David Goldstein - ICANN Announces How gTLDs Will Comply With EU GDPR As Domain Industry Moves At Snail’s Pace


    The European Commission’s General Data Protection Regulation (GDPR) came into effect on 25 May and on 17 May ICANN finally announced a Temporary Specification for gTLD Registries and Registrars. The Temporary Specification, that will be reviewed after 90 days, will see a significant reduction in the information that will be displayed when conducting WHOIS requests, however registrants will still be required provide the same information as they do now.

    The changes, which only relate to generic top level domains (gTLDs) such as .com, .berlin and .shop, come 2 years after the GSPR was adopted on 14 April 2016 and after a 2-year transition period becomes enforceable on 25 May 2018. Yet despite this timeframe, ICANN only approved the Temporary Specification for gTLD Registration Data on 17 May, with a draft published on 11 May. It gave Registries and Registrars 7 days to finalise and implement changes to their systems, or 14 days if they started when the draft was published. That is if they waited for ICANN’s snail-like process to take place.

    The GDPR has been developed by the European Commission to give individuals more control over their data that businesses hold, including domain name Registries and Registrars. It also applies to businesses outside of the EU that hold data on citizens and residents of the EU. It’s impact is far-reaching and penalties for breaches are severe – fines of up to €20 million or 4% of the business’ annual worldwide turnover, whichever is greater.

    ICANN’s approval of a Temporary Specification is the result of 12 months of consultation with the community and “is an important step towards bringing ICANN and its contracted parties into compliance with GDPR,” said ICANN’s Chair Cherine Chalaby. “While there are elements remaining to be finalised, the adoption of this Temporary Specification sets us on the right path to maintaining WHOIS in the public interest, while complying with GDPR before its 25 May enforcement deadline."

    The Temporary Specification will be revisited by the ICANN Board in 90 days, if required, to reaffirm its adoption. It will also have to meet the approval of the European Commission whose Article 29 Data Protection Working Party has expressed misgivings about ICANN’s proposals in April this year.

    So what should be happened on 25 May? Registry Operators and Registrars will still be required to collect all WHOIS information for generic top level domains (gTLDs). However, WHOIS queries will only receive “Thin” data in return, which includes only technical data sufficient to identify the sponsoring Registrar, status of the registration, and creation and expiration dates for each registration, but not personal data.

    For third parties with legitimate interests in gaining access to the non-public data held by the Registry Operator or Registrar, there are still ways to access that data. Queries can be made through the sponsoring Registrar and they are obligated to respond in a reasonable time. If a response is not received, ICANN will have a complaint mechanism available. If it is thought individual parties are not complying with their obligations under these temporary specifications or their agreements with ICANN, ICANN’s Contractual Compliance Department can be contacted to file a complaint.

    The changes are not unlike those being implemented by several European country code top level domain (ccTLD) registries. Some, such as the Austrian registry have implemented a “thin” model for individuals registering domain names, but legal entities or businesses will continue to have “thick” WHOIS data published. Others such as DENIC, the German ccTLD registry, will only record the contact details of the domain name registrant, two additional email addresses as contact points for abuse reports and general and technical requests as well as the usual technical domain data, which is similar to the ICANN model.

    Registrars are frustrated. At the Domain Pulse conference in Munich in February, Registrars expressed misgivings about the slow pace of the consultation and how late solutions, not just from ICANN but also ccTLD Registries, are.

    Registrars expressed frustration that the entire industry has been slow to develop solutions and these solutions were only beginning to be finalised back in February. The changes require significant resources to implement changes. In an industry that operates on razor-thin margins, it’s not an ideal situation.

    There have also been claims that the changes will be a boon for cybercriminals. Krebs on Security has noted that while “cybercriminals don’t use their real information in WHOIS registrations … ANY information they provide — and especially information that they re-use across multiple domains and cybercrime campaigns — is invaluable to both grouping cybercriminal operations and in ultimately identifying who’s responsible for these activities.” And while some cybercriminals do take advantage of privacy protection services, “based on countless investigations I have conducted using WHOIS to uncover cybercrime businesses and operators, I’d wager that cybercrooks more often do not use these services.”