Data Protection/Privacy Issues

Data privacy and data protection regulations are currently undergoing developments that may impact specific areas of the ICANN organization's work. This page contains a current listing of ongoing projects at the ICANN organization related to data protection and privacy matters, and is intended to provide easy access to this information.

GNSO Policy Development Processes and Implementation

The Generic Names Supporting Organization (GNSO) has ongoing policy development processes related to data protection and privacy matters. Refer to the GNSO active projects list for more information.

WHOIS Conflicts Procedure

Additionally, in response to a GNSO Council request, the ICANN organization has commenced an assessment of the revised ICANN Procedure for Handling WHOIS Conflicts with Privacy Law, which was made effective on 18 April 2017.

European Union General Data Protection Regulation

The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) on 14 April 2016 and takes effect on 25 May 2018 uniformly across the EU countries. According to the European Commission, the aim of the GDPR is to protect all EU citizens and residents from privacy and data breaches. It applies to all companies processing and holding the personal data of subjects residing in the European Union, regardless of the company's location. More information is available here.

The ICANN organization executives, subject matter experts from various departments, and Board members are guiding the organization's activities related to the GDPR.

Contractual Compliance with Registry and Registrar Agreements

The ICANN organization is investigating whether there are potential compliance issues under its agreements with registries and registrars because of the GDPR. The ICANN organization is working with contracted parties and various stakeholders to understand these potential compliance issues.

Engagement Activities Related to GDPR

The ICANN organization engages in a range of forums and with a range of stakeholders on issues relating to ICANN's mission, including privacy and law enforcement, and the interdependent issues. The ICANN organization's engagement strategy can be described as involving: 1) awareness, including privacy-related aspects of ICANN's work such as WHOIS and associated procedures; and 2) educational awareness and capacity building on policy development, technical coordination and their implementation. ICANN will continue to engage with the European community (including the European Data Protection Board), data protection agencies, and other relevant stakeholders to gain a better understanding of the relevant aspects of GDPR related to the work of the ICANN organization and its contracts with registries and registrars.

Refer to the following information for additional details about this work:

Latest Announcements, Updates & Blogs

18 October 2017 Blog: Data Protection and Privacy Update
18 October 2017 GDPR Memorandum – Part 1 (Hamilton) [PDF, 253 KB]
27 September 2017 Announcement: ICANN Webinar: Data Protection/Privacy Activities
11 September 2017 Data Protection and Privacy: Progress Update and Next Steps
25 July 2017 Personal Data "Use" Matrix Now Available for Public Review
24 July 2017 gTLD Registration Dataflow Matrix and Information
13 July 2017 Evolving Data Privacy and Protection Regulations - UPDATE
22 June 2017 Dialogues on the Evolving Data Privacy and Protection Regulations


13 October 2017 Letter from Paul Diaz and Graeme Bunton to Göran Marby regarding General Data Protection Regulation (GDPR) Concerns [PDF, 69.1 KB]
10 October 2017 Letter from Jean-Jacques Sahel to Elena Plexida regarding Fact-finding exercise on GDPR [PDF, 361 KB]
2 October 2017 Letter from Greg Shatan to Theresa Swinehart and Akram Atallah regarding GDPR Ad-Hoc Working Group [PDF, 717 KB]
22 September 2017 Letter from Göran Marby in Response to Andrew Mack's 31 August Letter [PDF, 168 KB]
12 September 2017 Letters from Göran Marby to various Data Protection Authorities (DPAs) regarding General Data Protection Regulation (GDPR) and the Domain Name System
31 August 2017 Letter from Andrew Mack to Steve Crocker and Göran Marby regarding GDPR Compliance, WHOIS, and ICANN's GDPR Compliance Task Force [PDF, 58 KB]

Meetings & Work Sessions

4 October 2017 ICANN Webinar: Data Protection/Privacy Activities
6 July 2017 GDPR informal ad hoc volunteers dataflow matrix discussion
29 June 2017 ICANN59: GDPR and its Potential Impact: Looking for Practical Solutions
28 June 2017 GDPR informal ad hoc volunteers kick-off meeting [PDF, 151 KB]
13 March 2017 ICANN58: Cross-Community Discussion with Data Protection Commissioners

Additional Resources & Related Links

European Union GDPR website

