Abel Torres Abel Torres
Executive Director, Center for Global Regulatory Cooperation, U.S. Chamber of Commerce
Evangelos Razis
Former Director, Center for Global Regulatory Cooperation


May 19, 2020


Europe’s top privacy regulators have insisted that the General Data Protection Regulation (GDPR)—a recently implemented data privacy standard for the EU—would not inhibit the response to the coronavirus pandemic. However, recent events show GDPR is falling short in the fight against cybercriminals looking to cash in on the crisis.

Malicious websites, disinformation, and the online sale of counterfeit goods connected to the coronavirus have surged in recent weeks, while the European Data Protection Board (EDPB)—the EU body responsible for implementing GDPR—has been inexcusably silent. The problem can be traced back to how the GDPR hobbled the Internet directory known as the WHOIS database.

The aptly named WHOIS database, maintained by ICANN, is a critical tool for discovering who is behind Internet websites. Just imagine it: having an address on the Web from which you could launch attacks, spread disinformation, or hawk counterfeit goods without having to declare who you really are. It’s a nefarious dream for those who want to cause harm or profit off others misfortune—especially during a global pandemic.

Information about the real owner of a URL is essential for law enforcement, intellectual property owners, investigators, and public safety officials combating online cybercrime and abuse. It is also a key tool of the cybersecurity community’s efforts to fight malware, botnets, and spam. As the use of digital technologies continues to grow, the WHOIS is foundational to ensuring the stability and security of the global Internet.

However, since GDPR’s passage, the ability to maintain a global “phone book” of who operates the world’s websites has been put on hold. Despite unquestionable public interest, the EU has been reluctant to give ICANN a forthright answer as to whether WHOIS is GDPR compliant. Meanwhile, the EDPB has shown little urgency to approach this matter pragmatically.

While issuing reams of COVID-19 related guidance, the EDPB remains a central obstacle to reviving the WHOIS database as a tool for combatting domain name abuse. Likewise, the European Commission has refused to take ownership of this urgent multilateral issue and work with their partners and the business community to secure reliable access to legitimate domain registration data.

Europe’s refusal to perform due diligence here and address the negative impact the GDPR is having on law enforcement’s ability to combat cybercrime has gone on far too long. The rise in COVID-19 related Internet abuses demonstrates the urgency of this matter. It’s time for the EU to stop dodging its responsibility and act now to validate the WHOIS database as a key weapon in the fight against cybercriminals.

About the authors

Abel Torres

Abel Torres

Abel Torres serves as Executive Director in the Center for Global Regulatory Cooperation (GRC) at the U.S. Chamber of Commerce.

Read more

Evangelos Razis

Evangelos Razis is former Director at the U.S. Chamber of Commerce’s Center for Global Regulatory Cooperation.