Statement from Contractual Compliance
At ICANN60, many community members expressed concerns regarding the ability of registries and registrars to comply with their WHOIS and other contractual requirements related to domain name registration data in light of the European Union's General Data Protection Regulation (GDPR). The contracted parties in particular noted the importance of identifying means to comply with their contractual obligations without running afoul of the GDPR which, beginning 25 May 2018, will include significant monetary penalties for noncompliance. They also indicated that they must begin now with the process of developing, testing and implementing any new solutions that may be necessary if they are to come into compliance with the GDPR by 25 May 2018. Finally, they expressed concern that ICANN Contractual Compliance might find them in breach of their existing contractual requirements related to registration data before clear solutions emerge.
As discussed at ICANN60, the extent of the impact of the GDPR on WHOIS and other contractual requirements related to domain name registration data is uncertain. The ICANN Board, org and community are engaged in multiple efforts to assess the impact of the GDPR on registry and registrar obligations in ICANN agreements and policies, and we continue to work with the Hamilton law firm to understand this impact. At this point, we know that the GDPR will have an impact on open, publicly available WHOIS. We have no indication that abandoning existing WHOIS requirements is necessary to comply with the GDPR, but we don't know the extent to which personal domain registration data of residents of the European Union should continue to be publicly available. At the same time, we understand that registries and registrars are developing their own models for handling registration data that they believe will comply with the GDPR. We've heard some of these ideas as we've been engaging and we'd like to understand the details so that we can submit the various models to the Hamilton law firm for further analysis.
During this period of uncertainty, and under the conditions noted below, ICANN Contractual Compliance will defer taking action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data. To be eligible, a contracted party that intends to deviate from its existing obligations must share its model with ICANN Contractual Compliance and the Global Domains Division. To the extent that the party requests confidential treatment, ICANN will remove any identifying information and share only the elements of the model with the Hamilton law firm for the purpose of legal analysis against the requirements of the GDPR. The model should reflect a reasonable accommodation of existing contractual obligations and the GDPR and should be accompanied by an analysis explaining how the model reconciles the two. For clarity, Contractual Compliance would not defer enforcement if, for example, a contracted party submitted a model under which it abandoned its WHOIS obligations. In addition, a model that satisfies the conditions noted here might also require compliance with other contractual obligations or consensus policies, e.g., the Registry Services Evaluation Policy (RSEP). A model may also require further modifications if it is later determined not to comply either with the GDPR or any future community-developed policy.