Read ICANN Blogs to stay informed of the latest policymaking activities, regional events, and more.

Dialogues on the Evolving Data Privacy and Protection Regulations

22 June 2017
By Akram Atallah and

In addition to the ICANN Languages, this content is also available in

Data privacy and data protection regulations are currently undergoing developments that may impact specific areas of ICANN's work. In the past few months, we've had several discussions with the multistakeholder community about this topic. These dialogues took place in a few different forums, including ICANN58 in Copenhagen and at the Global Domains Division (GDD) Industry Summit held last month in Madrid.

Most of these discussions have been focused on the General Data Protection Regulation (GDPR), which was approved by the European Union (EU) Parliament and takes effect on 25 May 2018 uniformly across all EU countries. The GDPR is intended to protect all EU citizens and residents from privacy and data breaches. Further discussions with the community are needed on this topic, including determining what is within the ICANN organization's remit.

ICANN has an obligation to adhere to existing policy as developed by the community. This includes policies that may be impacted by these regulations, which will require dialogue with the community regarding how best to comply with these regulation changes. The new regulation may have effects relevant to ICANN and the domain name ecosystem in at least two areas: (1) personal data that participants in the domain name ecosystem collect, display and process, including registries and registrars pursuant to ICANN contracts; and (2) personal data that ICANN collects and processes for internal or external services.

There are a several activities that we are undertaking to help prepare contracted parties and the ICANN organization for new requirements in the GDPR, prior to the effective date.

Here's a brief update on our activities.

At the direction of ICANN president and CEO Göran Marby, we formed an internal GDPR Task Force comprised of senior leaders and subject matter experts to focus on this important matter. This team is focused on parallel tracks: contracted parties and engagement, and the ICANN organization. In relation to the latter, an internal review of our operations is currently underway.

In relation to the contracted parties and engagement, the GDD team is working with the Registries and Registrar Stakeholder Groups to understand potential issues, to ensure they maintain compliance with relevant applicable law. To be clear, this effort is related to compliance with ICANN's contracts; it is not a policy development process, nor does it replace the RDS working group.

We want to reiterate that the ICANN organization has always either expressed or implied in its agreements that contracted parties must comply with applicable laws.

It is also important to note that our work with ICANN contracted parties doesn't replace the multistakeholder policy development and implementation activities that are underway. These include efforts to enhance privacy and proxy services available to registrants, updates to ICANN's Procedure for Handling WHOIS Conflicts with Privacy Law, and activities such as developing a new policy framework to support a potential next-generation registration directory services to replace WHOIS.

Similarly, our work with the community will not change our adherence to existing policies developed by the community, and adopted and implemented at the direction of the Board.

Moreover, we continue to engage with the European community (including the European Union Article 29 Working Party), data protection agencies, and other pertinent stakeholders to gain a better understanding of the relevant aspects of GDPR related to the work of ICANN and ICANN's contracts with registries and registrars. This engagement includes other constituencies such as law enforcement, the intellectual property community and others to gain a better understanding of their views.

This topic is also on the agenda at the upcoming ICANN59 meeting in Johannesburg, including at the ccNSO's GDPR session on Tuesday, 27 June. While there, we will be updating the community on our current plans and GDD's collaborative efforts with contracted parties.

In relation to the ICANN organization, ICANN is reviewing our processes around potentially impacted data and updating any procedures as needed.

Protecting data privacy and ensuring compliance with local regulations are of the utmost concern to the ICANN Board and organization. While much of the work we are doing now is being driven by changes set forth in the GDPR, this information will also be useful for potential developments in other jurisdictions.

As a member of the domain name industry, it is essential for us to understand how data privacy and protection regulations may impact the global domain name marketplace – from governance, to stakeholders, to contracted parties. It is also important that we're engaging with all stakeholders including contracted parties, law enforcement, the intellectual property community and others.

The ICANN Board and organization will continue to engage in discussions on this important topic. We encourage you to actively contribute to these discussions by sharing your expertise and views about marketplace changes due to new regulations.

We'll continue to engage and provide an update in the next few weeks. Meanwhile, whether you are traveling to Johannesburg or not, we urge you to join the ICANN59 cross-community discussions on GDPR either in person or via remote participation.


Akram Atallah

Former President, Global Domains Division
Theresa Swinehart

Theresa Swinehart

SVP, Global Domains & Strategy