Doesn't GDPR specifically ban handing over any PII to private 3rd parties (companies or persons) without consent? I.e., handing over Whois data to "security researchers" (What does that entail anyway, how does one get the badge? I've used basic Google search terms to find open IP cams. Am I now a security researcher?) or to "IP lawyers" (Again, what does this entail? How do they check someone is both a licensed lawyer and specialized in IP cases AND working on a case that involves those specific records?) would be illegal under GDPR afaik, no matter the processes they spin up for it. The ONLY way it can be legal is handing over the data to law enforcement ONLY with the correct court orders to demand that information. All the others will first have to prove to a court they have a legitimate case and then try to convince the court to provide the correct request for Whois data.

