Skip to main content

Statement from Contractual Compliance

ARCHIVE - This statement is obsolete as of 17 May 2018 due to the adoption of the Temporary Specification for gTLD Registration Data by the ICANN Board.

At ICANN60, many community members expressed concerns regarding the ability of registries and registrars to comply with their WHOIS and other contractual requirements related to domain name registration data in light of the European Union's General Data Protection Regulation (GDPR). The contracted parties in particular noted the importance of identifying means to comply with their contractual obligations without running afoul of the GDPR which, beginning 25 May 2018, will include significant monetary penalties for noncompliance. They also indicated that they must begin now with the process of developing, testing and implementing any new solutions that may be necessary if they are to come into compliance with the GDPR by 25 May 2018. Finally, they expressed concern that ICANN Contractual Compliance might find them in breach of their existing contractual requirements related to registration data before clear solutions emerge.

As discussed at ICANN60, the extent of the impact of the GDPR on WHOIS and other contractual requirements related to domain name registration data is uncertain. The ICANN Board, org and community are engaged in multiple efforts to assess the impact of the GDPR on registry and registrar obligations in ICANN agreements and policies, and we continue to work with the Hamilton law firm to understand this impact. At this point, we know that the GDPR will have an impact on open, publicly available WHOIS. We have no indication that abandoning existing WHOIS requirements is necessary to comply with the GDPR, but we don't know the extent to which personal domain registration data of residents of the European Union should continue to be publicly available. At the same time, we understand that registries and registrars are developing their own models for handling registration data that they believe will comply with the GDPR. We've heard some of these ideas as we've been engaging and we'd like to understand the details so that we can submit the various models to the Hamilton law firm for further analysis.

During this period of uncertainty, and under the conditions noted below, ICANN Contractual Compliance will defer taking action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data. To be eligible, a contracted party that intends to deviate from its existing obligations must share its model with ICANN Contractual Compliance and the Global Domains Division. To the extent that the party requests confidential treatment, ICANN will remove any identifying information and share only the elements of the model with the Hamilton law firm for the purpose of legal analysis against the requirements of the GDPR. The model should reflect a reasonable accommodation of existing contractual obligations and the GDPR and should be accompanied by an analysis explaining how the model reconciles the two. For clarity, Contractual Compliance would not defer enforcement if, for example, a contracted party submitted a model under which it abandoned its WHOIS obligations. In addition, a model that satisfies the conditions noted here might also require compliance with other contractual obligations or consensus policies, e.g., the Registry Services Evaluation Policy (RSEP). A model may also require further modifications if it is later determined not to comply either with the GDPR or any future community-developed policy.

Detailed guidance regarding the process and eligibility requirements can be found here. For more information, please visit our data protection/privacy page.

Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as"""" is not an IDN."