Skip to main content

ICANN Receives Data Protection/Privacy Guidance from Article 29 Working Party

LOS ANGELES – 12 April 2018 – The Internet Corporation for Assigned Names and Numbers ("ICANN") today announced that it has received a letter from the Article 29 Working Party (WP29) [PDF, 400 KB] that provides guidance on the European Union's General Data Protection Regulation (GDPR) and its impact on the collection, retention and publication of domain name registration data and the WHOIS system. ICANN organization’s response to the letter from the Article 29 Working Party will be published shortly here.

“We appreciate the guidance provided by the Article 29 Working Party on this important issue and have accepted an invitation to meet with the WP29 Technology Subgroup in Brussels on 23 April for further discussions,” said Göran Marby, ICANN president and CEO. “However, we are disappointed that the letter does not mention our request for a moratorium on enforcement of the law until we implement a model. Without a moratorium on enforcement, WHOIS will become fragmented and we must take steps to mitigate this issue. As such, we are studying all available remedies, including legal action in Europe to clarify our ability to continue to properly coordinate this important global information resource. We will provide more information in the coming days.”

A moratorium on enforcement action by DPAs would potentially allow for the introduction of an agreed-upon accreditation model and for the registries and registrars to implement the accreditation model in conjunction with the measures in the agreed final interim compliance model. It will also allow for reconciliation between the advice ICANN has received from its Governmental Advisory Committee (GAC) and the Article 29 Working Party. Unless there is a moratorium, we may no longer be able to give instructions to the contracted parties through our agreements to maintain WHOIS. Without resolution of these issues, the WHOIS system will become fragmented until the interim compliance model and the accreditation model are implemented.

A fragmented WHOIS would no longer employ a common framework for generic top-level domain (gTLD) registration directory services. Registries and registrars would likely implement varying levels of access to data depending on their interpretations of the law.

“In parallel, we will carefully consider this advice, along with all of the input we have received from the multistakeholder community, before making changes to the current iteration of the proposed interim model,” Marby continued. “As a part of this, we will explore all options as we continue dialogues with DPAs and the interested parties that comprise the multistakeholder community.”

It’s important to balance the right to privacy with the need for information. While ICANN recognizes the importance of the GDPR and its goal of protecting personal data, parts of the ICANN community have noted the negative impact of a fragmented WHOIS. For example, it will hinder the ability of law enforcement to get important information and the anti-spam community to help ensure the Internet protects end-users. It will also:

  • Protect the identity of criminals who may register hundreds of domain names specifically for use in cyberattacks;
  • Hamper the ability of consumer protection agencies who track the traffic patterns of illicit businesses;
  • Stymie trademark holders from protecting intellectual property; and
  • Make it significantly harder to identify fake news and impact the ability to take action against bad actors.

These are just a few examples from a long list of potentially adverse scenarios.

Marby also requested that the DPAs include ICANN in any proceedings relating to WHOIS, and asks that it be included in all discussions and actions of the privacy regulators with the other WHOIS data controllers. He also said that ICANN org is continuing its efforts to prepare for implementation of a new model. Additional information on ICANN’s data protection/privacy activities, including legal analyses, proposed compliance models, and community feedback is published here.  

We encourage the community to provide feedback and continue our dialogues on future activities. You may share your views with us via email at gdpr@icann.org.

About ICANN

ICANN’s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.


More Announcements
Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as""icann.org"" is not an IDN."