GDPR: Next Steps for the Domain Industry

By Beth Bacon, Director of Policy and Privacy, Public Interest Registry

As we laid out in a prior post, PSA to Nonprofits: GDPR May Apply to You, there are several things nonprofits and NGOs need to be aware of and take into consideration now that GDPR is with us.

We have been working hard to make sure our internal processes are in line with the law, and we are actively engaging with the community on issues impacting the industry, most notably regarding WHOIS. To help with understanding and clarity, we thought we’d lay out the issues being discussed and outline the next steps.

Prior to May 25, 2018, when the GDPR came into effect, the publicly searchable WHOIS information included some personal data about the registered domain name holder. Following May 25, the requirements to make that personal information public were changed. A WHOIS lookup will now return only non-personal data related to the registered domain name.

This modification was part of a Temporary Specification (TS) published by ICANN on May 17. The TS established provisional requirements to allow ICANN, Registries and Registrars to meet their contractual obligations while complying with the GDPR. This allows ICANN up to a year to work in its multi-stakeholder fashion to establish a long-term solution that all interested parties agree on. This process, called an ePDP (Expedited Policy Development Process), will have a very short period of time to create, pitch and implement the agreed method.

The ICANN Community as well as parties outside the industry have views on how this work should proceed. For example, ICANN has sought input from the European Data Protection Board (EDPB), which provided a letter laying out its concerns and advice. The letter and advice will no doubt be considered as part of the ePDP. ICANN has given its response to the EDPB in a blog post.

The main concerns that will likely be discussed and addressed are:

  • Technical data processing requirements for registries, registrars and ICANN
  • Roles and responsibilities
  • Data retention
  • Data access and disclosure

As always, Public Interest Registry intends to remain actively involved in industry efforts related to data privacy, as well as continuing to dedicate itself to protecting user data and evolving our own data management and ethics practices.