ICANN and the European Union General Data Protection Regulation
The General Data Protection Regulation (GDPR) was adopted by the European Union (EU) on 14 April 2016 and took effect on 25 May 2018 uniformly across the EU countries. It applies to all companies processing and holding the personal data of subjects residing in the EU, regardless of their location.
The GDPR fundamentally changed the public's access to generic top-level domain (gTLD) registration data. As a global resource that serves the public interest, accurate and up-to-date gTLD registration data must be maintained by gTLD registry operators and ICANN-accredited registrars, pursuant to their agreements with ICANN and stakeholder-developed consensus policies.
Below is a description of the work the ICANN organization (org) has conducted in response to this legislation. Click here to return to the main Data Protection and Privacy page.
The GDPR, and the risk of liability as a result of GDPR violations, had a significant impact on the public availability of gTLD registration data. Under current ICANN policy, ICANN-accredited registrars and gTLD registry operators are required to provide public access to non-personal gTLD domain registration data.
These non-personal elements remain public following the ICANN Board's adoption of the Temporary Specification for gTLD Registration Data (Temporary Specification) in May 2018.
Click here for documents and community feedback that informed ICANN's development of the Temporary Specification for gTLD Registration Data.
The adoption of the Temporary Specification triggered the Generic Names Supporting Organization (GNSO) to complete an expedited Policy Development Process (EPDP) on the Temporary Specification for gTLD Registration Data in order to address the changes to registration data access following the adoption of the legislation. Refer to the GNSO active projects list for more insight into their efforts.
On 19 July 2018, the GNSO Council initiated the EPDP. The EPDP submittedits Final Report to the GNSO Council on 20 February 2019. At its meeting on 4 March 2019, the GNSO Council voted to adopt all the recommendations contained in the Final Report.
The Final Report included 29 policy recommendations that broadly address the following:
- Purposes for processing data.
- Data elements for collection, transfer, and retention.
- Data elements for public display.
- Data elements to be redacted.
- Changes and/or review of current ICANN Consensus Policies.
- Update to reasonable requests for the lawful disclosure of data.
- Continued course for an "implementation bridge," or, how contracted parties may handle the policy recommendations and Temporary Specification requirements following its expiration and before EPDP policy recommendations are officially implemented.
On 15 May 2019, the Board adopted 27 of the 29 recommendations included in the EPDP team's Phase 1 Final Report and ICANN org implemented the Interim Registration Data Policy for gTLDs, which requires ICANN's contracted parties to continue to implement measures consistent with the Temporary Specification on an interim basis, pending the implementation of the Registration Data Policy.
Implementation of these recommendations has been incorporated into the work of the EPDP Phase 1 Implementation Review Team (IRT). To track this work, visit the Implementing Policy at ICANN page.
Phase 2 of this EPDP was chartered with addressing unresolved issues from Phase 1, issues noted in the Annex to the Temporary Specification for gTLD Registration Data, and working on the development of a system for standardized access for nonpublic registration data.
To organize its work, the EPDP team divided its work into priority 1, consisting of the System for Standardized Access/Disclosure and all related questions; and priority 2, which includes the topics noted in the Annex to the Temporary Specification for gTLD Registration Data ("Important Issues for Further Community Action") and outstanding issues deferred from Phase 1 (e.g., redaction of city field, data retention, et. al.)
On 10 August 2020, the EPDP Phase 2 team published its Final Report, which outlines recommendations for a System for Standardized Access/Disclosure (SSAD) to nonpublic gTLD registration data, as well as recommendations and conclusions for Priority 2 topics, carried over from the EPDP Phase 1 discussions. Minority Statements were accepted through 24 August 2020, and all statements received by the deadline were incorporated into the Final Report.
The GNSO Council considered the Final Report on 24 September 2020 and adopted it with the required GNSO supermajority support. In its adoption of the Final Report, the GNSO Council suggested a consultation with the ICANN Board, in particular, to discuss some of the concerns raised in the minority statements related to the SSAD recommendations.
The SSAD is a new system proposed to centrally handle requests for non-public registration data, envisioned in Recommendations 1-18 of the Final Report of the GNSO EPDP on the Temporary Specification for gTLD Registration Data Phase 2. Due to the resource investment and complexity that would likely be required to implement the SSAD-related policy recommendations, the ICANN Board requested an Operational Design Phase (ODP) to inform its deliberations, including whether the recommendations are in the best interests of the ICANN community or ICANN.
The GNSO Council formed a small team to help analyze the ODA to respond to Board Chair Maarten Botterman's letter outlining Board concerns regarding the complexity of an SSAD and provide the Council with further feedback.
The small team submitted its preliminary report to the GNSO Council on 4 April. On 6 April 2022, ICANN org offered to outline a proof-of-concept approach (formerly known as SSAD Light) called the "WHOIS Disclosure System." This proposed system would simplify the process of submitting and receiving requests for nonpublic gTLD registration data for both requestors and contracted parties, and be cost effective.
During its meeting on 14 April, the Council reviewed the preliminary report and the small team's recommendation to request that the ICANN Board pause consideration of the SSAD recommendations and instruct ICANN org to further develop the proposed design for the proof of concept. The GNSO Council sent a letter to the Board on 27 April 2022, requesting consideration of the SSAD-related recommendations be paused and to direct ICANN org to proceed with development of the design for the WHOIS Disclosure System.
On 9 June 2022, the ICANN Board agreed to the Council's request to pause the consideration of the SSAD-related recommendations and on 14 July 2022 accepted the GNSO Council's request to proceed with the WHOIS Disclosure System design paper. ICANN org started the drafting of the WHOIS Disclosure System design paper in mid-July 2022; the paper was presented to the community at ICANN75.
For more information on this work, click here.
The EPDP Phase 2 team's Priority 2 recommendations relate to the implementation of Phase 1 recommendations and not the SSAD; therefore, the Board opted to consider these four recommendations separately and subsequently adopted them. These recommendations have been incorporated into the work of the EPDP Phase 1 Implementation Review Team.
To further track this work, visit the Implementing Policy at ICANN page.
The Final Report for Phase 2 was adopted by the GNSO Council during its meeting on 24 September 2020. However, in response to a request from some EPDP team members, the GNSO Council asked the EPDP team to continue work on two topics: 1) the differentiation of legal vs. natural persons' registration data and 2) the feasibility of unique contacts to have a uniform anonymized email address. These two topics constituted the focus of Phase 2A. The GNSO Council approved the Phase 2A Final Report on 27 October 2021.
The ICANN Board approved the EPDP Phase 2A policy recommendations on 10 March 2022.
Implementation has begun. To track this work, visit the Implementing Policy at ICANN page.
ICANN org participates in a range of forums and engages with a variety of stakeholders on issues relating to ICANN's mission. The org's engagement strategy is two-pronged: 1) focusing on raising awareness, including of privacy-related aspects of ICANN's work, such as WHOIS and associated procedures; and 2) focusing on capacity development and educating local participants on Internet policymaking, technical coordination, and implementation.
ICANN org continues to seek greater clarity from the European Data Protection Board and other European authorities on several outstanding questions and issues related to the GDPR.