With the growing use of the Internet more and more private persons are starting to register their own domain names with the different national and international Network Information Centers (NICs). In the course of the registration of a domain name, the NICs are collecting personal data from the applicants (like name, address and telephone number) which are regularly made publicly available in the so-called "WhoIs-databases" on the Net. In most countries, the collection and publication of these data is mandatory to register a domain name due to the service conditions of the respective NICs.

While these databases were originally intended to facilitate the technical maintenance of the network (e.g. to contact the person running a domain which produced errors hindering the functioning of the net), the development of the net towards the technical backbone of the emerging "Information Society" has created new interests of different parties in the use of these data:

Law enforcement agencies are using the databases for fighting fraud and the publication of illegal material on the net.

More recently, the World Intellectual Property Organisation (WIPO) has published a report to the "Internet Corporation for Assigned Names and Numbers" (ICANN) on Intellectual Property issues in the management of Internet names and addresses. WIPO has among other things suggested to collect personal data from every domain name holder of a second level domain in the generic Top Level Domains (gTLD) and the publication of these data in a publicly accessible database on the Internet to enable holders of copyrights and trademarks to find out and contact the responsible person in cases of a violation of these rights by a domain name holder.

This approach is also reflected in ICANN´s Statement of Registrar Accreditation Policy which demands registrars for domain names in the generic Top Level Domains to collect contact details from their applicants and provide public access to these data on a real-time basis (such as by way of a WhoIs service).

At the same time the publication of name and address of a domain name holder can also be useful for any Internet user who has experienced an infringement of his or her privacy through personal data published on a website or the use of personal data by a domain name holder. An obligation to publish name and address of the holder of an Internet-Service on its website does not exist in every country. Thus, the publication of these data by the national NICs can be a prerequisite for the user in order to exercise his right to privacy against a service provider.

Nevertheless, the collection and publication of personal data of domain name holders gives itself rise to data protection and privacy issues.

The necessity to protect individuals has been recognised for more than twenty years in the existing national data protection regimes as well as in the international community (e.g. in the OECD guidelines on Privacy of 1980, the Council of Europe Convention No. 108, and, more recently, the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data). These regulations outline similar basic principles on the fair processing of personal information. Among these principles are the obligation to inform the data subjects about the processing of their personal data, the principle of limiting the collection and use of personal data to what is essential to the purpose specified and protection against unauthorised secondary uses.

The importance of the protection of privacy for the fruitful development of the Global Information Society has also been recognised in the basic documents on the development of Electronic Commerce; e.g. in the US "Framework for Global Electronic Commerce" of , the joint EU-US statement on Electronic Commerce, the European Initiative for Electronic Commerce, and at the October 1998 OECD Ministerial Conference in Ottawa.

The current Registrar Accreditation Agreement (RAA) developed by ICANN does not reflect the goal of the protection of personal data of domain name holders in a sufficient way. The Working Group therefore recommends that the following topics be addressed in future versions of the RAA:

It is essential that the purposes of the collection and publication of personal data of domain name holders are being specified.

The amount of data collected and made publicly available in the course of the registration of a domain name should be restricted to what is essential to fulfil the purpose specified. In this respect the Working Group has reservations against a mandatory publication of any data exceeding name (which might also be the name of a company and not of a natural person), address and e-mail-address in cases where the domain name holder is not himself responsible for the technical maintenance of the domain but has this done through a service provider (as is the case with many private persons who have registered domain names).

Any additional data (especially telephone and fax number) - although they might be collected by the registry as necessary with respect to its task - should in such cases either refer to the respective service provider or only be made available with the explicit consent of the data subject. Mandatory publication of telephone and fax numbers of domain name holders would be a problem when private persons register domain names, where the number to be provided might be their home number. The right not to have telephone numbers published - as recognised in most of the national telecommunications data protection regimes - should not be abolished when registering a domain name.

At the same time, any secondary use incompatible with the original purpose specified (e.g. marketing) should be based on the data subject´s informed consent. In this respect the level of privacy guaranteed by the present RAA (cf. point II.F.6.f) is not sufficient.

Any technical mechanism to be introduced to access the data collected from the registrants must furthermore have safeguards to meet the principle of purpose limitation and avoidance of the possibility to unauthorised secondary use of the registrant's data. This demand is not met by an unrestricted, publicly available, searchable database like many WhoIs-databases currently existing. In this respect the Working Group welcomes respective proposals of WIPO in its report on the Internet Domain Name Process to make contact details of domain name holders only available for limited purposes and to take measures to discourage unauthorised secondary use e.g. for marketing purposes. The Working Group deems it necessary that filter mechanisms are developed to secure purpose limitation to be incorporated in the interfaces for accessing the database.

The Working Group further recommends that - in the absence of globally binding data protection legislation - the registries develop a uniform standard for the collection and use of personal data of domain name holders, including rules on the information of the data subjects about the purpose of the collection and of the use of their personal data and a right to access and correction of their data. Adherence to these regulations should be secured through certification procedures.

The Working Group stresses that any registrar operating within the jurisdiction of existing data protection laws and any national domain name registration procedures are subject to the existing national data protection and privacy legislation and to the control by the existing national Data Protection and Privacy Commissioners. At the same time the Working Group supports the European Commission´s efforts to strengthen the protection of personal data and privacy within a functioning Internet domain name system for the benefit of all citizens and encourages the European Commission to continue its discussion with ICANN, the US Government and all other parties.