On 25 May 2018, the European Union's General Data Protection Regulation (GDPR) went into effect. In response, ICANN adopted the Temporary Specification for gTLD Registration Data (Temporary Specification) and the Interim Registration Data Policy for gTLDs (Interim Policy). This blog provides highlights of a report, which explains how GDPR has impacted ICANN organization's (org) enforcement of registrars' registration data accuracy obligations in generic top-level domains (gTLDs). For the full report click here.
ICANN's Contractual Compliance team manages the enforcement of gTLD registrars' obligations in ICANN policies and agreements. Through ICANN's 2013 Registrar Accreditation Agreement, registrars are required to take steps to ensure the accuracy of registration data associated with their sponsored gTLD domain names. This includes obligations relating to the investigation of allegations of inaccuracy, contact information verification, and data format validation.
These contractual data accuracy obligations, and ICANN org's enforcement of these obligations, have not changed in response to the GDPR. Once the law took effect, however, the volume of complaints diminished significantly because personal registration data became unavailable as a result of GDPR compliance efforts. ICANN org and potential complainants now lack direct access to much of the registrant contact information in registration data, making it much more difficult to identify instances of registration data inaccuracy or to take action to correct them.
Complaints Before GDPR
From January 2017 to May 2018, the Contractual Compliance team received a monthly average of 2,774 complaints related to the accuracy of the registration data. For this same time period, the Contractual Compliance team initiated 20,834 investigations into registration data accuracy obligations of registrars. For more information, read the full report here.
Complaints After GDPR
From June 2018 to December 2020, the Contractual Compliance team received a monthly average of 1,003 complaints.
The decrease in complaint volume occurred after the adoption of GDPR. The reasons are that ICANN org received fewer external complaints and ICANN org no longer released reports from the WHOIS Accuracy Reporting System (ARS). The percentage of complaints received which lacked evidence of noncompliance also increased.
From June 2018 to December 2020, the Contractual Compliance team initiated 4,417 investigations into registrar compliance with registration data accuracy obligations. For more information, read the full report here.
While the number of investigations initiated decreased considerably after the adoption of GDPR, the outcomes were similar to those investigations conducted prior to the GDPR taking effect. The majority of complaints resulted in the suspension of domain names, and a significant percentage of the data was corrected.
After GDPR, no formal breach notice has been issued concerning registration data accuracy obligations.
ICANN org understands the importance of access to accurate data for Internet users, including registrants, law enforcement, intellectual property owners, and cybersecurity researchers. We will continue to enforce our agreements and the community's policies concerning registration data accuracy. However, as a result of GDPR, potential complainants and the Contractual Compliance team now lack direct access to registration data. This makes it much more difficult to identify instances of registration data inaccuracy or to take action to correct them.
