ICANN requests guidance about the GDPR impact on domain whois from the EU

Göran Marby, ICANN’s President and Chief Executive Officer, has requested guidance about the General Data Protection Regulation (GDPR) impact on the domain name system and WHOIS from the European Union.

Marby sent letters (pdf) to the commissioners of all European Union countries that relate to Personal Data Protection and Information.

ICANN seems to have given up trying to figure out a solution to the upcoming GDPR and is asking everybody else to solve the problem. It is already too late. ICANN has not even figured out what the interim GDPR model is going to be.

Maybe ICANN should start doing some actual work instead of only spending our money.

Here is how the Göran Marby letter begins:

“This letter is in follow up to our letter dated 12 September 2017 to provide you with an update on the ongoing work of ICANN and the global Internet community in seeking to comply with the General Data Protection Regulation (GDPR) as it may apply to the global Domain Name System, and in particular, the WHOIS, a global, publicly available distributed directory service containing information about the registration records of more than 187 million domain names.

ICANN helps to coordinate a decentralized WHOIS through private contractual arrangements, with more than 2, 500 domain name registries and registrars, each of which, along with ICANN, are data controllers impacted by the GDPR.

Accordingly, ICANN and more than a thousand of the domain names registries and registrars are at a critical juncture. We need specific guidance from European data protection authorities in order to meet the needs of the global internet stakeholder community, including governments,  privacy authorities, law enforcement agencies, intellectual property holders, cybersecurity experts, domain name registries, registrars, registrants and ordinary internet users.

Following extensive public debates and information exchanges about the impact of the GDPR on WHOIS, there remain critical questions regarding how to maintain the global system of WHOIS in a manner that is consistent with the GDPR. Without guidance from you on these critical questions detailed below, the integrity of the global WHOIS system and our ability to enforce WHOIS requirements after the GDPR becomes effective will be threatened.

Continued ambiguity on the applicability of the GDPR to the global WHOIS may result in many of the domain name registries and registrars choosing not to comply with their contractual requirements on WHOIS out of fear that they will be subject to significant fines following actions brought against them by your respective offices. Many of ICANN’s contracted parties, specifically domain name registries and registrars, need clear guidance on these critical questions and assurance that they will not have enforcement actions brought against them while they implement changes to comply with the GDPR.

At the same time, governments, law enforcement authorities and others are deeply concerned that blocked access to the global WHOIS may significantly harm the public interest, by blocking access to critical information which allow them to enforce other laws and protect consumers, critical infrastructure and intellectual property rights.

We request you to help ICANN and the domain name registries and registrars to maintain the global WHOIS in its current form, through either clarification of the GDPR, a moratorium on enforcement or other relevant actions, until a revised WHOIS policy that balances these critical public interest perspectives may be developed and implemented.”

You can read the complete letter here.


About Konstantinos Zournas

I studied Computer Engineering and Computer Science in London, UK and I am now living in Athens, Greece. I went online in 1995, started coding in 1996 and began buying domain names and creating websites in 2000. I started the OnlineDomain.com blog in 2012.


  1. Why is this so difficult?

    Most WHOIS providers are outside the EU jurisdiction

    There are many public databases, for example in the UK citizens are obliged to provide a list of residents and then a obliged to inform the local authority of those eligible to vote.

    That data creates “the voters roll” which is then sold for 20c per thousand to all comers. You can ask to be not included but you have to show harm.

    The biggest abusers of this data are the credit reference agencies who sell access to the data and add to the data WITHOUT EXPLICIT CONSENT, despite being a credit reference database it is used when you do not take credit !! They even put alerts on the data for their clients if you move.

    UK Company Directors are published on Companies House and they have to pay to use a different address to avoid their home address being published (sound familiar)

    Nominet still provide a WHOIS service they also offer privacy and the option for sole individuals to only provide a name where the domain is not being used commercially (confirmed by a visit to the site).

    As far as I am concerned all ICANN and their customers need to do is make sure the data is not stored in the EU and that any company offering WHOIS services has a US office. Then ICANN can tell the EU to Foxtrot Oscar.

    WHOIS is an important service to protect from scammers and spammers (when we need to find them), the privacy companies are equally important to offer protection from bots (when they want to steal data) I do not like the way GoDaddy flucks with the system and think ICANN should focus on that.

    All these really requires is some consent and that can be written into agreements.

    • “As far as I am concerned all ICANN and their customers need to do is make sure the data is not stored in the EU and that any company offering WHOIS services has a US office.”

      GDPR also covers the transfer of data outside of the EU.

  2. ““As far as I am concerned all ICANN and their customers need to do is make sure the data is not stored in “the EU and that any company offering WHOIS services has a US office.”

    “GDPR also covers the transfer of data outside of the EU.”

    Last time I looked the data originated in the US, ICANN is US based organisation with members around the world but the data is essentially not EU albeit that some data is about EU Citizens who own domains.

    When they talk about the transfer of data outside of the EU they refer to data that originated there or is used there by EU Citizens by organisations that have an EU Presence (e.g. Facebook).

    The EU can’t hold the world to their laws, only their Citizens, their countries and their organisations.

    We already had this issue come up about cloud data which may reside outside EU or may be cached

    If would be different if it were say Nominet but this is ICANN, typical of them to make it more complicated than it needs to be..

    • Hello Neal,
      Great points above@

      Also our opinion is ICANN is using EU as an excuse to cover the real reason. We think Google/Go-Daddy influence is the real reason. By restricting public access they maintain a tighter control of the (( .COM Equimoditty Platform Asset Class )) = Less Access = More Control . OCCAMS RAZOR

      Gratefully, Jeff Schneider (Contact Group) (Metal Tiger) Former (Rockefeller IBEC Marketing Intelligence Analyst/Strategist) (Licensed CBOE Commodity Hedge Strategist)
      (Domain Master )http://www.UseBiz.com

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.