The disclosure of contact details of the private .ee domain owner
The General Data Protection Regulation (GDPR), which came into force in 2018, requires the personal data of private individuals to be hidden online unless explicit consent has been provided for its publication. However, there are situations where it may be necessary to contact the owner of a .ee domain. For example, this could occur if a domain appears to have been registered by an unauthorized person or if misleading information is displayed on the associated website. How should one proceed in such cases, and under what conditions does the Estonian Internet Foundation (EIF) disclose the data of private domain owners? Let’s take a closer look.
Contact Information of the .ee Domain Owner
In line with European domain registry practices, including those in Estonia, the personal and contact data of private domain registrants are not published by default. Under GDPR, the contact information of private individuals can only be made public with the domain owner’s consent via the WHOIS database. However, such information can be disclosed to parties with a legitimate interest, provided they submit a formal, signed request.
The contact details of legal entity domain owners, on the other hand, are publicly accessible. EIF has adopted this practice based on an analysis of the Estonian Business Register, which already makes the official representatives of legal entities publicly visible. Since this information is publicly available, EIF applies a similar approach to .ee domains registered by legal entities.
To find domain and registrant information, users can use the search bar on the homepage of internet.ee. The available domain-related information is displayed there.
Disclosure of Private Domain Owner Data
Although the contact information of private .ee registrants is not publicly accessible, there are measures in place to facilitate contact. These include:
Using the “Contact Registrant” button displayed in the domain search result.
Submitting a signed request to EIF for the publication of the registrant’s contact details, supported by legal justification.
EIF evaluates each request for data disclosure through a three-step assessment. This process weighs the rights and interests of both the domain owner and the requesting party (the data inheritor). Disclosure is permitted only when the legitimate interest of the requesting party outweighs the privacy rights of the domain owner. Mere curiosity or general interest does not constitute a legitimate interest.
EIF will disclose the data of a private domain owner to a third party if the domain is identical or misleadingly similar to the third party's name, business name, or intellectual property rights (e.g., trademark, patent). For example, data disclosure might be necessary for a third party to file a claim with the Domain Disputes Committee or in court to assert ownership of a domain. A signed request must be submitted to EIF, detailing the reasons and providing supporting evidence. If the request is made by a lawyer or attorney, the appropriate authorization must also be attached.
EIF may also release data in other cases, depending on the specific circumstances. For instance, if a third party has paid for the domain registration, renewal, or web hosting, the situation may involve a substantive legal dispute, necessitating access to the domain owner's contact information. If you are uncertain about whether your interest qualifies as legitimate, please contact EIF’s lawyer at helen@internet.ee for guidance.
Misleading Information Displayed on the Website
There are instances when a .ee website presents information that a third party finds objectionable or believes violates their civil rights. Examples include unauthorized use of trademarks, registration and related operations, not for website content management. This limitation is defamatory content, or incorrect information about a person or company.
These issues do not directly concern the domain name itself. However, it may seem reasonable to request the contact details of the domain owner from EIF to address such concerns. Unfortunately, EIF collects personal data of domain owners solely for the purpose of domain explained in detail on EIF’s website.
Before approaching EIF, the third party must demonstrate that they have taken all reasonable steps to contact the domain owner, such as using the WHOIS contact form, contacting the domain registrar, or reaching out to the web service provider. If these attempts are unsuccessful, EIF can be approached as a last resort. Even then, a justified request must be submitted, explaining why access to the personal data is necessary. EIF will evaluate the request using its three-step assessment process.
In cases involving illegal content, consumer deception, or other violations punishable by law, the appropriate law enforcement agency should be contacted. EIF shares private domain owner data with entities such as the Estonian State Information System Board (RIA, CERT), the Police and Border Guard Board (PPA), and the Consumer Protection and Technical Regulatory Authority (TTJA). Data may also be disclosed to courts or other authorized entities under applicable laws.
Final Note
Each request for the disclosure of private domain owner data is evaluated individually, based on the principles outlined above. A legitimate interest and proper justification are required for obtaining such data; mere interest or curiosity is insufficient. These practices align with those of many domain registries worldwide.
For additional questions, please contact EIF’s lawyer, Helen Aaremäe-Saar, at helen@internet.ee.