WHOIS information for privacy-protected domains.
The WHOIS output for privacy-protected domains is the same in both the public and gated WHOIS. OpenSRS continues to require a court order or other legal documentation for access to this information.
Next steps
Review your public WHOIS messaging for registrants. Make sure registrants know how to opt in to public visibility if they want their contact details listed.
Document your law enforcement response process. Confirm that your support team knows to escalate WHOIS data requests for privacy-protected domains.
Confirm that WHOIS Privacy is offered consistently. Review your storefront and support content so registrants understand what WHOIS Privacy does and does not protect.
Questions? Contact OpenSRS Support.
How helpful was this article?
Thanks for your feedback!
Do you still need help? If so please submit a request here.