EU’s Recent GDPR Increases Threat From Illegal Online Pharmacies

June 21, 2018

By: Josh Andrews, Libby Baney, and Matthew Rubin, Faegre Baker Daniels Consulting

Last month, the European Union (EU) began implementation of its General Data Protection Regulation (GDPR). The regulation is sending shock waves through the internet community for the uncertainty it is creating on how domain name registrars handle personal information, as well as the ability for consumers and companies to better understand individuals responsible for operating a given website.

At issue is the collection and access to WHOIS data or Domain Name System information. Often referred to as the “white pages” of the Internet, this information is collected as websites are registered and informs users of the basic information about who runs the pages they are visiting. Just as this information exists for every brick-and-mortar facility you visit, it has existed for websites since the creation of the internet.

These records are used by law enforcement, cybersecurity investigators, copyright and trademark holders, consumers and their advocates, and others to determine who is operating a website, sending an email, or conducting business online. While the GDPR is only intended to impact natural EU citizens, the interpretation of this regulation by registries and registrars has led to an interim policy that affects all generic domain registration worldwide, potentially blocking public WHOIS access to citizens and organizations everywhere.

The loss of this information will make the identification and removal of harmful content or activity increasingly difficult. This is particularly concerning given the explosion of illegal online pharmacies. With an estimated 96% of the 35,000 active online pharmacy websites operating illegally in regard to federal and state law and relevant pharmacy practice standards, law enforcement and others must be able to utilize this information to identify bad actors, link the operators to other websites (including those that handle the financial transactions), and shut them down. Without this information (or even with limited access), those investigations will be severely hampered keeping those illegal sites up and in business even longer. Ensuring continuation of this transparency is critical as it relates to protection of public health and patient safety, especially as it pertains to online pharmacy websites distributing prescription drugs and controlled substances to consumers worldwide, where permitted.

In the last month, the Coalition for a Secure and Transparent Internet (CSTI) was formed, which NABP is a member of, to preserve and protect the availability of WHOIS data. CSTI has engaged lawmakers and Congressional staff on this issue to educate them on the direct impact and unintended consequences of the GDPR. The group is actively pursuing a legislative strategy as well as interim steps to protect consumers’ privacy by empowering them to know with whom they are conducting business.

If the internet has become our drug store, the GDPR threatens our ability to know who is behind the counter.