Skip to main content

Data Protection and Privacy Update

Data protection privacy update 753x425 18oct17 en

There has been a lot of activity since our last update on 11 September. Here's a brief recap on where we are and a look-ahead at upcoming activities.

On 4 October we held a webinar to discuss data protection/privacy activities related to the European Union's General Data Protection Regulation (GDPR). If you missed it, we have published the presentation, audio recordings and transcripts in multiple languages, and responses to unanswered questions on our data protection/privacy page. The user story matrix can also be found on this page.

As previously communicated, we engaged the European law firm Hamilton to provide an independent legal analysis, that will be developed in phases.

We are pleased to note that the first part of the initial independent legal analysis was published [PDF, 252 KB] today, which includes an appendix with the general questions we provided to Hamilton as "food for thought" in analyzing GDPR in relation to gTLD registration data.

This first memo focuses on potentially challenging areas with existing requirements for registries and registrars to provide open, publicly available WHOIS services. It provides a general overview of key concepts in the GDPR (e.g. personal data, consent, the role of data controllers and processers and data protection authorities, etc.) and how these concepts relate to gTLD WHOIS services.

The memo highlights the complexity of these issues in the domain name space, and concludes that the current open, publicly available WHOIS services cannot remain unchanged. The WHOIS system has to become adaptable to address the GDPR from the European perspective, as well as other changing regulations around the world.

Since GDPR will likely effect how WHOIS data is displayed, it could impact our ability to maintain a single global WHOIS system. In turn, this will likely impact either ICANN's agreements or its ability to enforce contractual compliance of its agreements using a single and consistent approach. In the short term, we need to work together to understand the scope of this impact and find the right balance between maintaining the current WHOIS services and compliance with local laws.

On the engagement front we continued to interact with a range of stakeholders to raise awareness about ICANN's privacy- and data protection- related work. We participated in the annual international DPAs conference in Hong Kong, the European Commission's High Level Group on Internet Governance and the CENTR General Assembly in Brussels, where GDPR was a major topic of discussion. These events provided a further opportunity to hear many perspectives and learn about existing practices in this area.

Next up is ICANN60, which will be held in Abu Dhabi, and is just around the corner. We encourage you to attend the cross-community "General Data Protection Regulation (GDPR) Implications for ICANN" session, which is planned for Thursday, 2 November at 10:30am local time (UTC +4). Remote participation is offered if you can't be there in person.

A Look Ahead

ICANN, like many other organizations, is looking at the new regulation to see how it is relevant and determine how best to comply with the new framework with respect to the data we collect and process for internal and external services, as well as the implications for the ICANN community and its policies and procedures more widely.

As a reminder, this legal analysis is intended to serve as building block for community discussions about how to approach GDPR issues in the domain name space.

Here's where we need help from the multistakeholder community:

Please review the initial legal analysis and provide feedback. This includes identifying possible questions, and how best to interact with data protection agencies and others to get to the next step of the analysis.

It will be helpful to receive your feedback at the earliest opportunity, so as to inform the upcoming discussions at ICANN60, and to feed into future iterations of the legal analysis. Either reach out to us directly or email

For those of you traveling to Abu Dhabi, we wish you safe travels and look forward to seeing you in person. If you aren't making the trip, we hope you will participate remotely.


    Domain Name System
    Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."