The article was published at the International Scientific Conference – Kopaonik School of Natural Law, in the official conference publication, 2022:
Abstract: In situations in which the rights of third parties have been infringed by someone’s website or by the registration of a specific domain name, one of the first steps in pursuing legal protection and setting the appropriate proceedings in motion must be determining the identity of the person purporting to be the registrant of the Internet domain which has been registered or on which the website is located. With the institution of new personal data protection laws in the EU and the Republic of Serbia, accessing data on the registrant as an individual has been made considerably more difficult and limited to only those persons with a legal basis for processing these personal data. How these rights are exercised and under what conditions, what current practice looks like, and what problems are encountered by persons seeking to exercise their rights are the subjects of analysis in this article. In addition to a brief clarification of the structure of the Internet and the legal nature of Internet domain names, there will also be an explanation of the basic institutes and principles of personal data protection, with consideration of the legal basis of lawful processing of registrant data, as well as current solutions implemented by Internet domain name registries.
Key words: personal data; intellectual property; Internet law; Internet domains; Internet
Use of the Internet and the services provided on it has never been more intense, which means in turn that violations of subjective rights and of the public interest are to a similar extent shifting from the analogue to the digital world, testing the limits of existing models and practices in the exercise of these rights and in the protection of the rights of other persons and of common interests. In order for rights to be exercised, the first step after learning of a violation is to establish the identity of the offending party. Owing to the characteristics of the Internet and its use across borders, this process is not always easy. The regulations safeguarding other human rights, such as the right to privacy, can hinder this process further, to a greater or lesser extent.
The way in which European regulations and Serbian positive law have put data protections in place leaves a great deal of the decision-making to the registries which manage Internet domains, to be governed by their internal regulations within the framework of the principles laid down by these laws. These solutions inevitably lead to differing interpretations and differing practices. Nevertheless, following the recommendations of relevant organizations that manage the structure of the Internet, these rules can to a great extent be harmonized.
MANAGING INTERNET ADDRESSES
In order for us to be able to address the issue of the responsibility of Internet domain name registrants and of establishing their identity, we first need to explain the administrative structure of the Internet and the technical and legal nature of Internet domain names.
Although the Internet is frequently said to be free by its nature and to belong to us all, nevertheless this complex system does not function by itself and has not reached the point at which its structure is automated. In view of this, Internet governance today comprises a complex set of structures and processes that to a certain extent dictate regulations and policies which relate to the Internet.
Just like the Internet itself, the system behind it is multi-layered. The “bottom layer” is the infrastructure – the physical, tangible part of the Internet, consisting of, among other things, networked computing devices. The “top layer” is what we see on the Internet, the content available on it. Of particular interest for the topic of this article is the “middle layer” of the Internet’s structure, comprising the system of IP addresses and Internet domain names and including the services of Internet providers that make Internet access possible. The administrative system within the “middle layer” itself is also complex and hierarchically ordered. The system of top-level domains is managed by Internet domain registries, to whom administrative and technical authorization to manage those domains is delegated by the organization responsible for the management of the global structure of the Internet, of the numerical designations of the protocol, and of the root DNS servers, called ICANN – the Internet Corporation for Assigned Names and Numbers.
THE LEGAL AND TECHNICAL NATURE OF INTERNET DOMAIN NAMES
The registration of Internet domain names is conducted on the basis of a contract entered into between the registrant and the registrar or registry, depending on the solution that is in place. By way of explanation, a registry is an organization that actually manages the top-level Internet domain and carries out registration of domain names, most often through registrars who sell to end users. In practice, there are situations, though rare, in which registration is carried out directly with the registry. The domain name registration agreement usually states that the registrant has acquired the right to use the registered domain name, and to do so in the manner agreed on. Registries may have various ways of formulating this type of legal relationship, but what they all have in common is that no registry will state in its terms and conditions that by registering a domain the user gains ownership of it. The relationship is a type of user agreement whereby the registrant acquires the right to use the Internet domain name for a specified period of time, which in practice is between one and ten years.
Network devices and locations communicate with one another using Internet protocols for identification. These involve numbers that function as addresses, and which they use to distinguish one another and share more detailed information about themselves. These numbers are called IP (Internet Protocol) addresses. Since people using the Internet do not function the same way as computers, having a different way of perceiving things and a different system of recognition and information retention, the use of IP addresses would be severely limiting and a major obstacle for us. For this reason, the system of Internet domain names was introduced. These are verbal or symbolic expressions of the IP address which are easier for humans to remember and connect with other information. This system of “translation” operates with the help of the Domain Name System (DNS), another system that is multi-layered and depends on the type of Internet domain name and the authority responsible for managing it. The subject matter of Internet domain name registrations is in the majority of cases an area governed by the statutes of private law. The Internet domain system is a primary Internet service that performs the translation of textual addresses into numerical ones and vice versa.
The key characteristic of the Internet domain name system is that it enforces uniqueness, meaning that within a particular address space, it is not possible to register the same domain name twice. Accordingly, the main reason behind disputes relating to domain names tends to be this aspect of uniqueness, where multiple entities involved in various types of business may have the need to register the same domain name. Disputes relating to domain name registrations can be divided into two basic groups – disputes between good-faith parties and disputes with bad-faith domain name registrants. Good-faith registrants may get into a dispute where two trademark owners want to register the disputed name as their own domain name; however, in accordance with the principle of “first come, first served” by which domain names are registered, only one will be successful. These types of disputes can also arise where one party owns the trademark while the other does not hold such rights but is using the domain in good faith. The other type of dispute is with bad-faith registrants, most commonly where someone has registered a domain name that is identical or significantly similar to someone else’s trademark in order to profit in some way by transferring this name to an interested party. Some bad-faith registrants also register these domains in order to prevent the trademark owner from registering the domain or in order to leverage the recognition factor of the trademark to attract users to their own websites.
THE WHOIS SERVICE
The Internet domain industry relies in great part on processing personal data, and with the introduction of the regulations discussed in this paper has had to undergo significant changes. Although the changes introduced by these regulations have been wide-ranging, where Internet domains are concerned their application has largely been limited to changes to the WHOIS service which is used to display data on registered domain names. In view of the considerable strictness of the regulations, the sense of even retaining WHOIS as a service has been called into question, given that the very purpose of the service is access to data and that the set of data actually available by these means has been reduced to a barely useful minimum. This issue is particularly relevant given that third parties are most often interested in data on domain names registered by individuals – cases where a legal entity is involved in rights being violated by way of a registered domain name are rare.
In order to gain a better and more thorough overview of these issues, we need to take a look at the genesis and development of and changes undergone by the service intended for access to data on registrants as made available by the registry. The WHOIS service is intended for use by interested parties wanting to learn certain information about the registrant of a domain name. Over time the functionality of this service and the way it operates have changed, which we will look at now. The service dates back to the time of the ARPANET network, when there was a need to establish contact with the operator of a domain name – these were persons who had limited time allocated for the use of computers in the given network. Over time this service turned into a directory that no longer held a limited number of system administrators in its database but hundreds of millions of domain names. On the other hand this simple, accessible-to-all system containing data on registrants and administrative contacts for domain names is very complex, especially in regard to personal data protection.
Publication of registration data is often considered a breach of privacy since it can be abused in a variety of ways. The development of regulations relating to personal data protection, primarily in Europe under the General Data Protection Regulation, has had a profound impact on the processing of personal data of domain name registrants, something of a victory for advocates of greater user privacy but somewhat a loss for investigating authorities. The use of personal data for purposes other than those for which they were collected is legally prohibited, other than in those situations stipulated by law, but in practice, we can point to numerous departures from this.
RESPONSIBILITY OF THE INTERNET DOMAIN NAME REGISTRANT AS A REASON FOR SEEKING TO ESTABLISH THEIR IDENTITY
Building a virtual identity and an Internet presence, on the part of both individuals and legal entities, has long ceased to be a new and upcoming trend and has become standard practice, a real need, and a precondition for the development of business projects and a prerequisite for business success. On the other hand, the public interest and the subjective rights of other persons are frequently violated in the course of online activity, advertising, presentation of one’s business, or all kinds of content publication. Accordingly, in order to pursue their rights, injured parties or representatives of the public interest need to trace the entity behind the particular act, or in whose name the injury has been caused.
Where users of major platforms such as Facebook or YouTube are concerned, identification of users or requests for removal of content or closure of accounts must be done via those platforms or with their assistance. Unlike these users, the registrants of Internet domain names and persons who control the websites situated on these domains are directly responsible for violations of rights incurred by the registration itself or through the publication of content. However, despite this direct responsibility, there is still the organization that manages Internet domain names, whose rules registrants must accept when registering them, which stands between the person wishing to exercise a right or make a claim and the registrant, website owner, or, for example, the person renting the hosting service on which the website has been set up.
THE EU GENERAL DATA PROTECTION REGULATION AND THE REPUBLIC OF SERBIA PERSONAL DATA PROTECTION ACT
Until recently, the way registrant data was accessed was that the interested party would simply enter the Internet domain name into the WHOIS service and get information on the registrant, their contact, and the administrative and technical contacts appointed for the particular Internet domain name. Access to this information was only partially limited in the event that the registrant had activated a special “WHOIS privacy” service for which they paid an additional fee. In all other cases, data on the registrant was easily accessed by interested parties. However, since the new regulations entered into force in the EU and in many other countries seeking to more rigorously protect personal data, access to this information has no longer been possible by these simple means, which has led to a great many problems in practice, both to the organizations managing Internet domain names and to interested third parties.
The entry into force of the EU’s General Data Protection Regulation (hereinafter: the Regulation or GDPR), as well as the Serbian Personal Data Protection Act (hereinafter: ZZPL) which has taken on the provisions of the GDPR, has presented a challenge to many practices relating to personal data processing which until then had functioned smoothly, and has resulted in their re-examination and limitation or abolition.
Some of the objectives of the Regulation are to significantly protect personal data and make their processing more transparent, reduce it to the minimum necessary amount, and limit it to those cases where there is a legitimate and lawful basis. These objectives are promoted through principles that are applied directly to the data controller and the data processor.
Before we enter into an analysis of the legality of processing the personal data of registrants on the part of registries, it is important to differentiate between two types of processing, that is, two different purposes for which this processing is performed. The first is processing performed for the purpose of registration of the domain itself and determining the identity of the registrant, making it possible to establish contact with the registrant and control over the leased Internet domain name. The second purpose is processing which concerns the release of data to an interested third party at their request, which we will discuss further below.
It is important to note that the GDPR is only applicable to the personal data of natural persons, not legal entities, and in practice, the changes only relate to those Internet domain names registered by natural persons. However, in the course of domain name registration, data on the registration of a particular domain name registered to a legal entity may also comprise personal data, and thus a strict line is very hard to draw. For example, registration data for a domain registered to a company will comprise data on the company as registrant, but may also comprise data on the individual designated as the technical or administrative contact.
Categories of registrant personal data processed by registries
The range of data processed significantly differs from registry to registry. However, with the enactment of the General Data Protection Regulation, this range of data has been synchronized at the European Union level, and now, for example, almost no registry processes data by requiring copies of identification documents. However, on other continents such as Asia or Africa, the practice is quite different, and registries there can even retain copies of personal identification documents in their databases. As regards the Serbian registry, the data collected from individuals are as follows: name and surname, address of residence, email address, and telephone number. These data are not made publicly available but are kept in the registry’s database in order to exercise the terms of the contractual relationship relating to the domain name registration.
Processing of registrant personal data by registries and at the request of third parties
In practice, a range of situations may arise in which there is some private or public interest for registrant’s personal data to be processed. A request may be filed by a state authority or body possessing public authorizations, aimed at collecting evidence in order to discover the perpetrator of some crime or misdemeanor, or for protection of the public interest in general. The interest in learning the identity of the registrant may also be expressed in terms of the need to protect someone’s subjective rights. In such a case the applicant may be a natural person or legal entity who does not have public authority. The purpose of such applications is very often in order to file civil proceedings and other proceedings before a court of law, the public prosecutor, or an administrative body.
Thus data processing can be conducted in order to act on the request of a third party approaching the registry responsible for the management of Internet domain names in order for the latter to supply information on the identity and contact details of a registrant of a domain. For both types of processing, there must be an appropriate legal basis for processing to be lawfully conducted.
Processing of registrant personal data may also be conducted internally, by the registry itself, for the purpose of providing registration services, without any application by a third party and with no supply of data to a third party for their inspection or use.
The principle of lawfulness and legal grounds for the processing of registrant personal data
One of the basic principles of the Regulation and the ZZPL is that of lawfulness (lawfulness, fairness, and transparency), and processing is lawful only if one of the following conditions has been met:
(1) the data subject has consented to processing of their personal data;
(2) processing is necessary for the performance of a contract where the data subject is a contracting party;
(3) the need for compliance with the legal obligations of the controller intending to perform processing (e.g. legally required processing);
(4) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(5) the necessity of processing with the aim of carrying out tasks in the public interest or executing the official powers of the controller;
(6) processing is necessary with the aim of realizing the legitimate interests of the controllers or of a third party, except where the personal data protection interests and rights of the data subject prevail over such interests.
The necessity of processing for the purposes of performance of the contract entered into with the registrant as the legal basis for processing. – Processing carried out for the purposes of registering an Internet domain name and proper maintenance of the registry is based on the need for performance of contractual obligations between the registry and the registrant, where the rights and obligations of each are laid out in detail in the terms and conditions of service to which the registrant agreed when carrying out the registration. This type of processing is thus not done on request but rather by registries for the purposes of provision of services, beginning from the moment of registration of the Internet domain name.
The necessity of processing for the purpose of performing tasks in the public interest or exercising the legally mandated authorities of the processor as the basis for processing. – In situations in which a need to process personal data arises on the part of a third party who is not conducting processing on the basis of the performance of contractual obligations, this person must actively seek a legitimate legal basis to justify his or her right to process these personal data, since he or she is not a party to the contractual relationship between registry and registrant. If the entity requesting the information is a state authority with official authorization, such an entity will ground its legal basis in the necessity of processing based on the right of the controller to discharge his/her official authorizations, i.e., where “processing is necessary with the aim of carrying out of tasks in the public interest or executing the legally prescribed powers of the controllers”.
The necessity of the controller discharging their legal obligations as the basis for processing. – This basis relates to situations in which a specific law or delegated legislation requires the controller to process the personal data in question. In practice, this happens in situations where registries need to bill registration services and issue receipts and are required to process these data in accordance with the law. This basis should not be confused with that relating to the need for the performance of contractual obligations, even though there is a certain amount of overlap between the categories of data processed on both grounds. Specifically, the registry processes those data required by law which must be displayed on bills for services rendered. Most of these data are also needed for the proper provision of the service. The result is that the same personal data may be processed for two different purposes and on two different legal grounds. When one legal basis terminates and the purpose ceases to exist (e.g. registration ends), the need for the provision of services as a basis for processing of certain data may no longer be used as a reason for processing, but processing may continue on other grounds – the necessity of discharging the controller’s legal obligations – for as long as the law requires the related invoices and accounting records to be kept.
The consent of the registrant is a legal basis for processing. – There is no legal obstacle to the consent of the registrant being used as the grounds for processing personal data. However, since consent must be voluntary, specific, informed, and unambiguous, we may conclude that this legal basis is not particularly applicable in practice. Since the reason for filing data processing requests and/or supplying data on the registrant is in the majority of cases a violation of rights, one can scarcely expect the registrant to permit the registry to supply their data to a third party. Regardless, some registries, in those situations when they receive an application for information on the identity of a registrant, first contact the latter requesting consent or refusal for these data to be provided to the third party. Only once the registrant has declined do they move on to assessing whether there are other grounds on which data may be provided to the third party. In practice, this may entail very lengthy procedures with some registries, especially when the organization in question resides in a completely different legal jurisdiction to that of the one requesting the data.
The necessity of protecting the vital interests of the registrant or of another natural person as the basis for processing. – Although the possibility of filing a request for the processing of personal data of a registrant on these grounds can be quite legitimately considered, it is doubtful to what extent it is applicable in practice. It boils down to certain situations when somebody’s vital interests depend on the registration of an Internet domain name or the content published on such an Internet domain. However, in this situation too, a state authority applying for such processing might just as well file such an application using its official authorization as its legal basis, while a private entity can always call upon its legitimate interest as the basis for the processing of personal data.
The necessity of processing for the purposes of exercising the legitimate interests of the controller or a third party as the basis for processing. – If the entity seeking access to the personal data of the registrant is a private subject – a legal entity or natural person – one of the most straightforward grounds that may be applied in this situation is that of legitimate interest.
The ZZPL defines legitimate interest as a basis for processing as follows: “Processing is lawful, inter alia, where it is necessary for the aim of pursuing the legitimate interests of the controllers or of a third party, except where the interests or the fundamental rights and freedoms of the data subject for which personal data processing is required prevail over such interests, and in particular where the data subject is an underage person.”
The legal definition begs the question as to what is meant by “legitimate interests of the controllers or of a third party”. Further analysis of this legal provision prompts one to ask how a boundary is to be drawn where legitimate interest ends and the private interest of the data subject begins. This question, and the question of whose interests should prevail (those of the controller or of the data subject) and in which situations processing may be deemed essential, can only be answered in terms of the legal norms thus formulated if we break down and analyze each of its elements.
Three elements of the definition relating to legitimate interest may be discerned in the legal regulation, or rather three conditions that need to be met in order for processing on these grounds to be in harmony with the principle of lawfulness. Firstly there is the necessity of processing, secondly, there is the existence of a purpose expressed in the legitimate interests of the controller or third party, and the third condition that must be met is that the legitimate interests of the controller or third party must prevail over the interests of the individual to whom the data relates.
If we go by these separate elements of the legal definition, assessment of the existence of a legitimate interest and determination of the lawfulness of processing may be conceived as a three-part test, that is the facts relating to the specific processing request may be placed in the context of the three stated conditions. This three-part test consists of the following tests: test for verifying the existence of legitimate interest (test of purpose), test of necessity, and test of balance.
Thus when the registry managing the Internet domain name receives a request for data on a registrant they must take into consideration all three elements of this definition before deciding whether legitimate interest is applicable as grounds for processing the personal data.
As part of the test of necessity, they must verify whether the processing in question (releasing registrant data) is the only way to achieve the purpose of the person requesting the information and whether the same purpose might be achieved using other or fewer data, i.e. whether there is some form of processing which would intrude on the privacy of the registrant to a lesser degree. Only once it has been established that this processing is necessary in order for the exercise of the rights of the person requesting it may the test of necessity be deemed passed.
Next, it is necessary to test for the presence of an interest on the part of the party wishing to perform the processing or of a third party – the test of purpose. They need to define what is hoped to be achieved by receiving the requested information. Whose interests will be protected and who will benefit from approval to see personal data, if it is given? After considering the purpose that is hoped to be achieved and evaluating the justification for this purpose, the registry decides whether or not to approve the disclosure of the data. In order to give this question due consideration it is important to also determine who benefits from disclosure/processing of the information. Is it one person, multiple people, or the broader community? Will the intended processing protect the subjective rights of one person or of the wider public, that is, the public interest? The result of this test depends on the answers to these questions. The greater the benefit from processing, and the more people there are who would benefit from the processing, the greater the chance that the test will deem the purpose to be justified.
Finally, under the test of balance, it is important to compare the interests of the person requesting the information and those of the registrant and to determine whose rights prevail. Does the interest fall on the side of the request for processing or on that of the registrant’s privacy? We can also phrase it thus: Would the proposed processing infringe on some right or personal asset of the registrant? For example, an Internet domain name can say a lot about the registrant themselves, their interests, their orientation, or their business or private goals, and thus processing these personal data, in combination with identifying data such as name and surname can indirectly give rise to processing of sensitive personal data such as religious or political affiliation, sexual orientation, etc. This is why such circumstances must also be taken into account when attempting to resolve the test of balance in assessing legitimate interest.
In addition to the presented three-part test, the registry may consider a range of other circumstances, either as part of the tests or separately, and request evidence and authorizations in order to collect as much information as possible on which to base a decision regarding the request.
EXISTING SOLUTIONS AND CURRENT PRACTICE
Solutions and practice of the Serbian National Internet Domain Name Registry (RNIDS)
The national registry which administers the .rs Internet domain, following changes to European and national regulations concerning personal data protection, in 2018 amended its General Terms for the registration of .rs Internet domains, stipulating the following: “RNIDS may allow relevant authorities, other entities and agencies access to information from the Registry collected by RNIDS in accordance with these General Terms, including data for which protection from public exposure has been activated if they have the right to access this information under the applicable regulations of the Republic of Serbia. Information required for the initiation and conduct of court proceedings or alternative dispute resolution proceedings connected with a domain name, including information for which protection from public disclosure has been activated, shall be supplied by RNIDS on official request by the relevant court or alternative dispute resolution body.”
As regards additional protection from public disclosure, the same document states that if a third party files a request for supply of information on a domain name for which protection from public disclosure has been activated, RNIDS shall request that the registrant respond within 15 days regarding consent to supply the requested information to the applicant. If the registrant is in agreement, RNIDS shall supply the requested data for the given domain name to the person making the request, and shall also forward correspondence submitted to RNIDS for that purpose by a third party to the contacts for the domain via e-mail.
Current comparative solutions and policies
If a third party is interested in information on the identity of an Internet domain name registrant, they must seek it solely via the registry that administers that type of Internet domain name or via accredited registrars who have access to such data and authorization to disclose this information. The Serbian registry stores data on registrants in its database, both individuals and legal entities. However, for individuals no identifying data is publicly available and if those data are needed by any person or agency they can be requested from the registry. The Registry will allow relevant authorities, other entities, and agencies access to data from its database collected in accordance with its General Terms provided these entities have the right to access this information under the applicable regulations of the Republic of Serbia. Also, data required for the initiation and conduct of relevant disputes regarding domain names will be provided by RNIDS in response to a request received through official channels from the relevant court or alternative dispute resolution body.
The practice of the Serbian registry is to provide the required data on natural persons in response to a properly filed request by local attorneys. The registry has based this practice on the local Legal Profession Act according to which an attorney has the right to request information that they require in order to provide legal counsel and to receive it in a timely manner, from state bodies, companies, and other organizations, as well as documents and evidence held or controlled by them.
However, the practice of ICANN and other registries varies in regard to this issue. Legal frameworks differ significantly from country to country and it would be difficult to adopt a stance regarding the optimal solution. For example, ICANN can disclose data on individuals at the request of a state agency if they are being collected for legally prescribed purposes. The Netherlands registry, SIDN, has adopted a similar stance, and data can be obtained from this registry’s database by competent authorities and by the user/registrant themselves. As regards the question of misuse of domain names, registries have their own procedures for addressing these issues. The Montenegrin registry has somewhat different rules – this registry is managed by an international company operating in the domain industry and so the way it operates and its rules are most probably defined at the global level. This registry no longer publishes data on individuals in the WHOIS service, an approach based on the General Data Protection Regulation. In addition to standard provisions relating to the list of entities to which this registry may disclose data from the database, its General Terms also contain the provision that it will cooperate with the competent authorities of Montenegro as well as with private persons in cases where the registry deems it necessary for the purpose of protecting rights and property.
As regards the disclosure of personal data to third parties, the British registry provides very clear and specific guidelines on who can expect to receive these data if they request them. They state that data can be requested by trademark owners for the purpose of conducting disputes in relation to domain name registrations. Additionally, data can be requested by lawyers representing clients whose intellectual property rights have been infringed by the actions of the registrant. Data will also be disclosed at the request of competent state authorities. As previously stated, registries have significantly changed their practices and rules since the General Data Protection Regulation came into force, and personal data are no longer made available via the WHOIS service. In this regard, there are few variations and practice here is largely uniform. However, rules pertaining to whom data on users may be disclosed vary significantly. Some limit the disclosure of data solely to competent authorities, while others allow for the possibility of data also being supplied to trademark owners and their legal representatives if they can prove suitable legal interest.
A problem in practice
One of the problems that come up in practice is that domain name registries do not always have correct data on their users. These are entities that in most cases do not verify data by comparing them with those in personal identification documents, and without this, there can be no guarantee that data is accurate. Additionally, the registries of generic domain names (.com, .net, etc.) refuse to disclose these data even if they are in possession of them. These registries are often major international corporations, which is not the case where national registries are concerned (.rs, .de, etc.).
As we have seen, registries, whether national or generic, base their course of action on the need of the trademark owner for protection of certain of their rights, whilst respecting the limitations imposed by regulations governing personal data protection. We have seen that practices vary in terms of whether data are disclosed to parties and their legal representatives or only to competent authorities. However, what all these registries have in common is that the legal assistance for which the data are being requested must be directed towards specific protection of the rights of a particular person. In our opinion this approach by registries is entirely proper since regulations governing personal data protection stipulate, inter alia, that processing must be done in accordance with the principles of the Law and of the GDPR. Firstly, processing must be lawful and based on appropriate legal grounds such as legitimate interest or the right to execute official authorizations (the principle of lawfulness). It also must be in proportion to the purpose, that is, reduced to the necessary minimum, whereby respect is ensured for the principle of “limitation relating to the purposes of processing” and the principle of “data minimization”.
In any case, the action of competent registries is very much a balancing act, weighing the rights and interests of the parties requesting information on registrants against the rights and interests of registrants through the establishment of good practices and procedures, whether based on guidelines received from umbrella organizations such as ICANN or on practices that have proven most appropriate in the experience of other registries. Registry policies and regulations need to reconcile the protection of user rights by preventing the disproportionate processing of personal data with the need, on the other hand, not to close their system to the extent that the subject whose rights have been infringed on cannot pursue appropriate legal protection.
Dr. DEJAN ĐUKIĆ
CEO at Serbian National Internet Domain Registry
Attorney at law
Popović D; Jovanović M; Pravo interneta – odabrane teme, Pravni fakultet Univerziteta u Beogradu, 2017.
Popović D; Registracija naziva internet domena i pravo žiga, Pravni fakultet univerziteta u Beogradu, 2014.
Milić D; Legitimni interes kao osnov obrade podataka o ličnosti, Zaštita podataka o ličnosti u Srbiji – zbornik radova, Institut za uporedno pravo, 2020.
Đukić D; GDPR kao pretnja po WHOIS kakav poznajemo, https://www.domen.rs/sr-latn/gdpr-kao-pretnja-po-whois-kakav-poznajemo
Đukić D; Zaštita podataka o ličnosti sa osvrtom na novo zakonodavstvo evropske unije u ovoj oblasti, Pravni zapisi.
Crocker S; A Framework for Expressing Registration Data Directory Services (nee WHOIS) Rules, Edgemoon Research Institute.
General Data Protection Regulation (EU) 2016/679.
Zakon o zaštiti podataka o ličnosti, Sl. glasnik RS, br. 87/2018.
Opšti uslovi o registraciji naziva nacionalnih internet domena
Zakon o advokaturi, Sl. glasnik RS, br. 31/2011 i 24/2012 – odluka US
General Terms and Conditions for .nl Registrations, https://www.sidn.nl/downloads/d_7zdiiDQvOGbSo1FGCcqw/f57718560799beca227a665e615e0b85/General_Terms_and_Conditions_for_nl_Registrants.pdf
Nominet Privacy Notice, https://www.nominet.uk/privacy-notice/releasing-your-personal-data-to-third-parties/
 Dušan Popović, Marko Jovanović, Pravo i internet – odabrane teme, University of Belgrade Faculty of Law, 2017, 11.
 Link to the organisation’s website: https://www.icann.org/
 Popović, Jovanović, 11.
 Dušan Popović, Registracija naziva internet domena i pravo žiga, Belgrade University Faculty of Law, 2014, 81-82.
 Dejan Đukić, GDPR kao pretnja po WHOIS kakav poznajemo [GDPR as a threat to WHOIS as we know it], https://www.domen.rs/sr-latn/gdpr-kao-pretnja-po-whois-kakav-poznajemo, 30th August 2022.
 This was the first computer network, read more here: https://raf.edu.rs/citaliste/internet/3623-istorijski-razvoj-interneta-i-racunarskih-mreza, 22nd September 2022
 Steven Crocker, A Framework for Expressing Registration Data Directory Services (nee WHOIS) Rules, Edgemoon Research Institute, 3.
 Ibidem, 6.
 Dejan Đukić, Zaštita podataka o ličnosti sa osvrtom na novo zakonodavstvo evropske unije u ovoj oblasti, Pravni zapisi, 2017, 52.
 General Data Protection Regulation (EU) 2016/679.
 Personal Data Protection Act (Official Gazette of the Republic of Serbia no. 87/2018).
 Ibidem. art. 1
 Article 6 of the General Terms and Conditions for National Domain Name Registration
Article 12 Personal Data Protection Act (Official Gazette of the Republic of Serbia no. 87/2018).
 Ibidem. Article 4
 ZZPL, Article 12
 Dragan Milić, Legitimni interes kao osnov obrade podataka o ličnosti, Zaštita podataka o ličnosti u Srbiji – zbornik radova, Institut za uporedno pravo, 2020, 49.
 D. Milić, op. cit. 52.
 For example some registries, seeking a minimalist approach, implement a solution along precisely those lines, and the person requesting data on a registrant is provided with a solution which is less intrusive on the privacy of the registrant. A special contact form enables the interested party to send a message to the registrant without the identity and email address of the registrant being disclosed to them.
General Terms and Conditions for National Domain Name Registration, https://www.rnids.rs/registar_dokumenata/2018_12_15-opsti-uslovi-registracije-domena.pdf, 25/09/2022.
Article 14 of the General Terms and Conditions for National Domain Name Registration.
 Article 36 of the Legal Profession Act, Official Gazette of the Republic of Serbia, no. 31/2011 and 24/2012 – Constitutional Court decision.
 General Terms and Conditions for .nl Registrations, 2.3., https://www.sidn.nl/downloads/d_7zdiiDQvOGbSo1FGCcqw/f57718560799beca227a665e615e0b85/General_Terms_and_Conditions_for_nl_Registrants.pdf, 5th September 2022
 Nominet Privacy Notice, https://www.nominet.uk/privacy-notice/releasing-your-personal-data-to-third-parties/, 5th September 2022
 One example of such a company is Verisign, https://www.verisign.com/en_US/company-information/index.xhtml, 10th September 2022
Personal Data Protection Act, Official Gazette of the Republic of Serbia no. 87/2018, Article 5.