
Evolving Data Privacy and Protection Regulations - UPDATE


We first shared information on the ICANN organization's activities relating to the data privacy and protection regulations prior to ICANN59 in a blog post titled "Dialogues on the Evolving Data Privacy and Protection Regulations." We'd like to take this opportunity to provide an update on developments that occurred during the meeting.

While in Johannesburg, the community had a series of discussions and sessions regarding data protection and privacy, including a session on "GDPR and its potential: looking for practical solutions." You can access the presentation and a transcript here. This session was a moderated discussion on the following topics:

  1. An introduction on the GDPR and its impact on businesses.
  2. How the GDPR affects registrants and services by registries and registrars, as well as the search for practical solutions.
  3. The potential impact on current ICANN-related work.

In addition to the community's sessions, and in relation to the dialogues with ICANN's contracted parties, an informal volunteer group was established. This group will assist in populating a matrix on the use of specific data fields in our contracts for the purposes of assessing the potential impact of the GDPR on ICANN's contracts with the registries and registrars.

This effort requires input from all pertinent parties, to ensure we are not missing critical information. To that end, members of the ad hoc group are being asked to provide their input by 15 July 2017, with the objective of putting this out for public review for 30 days shortly thereafter.

The eventual goal is to provide a comprehensive set of data including how it is used, in order to inform legal analysis, as well as to engage with data protection authorities for additional guidance or support.

The ICANN organization will continue to engage with the European community (including the European Union Article 29 Working Party), data protection agencies, and other pertinent stakeholders to gain a better understanding of the relevant aspects of GDPR and how it relates to ICANN's work and the organization's contracts with registries and registrars.

ICANN is committed to understanding the implications of evolving data protection and privacy regulations on areas within ICANN's remit. We appreciate that the GDPR may affect the ICANN organization and the domain name ecosystems in at least two areas: personal data that participants in the domain name ecosystem, including registries and registrars pursuant to ICANN contracts, collect, display, and process; and personal data that ICANN collects and processes for internal or external services.

The ICANN organization's work in this area does not replace existing policy development work, including that of the Registry Directory Service (RDS) group.

Lastly, we want to assure you that the ICANN organization will continue to work within our mission and scope and remain transparent as we work with each group to seek practical solutions, whether they affect the European realm or other jurisdictions, so that we can remain proactive where there is dialogue centered around data protection.

There will be more updates on this subject over the next few weeks and months, and we will continue to keep everyone apprised of the situation and what we're facilitating regarding GDPR. Meanwhile, we invite you to visit the new Data Protection/Privacy Issues landing page on


    Heather Malcomess  22:11 UTC on 16 July 2017

    For those who are interested, I have been doing research on data breaches for the last 2 years

    Daniel Blanco  00:36 UTC on 27 July 2017

    I am a Spanish user residing in the United States. The law must be complied with, as I have come across many pages that do not have said law.

    Volker Greimann  05:37 UTC on 17 August 2017

    First of all, it is great that ICANN is finally realizing that there is a problem with the utter disregard for data privacy of private individuals as currently mandated by its policies and contracts. However, it is worthwhile pointing out that any policy work designed to address this (and I include the RDS PDP WG) will only produce their end results and new policy recommendations in a couple of years' time, whereas legal requirements and enforcement deadlines are much more short-term. Therefore, temporary solutions that allow contracted parties to remain or come into compliance with data privacy requirements on the short term that could be superseded by ongoing policy work later would be advisable. That said, I applaud the work that is ongoing to understand and develop potential solutions to these privacy issues and hope that they will bear fruit soon.
