GDPR. It’s the four-letter “word” everyone is talking about and there are lots of questions still swirling around the topic. We wanted to provide a summary of where we are and what we believe the next ten days will bring.
What we know:
- GDPR enforcement will begin May 25, 2018. After this date, those found in violation of the regulation can be fined up to 4% of annual global turnover or 20 Million Euros, whichever is greater.
- At one point, there was discussion of forbearance for contracted parties (registrars and registries) to allow for more time to implement a GDPR-compliant WHOIS solution, but that will not happen, and the contracted parties need to have GDPR-compliant WHOIS in-place by May 25, 2018.
- The ICANN Board appears poised to approve a “Temporary Specification” which will address how WHOIS will be handled in light of GDPR enforcement. A draft of the specification has been posted here: https://www.icann.org/en/system/files/files/gtld-registration-data-temp-spec-17may18-en.pdf. This temporary specification could be in place for up to a year.
- This specification reaffirms the interim WHOIS model put forth by ICANN. This proposed WHOIS model pares back data fields significantly to include only organization name, state or province, and country. In addition, the proposed WHOIS output will include either an anonymized e-mail address or web form which will allow for a certain level of contactability.
- Once the temporary specification is approved, it will allow for very little time for contracted parties to update their systems to comply with the requirements. Already, many registries and registrars have updated their WHOIS output to become GDPR-compliant, but others have been waiting to receive guidance from ICANN.
- ICANN has stressed the importance of continuing to collect registrant data as registrars have done in the past. That said, there is concern that contracted parties have already made changes to their systems, and if those changes include not collecting registrant data, those registrars may not be compliant with the temporary specification.
- In conjunction with the temporary specification being put into place, ICANN will also kick off a policy development process to create long-term policy which will govern WHOIS.
- Given that public WHOIS data will be severely diminished, each contracted party will define the mechanisms by which third-parties may obtain non-public WHOIS data.
- Despite proposals put forth for credentialing and tiered-access to non-public WHOIS data, given the complexity involved, such a system could not be implemented by May 25, 2018.
What we don’t know:
- Once this temporary specification is put forth by ICANN, exactly what are the next steps? Will we see an increase in the level of contractual compliance complaints submitted to ICANN?
- Because the temporary specification can only be in place for a year, there is concern that new policy cannot be developed within that timeframe. It is unclear what would happen if the temporary specification expires without a new policy to replace it.
- Will ICANN be doing outreach to its global network of several thousand contracted parties to ensure all are aware of the requirements and timelines? Most parties within the ecosystem are accustomed to having months or even years to adopt ICANN policy, so having something pushed out within less than 10 days will be a new experience.
- How will the domain market look and operate after May 25, 2018? With WHOIS information drastically reduced, obtaining domain ownership and contact information will become challenging in ways we have not previously seen.
- What will Reverse WHOIS providers do with the millions of historical WHOIS records they have stored? Will that data continue to be available or will it be purged? It’s possible only records containing personally identifiable information for those in the EU would be purged, but that remains to be seen.
- How are ongoing issues already being worked on within ICANN impacted? Specifically, topics like Privacy and Proxy accreditation could be paused while the full impact of GDPR is understood. Already we have seen a request to push out 2018 deadlines for Thick WHOIS in .com and .net by a year due to the ongoing GDPR discussions.
It’s clear that there are lots of moving pieces and still lots of unknowns. But as always, we’ll continue to monitor closely and provide updates as they become available.