Minimum Requirements for Data Disclosure


Registrar Stakeholder Group Minimum Required Information for Whois Data Requests

This document represents the minimum requirements for Registrars to respond to data disclosure requests for registration data.  Data disclosure requests vary depending on

  • The requestor (LEA, consumer protection organizations, trademark owners etc.);
  • The nature of the request (the domain name is infringing third party rights, contents or services offered infringe third party rights or statutory law, DNS security issues etc.); and
  • The legal basis for the disclosure request and the jurisdiction of the requestor.

Depending on that, there are cases in which the Registrar

  • Must disclose data as there is a legal obligation to do so;
  • May be entitled to disclose data on a voluntary basis; and
  • May wish to disclose data to avoid contributory liability

The criteria below may be applied by Registrars in determining whether disclosure requests can be honored. However, there may be different or additional requirements based on the policies of Registrars or applicable laws. This document is neither binding nor mandatory for Registrars, and each may choose to not to abide by it, or implement as little or a much of the below as they see fit. This document is meant to aid third parties in understanding what information is frequently helpful to Registrars when processing requests for Registrant Data. This document only deals with criteria for requests made by private companies / individuals pursuing civil claims. It is not applicable to requests made by LEAs. Those need to be dealt with according to applicable laws. The document deals with requests where data may be disclosed according to Art. 6 I lit. f) GDPR, which provides the option for the Registrar to disclose data but no statutory requirement or any associated claim by the requestor for the Registrar to disclose.

Also, these criteria shall not anticipate the outcome of the policy discussion taking place in the ICANN community.

Required Data:

  1. Full Name, Affiliation and Contact Details of the requestor
  2. The domain name in question
  3. A statement (Power of Attorney), from the party you represent, that you represent them and their interests with regard to this request. If you are that party, a statement indicating that the email address used is authoritative with respect to this request. If you are a private person acting on your own behalf, a statement of that.
  4. A statement that requested data are related to a good-faith belief that you have legally legitimate need for the data, and that it is specifically required to pursue further action.
  5. Case Summary:
    • A brief description of the specific issue the request is attempting to resolve. The description shall provide information that make the infringement of rights by the registrant obvious, i.e. no further investigation or evaluation by the Registrar is necessary to determine the infringement if the facts presumed to be correct,
    • A reference to the statute or law upon which the claim is being made and information on applicability of this law and statute as well as information on the competent court in the matter
    • Any relevant documentation for the request. For example, a trademark issue would include a description of how the specific mark is being infringed, a reference to the law under which the infringement is occurring, and documentation that the specific trademark is owned or represented by the requestor
  6. A statement that any personal data received through this process will be processed and transferred in compliance with any applicable data protection law, and shall not be stored, transferred, or otherwise shared in contravention with any applicable data protection law.
  7. A statement that submission of the request is evidence that all of the above is, to the best knowledge of the declarant, complete and accurate. In case of any complaint, the declarant will be held responsible under applicable law for disclosure of data under false pretenses.