Data Protection and Privacy
As privacy legislation continues to evolve, ICANN has been focused on implementing policies and building systems to facilitate access to registration data related to generic top-level domains (gTLDs), while at the same time complying with the law. The ongoing goal is to strike a balance between securing individual privacy rights and maintaining the safety and security of the Internet.
Some of the key priorities are:
- To create and maintain a collaborative platform that provides visibility and clarity over ICANN org's data protection and privacy-related initiatives and projects, and allows for the formation and execution of a centralized strategy; and
- To establish a structure to aggregate information as it relates to the various data protection and privacy initiatives.
Table of Contents:
- Latest Announcements, Updates, and Blogs
- Related Correspondence
- Meetings and Work Sessions
- Government Engagement
- Legislative Initiatives
- Other Initiatives
- ICANN Organization Internal Data Protection Practices
- Resources for More Information
Latest Announcements, Updates, and Blogs
Find the latest news and information about Data Protection and Privacy here.
All correspondence related to Data Protection / Privacy issues can be found here.
Meetings and Work Sessions
All meetings related to Data Protection and Privacy issues can be found here.
ICANN org participates in a range of forums and engages with a variety of stakeholders on issues relating to ICANN's mission. The org's engagement strategy is two-pronged: 1) focusing on raising awareness, including of privacy-related aspects of ICANN's work, such as WHOIS and associated procedures; and 2) focusing on capacity development and educating local participants on Internet policymaking, technical coordination, and implementation.
ICANN org continues to meet with data protection agencies within relevant government bodies around the world to gain a better understanding of how privacy legislation, such as the General Data Protection Regulation (GDPR) in Europe and the Personal Information Protection Law (PIPL) in China, relates to the work of ICANN org and to its contracts with registries and registrars. This includes both monitoring for legislation, such as the European Union Directive on Security of Network and Information Systems (NIS2), and providing policy makers with factual information on ICANN's mission and remit. ICANN also follows developments in international law possibly affecting gTLDs, such as the negotiation and agreement of the second additional protocol to the Budapest convention.
- European Union (EU) GDPR - The GDPR was adopted by the EU on 14 April 2016 and took effect on 25 May 2018 uniformly across the EU countries. ICANN organization executives, subject matter experts from various departments, and Board members are guiding the organization's activities related to the GDPR. More information can be found here.
- EU NIS2 - The revision of the Directive on measures for a high common level of cybersecurity across the Union (NIS2) was adopted in November 2022. EU Member states will have 21 months from the entry into force of the directive in which to incorporate the provisions into their national law. The NIS2 directive imposes cybersecurity measures and cyber incident related reporting obligations to operators of essential and important entities and applies to all providers of DNS services, with the exception of root servers.
China Personal Information Protection Law (PIPL) - More information can be found here:
Council of Europe
The Second Additional Protocol to the Convention on Cybercrime and enhanced co-operation and disclosure of electronic evidence (also known as the Budapest Convention) was approved in November 2021 and opened for signature in May 2022. The protocol contains provisions related to registration data. It applies to countries and entities within those countries that have signed and ratified it.
ICANN Organization Internal Data Protection Practices
Click here for ICANN org's data protection practices related to use of the content and services available at or through any website operated by ICANN.
Resources for More Information
- FAQ on ICANN Organization's Chief Data Protection Officer Role
- ICANN's activities related to the GDPR
- Summary of ICANN Organization's Contractual Compliance Team Data Processing Activities
- European Union Data Protection website
- Registration Data
- Single Webpage for ICANN Registration Directory Services/WHOIS-Related Policies and Contract Provisions
- Registration Data Access Protocol (RDAP)
- ICANN Registration Data lookup tool that uses RDAP
- Contractual Compliance
- Developing Policy at ICANN
- Implementing Policy at ICANN
- Specific Reviews
- Board Advice