How ICANN is Complying with the GDPR

European Privacy Regulation Results in Changes to ICANN Policies 

The 2018 passage of the General Data Protection Regulation (“GDPR”) created stricter regulations for companies to meet when handling the personal and sensitive data of consumers and users. As such, the GDPR has had a lasting impact in areas of regulation that were previously not affected by domestic laws. Among those affected is the Internet Corporation for Assigned Names and Numbers (“ICANN”), which the European Union's passage of the GDPR forced to create new policies to respond to the heightened security standards.

ICANN is a nonprofit organization that oversees and manages the Internet’s global domain name system (“DNS”). ICANN’s responsibilities include the management of root name servers, introduction of any new generic top-level domains (“gTLDs”), and the creation of new policies that govern and manage the DNS system. ICANN’s policies are recognized internationally, and countries look to ICANN to arbitrate disputes regarding the DNS system as well as to maintain the overall stability of the Internet as it pertains to DNS systems, Internet protocol address spaces, and regional Internet registries.

Domain Ownership Anonymity Facilitated With Heightened Data Privacy Laws 

Since the 2018 introduction of the GDPR by the European Union, ICANN has found itself tasked with the difficult challenge of reconciling the GDPR’s strict guidelines with the ever-present need for information transparency via the WHOIS database. The WHOIS system is open to public query and returns the contact information of domain owners. The contact information made available by a WHOIS query normally includes the mailing address, phone number, and email address of the domain name owner or administrator, which can leave domain owners vulnerable to the misuse of their contact information by spammers, mass-marketers, and even hackers or identity thieves. To counter this issue, some registrars offer, for a fee, to provide their own contact information in place of the true domain owner's.

It is well understood that ICANN generally handles any disputes regarding domains, which may include, but are not limited to, cybersquatting, impersonation of brands on websites, and infringing web use of IP. Generally, to serve, contact, or open a dispute with the infringers, the “true” IP owners must have access to the infringers’ contact information. But with the recent passage of the GDPR, legitimate brand owners now face an even harder time retrieving such data.

ICANN Implements the Temporary Specification

As a compromise, ICANN has implemented a temporary fix for users who are experiencing difficulty in unmasking infringers by creating the Temporary Specification for gTLD Registration Data (“Temporary Specification”). The Temporary Specification provides a safe haven for gTLD registry operators and registrars alike to qualify as “compliant” with ICANN’s WHOIS directory system if they maintain collection of registration data and personal information with increased security, allowing only tiered or layered access. In other words, in order to access personal or more sensitive data, query-users will now have to demonstrate and provide a legitimate reason to ICANN for requesting access to personal information. Moreover, the amount of information requested must also be proportionate to the demonstrated need.

While the Temporary Specification is still very much a work in progress, it does provide a helpful compromise because it requires increased data security without weakening the WHOIS query system too much. As the tiered or layered access required by the Temporary Specification process is not fully fleshed out, ICANN is looking to experts in the field to provide public comments and feedback in order to create sweeping guidelines that will simultaneously meet the requirements of the GDPR, allow for the pursuit of infringers, and still maintain relative transparency when it comes to finding out the contact information of domain owners for legitimate purposes.


About the Firm:

Klemchuk LLP is a litigation, intellectual property, transactional, and international business law firm dedicated to protecting innovation. The firm provides tailored legal solutions to industries including software, technology, retail, real estate, consumer goods, ecommerce, telecommunications, restaurant, energy, media, and professional services. The firm focuses on serving mid-market companies seeking long-term, value-added relationships with a law firm. Learn more about experiencing law practiced differently and our local counsel practice.