The unexpected consequences of GDPR

According to the European Commission, “the General Data Protection Regulation (GDPR) was put into place to ensure one set of data protection rules for all companies operating in the EU, wherever they are based.”

The purpose of this important privacy regulation is to ensure that individuals residing in EU member states have more control over their personal data and that data collectors take the required steps to protect that data.

No one can argue against the benefits of knowing why personal data is collected and how it will be used, processed and disposed of; still, six months after the effective date of GDPR, compliance with this regulation has been a huge undertaking for organisations and businesses around the globe.

Impacts to brand protection

GDPR has affected areas such as marketing, sales, human resources, and corporate acquisitions, but for brand protection professionals and those concerned with protecting intellectual property rights, the consequences have been tremendous. While complying with GDPR may make some business operations more challenging and inconvenient, when it comes to protecting a corporate brand and enforcing IP rights online, the impact is even more acute.

Historically, WHOIS, a global database that published the contact information of every domain name registrant, provided a way to identify those responsible for brand infringements. However, the WHOIS database did not comply with GDPR and therefore much of the registrant data is now no longer public. The Internet Corporation for Assigned Names and Numbers (ICANN) is currently working on a new registrant data policy which complies with GDPR, but in the meantime it is more difficult to get registrant data.

However, it isn’t just brand protection activities that rely on registrant data. Ironically, the unexpected consequences of GDPR for groups involved in law enforcement, child protection, and cyber security mitigation have been dire. While GDPR may have intended to protect the personal data of private individuals, this same regulation may have exposed them to greater risks.

Impacts to investigations

The WHOIS/RDS2 Review Team conducted a survey of law enforcement agencies worldwide and discovered that, prior to May 2018, in 84% of cases, these agencies had used WHOIS data more than 10 times, with 19% using it over 1,000 times to aid them with law enforcement activities. Unfortunately, 67% of respondents now say that WHOIS output does not meet their investigative needs compared to 2% feeling this way prior to May 2018. Indeed, 51.85% said the lack of WHOIS information has delayed an investigation with a further 25.93% having to abandon it altogether.

Registrant data has also traditionally been used as a means to identify cyber attackers, criminal actors and victims of crimes or attacks. In another survey of cyber investigators conducted by the Anti-Phishing and Messaging and Malware and Mobile Anti-Abuse Working Groups, 85% of 300 respondents revealed that they do use registrant data.

Now that WHOIS contact data has been redacted, almost 50% of the same group of cyber security experts are unaware of how to access non-public registrant data, and those that do are denied access to it with no explanation 50% of the time. In addition, when access is granted, timeframes are unacceptable: over 25% of requests took more than seven days to grant access.

Online protection moving forward

Clearly, the current state of publicly available registrant data is impacting both law enforcement and cyber security investigations to an unacceptable level. While there are no easy answers, ICANN is trying to move quickly in order to put in place a strategy which conforms to the principles of GDPR and protects an individual’s sensitive data, but also allows parties with a legitimate interest to protect those same individuals from crime in whatever form it takes.
