Read ICANN Blogs to stay informed of the latest policymaking activities, regional events, and more.

Evolving Data Privacy and Protection Regulations - UPDATE

13 July 2017
By Akram Atallah and

In addition to the U.N. six languages, this content is also available in


We first shared information on the ICANN organization's activities relating to the data privacy and protection regulations prior to ICANN59 in a blog post titled "Dialogues on the Evolving Data Privacy and Protection Regulations." We'd like to take this opportunity to provide an update on developments that occurred during the meeting.

While in Johannesburg, the community had a series of discussions and sessions regarding data protection and privacy, including a session on "GDPR and its potential: looking for practical solutions." You can access the presentation and a transcript here. This session was a moderated discussion on the following topics:

  1. An introduction on the GDPR and its impact on businesses.
  2. How the GDPR affects registrants and services by registries and registrars, as well as the search for practical solutions.
  3. The potential impact on current ICANN-related work.

In addition to the community's sessions, and in relation to the dialogues with ICANN's contracted parties, an informal volunteer group was established. This group will assist in populating a matrix on the use of specific data fields in our contracts for the purposes of assessing the potential impact of the GDPR on ICANN's contracts with the registries and registrars.

This effort requires input from all pertinent parties, to ensure we are not missing critical information. To that end, members of the ad hoc group are being asked to provide their input by 15 July 2017, with the objective of putting this out for public review for 30 days shortly thereafter.

The eventual goal is to provide a comprehensive set of data including how it is used, in order to inform legal analysis, as well as to engage with data protection authorities for additional guidance or support.

The ICANN organization will continue to engage with the European community (including the European Union Article 29 Working Party), data protection agencies, and other pertinent stakeholders to gain a better understanding of the relevant aspects of GDPR and how it relates to ICANN's work and the organization's contracts with registries and registrars.

ICANN is committed to understanding the implications of evolving data protection and privacy regulations on areas within ICANN's remit. We appreciate that the GDPR may affect the ICANN organization and the domain name ecosystems in at least two areas, including personal data that participants in the domain name ecosystem collect, display, and process, including registries and registrars pursuant to ICANN contracts, and personal data that ICANN collects and processes for internal or external services.

The ICANN organization's work in this area does not replace existing policy development work, including that of the Registry Directory Service (RDS) group.

Lastly, we want to assure you that the ICANN organization will continue to work within our mission and scope and remain transparent as we work with each group to seek practical solutions, whether it affects the European realm or other jurisdictions and so that we can remain proactive where there is dialogue centered around data protection.

There will be more updates on this subject over the next few weeks and months, and we will continue to keep everyone apprised on the situation and what we're facilitating regarding GDPR. Meanwhile, we invite you to visit the new Data Protection/Privacy Issues landing page on ICANN.org


Akram Atallah

Former President, Global Domains Division
Theresa Swinehart

Theresa Swinehart

SVP, Global Domains & Strategy