May 15, 2018 - by Matt Serlin

The Latest on GDPR and WHOIS

GDPR. It’s the four-letter “word” everyone is talking about, and there are still lots of questions swirling around the topic. We wanted to provide a summary of where we are and what we believe the next ten days will bring.

What we know:

  • GDPR enforcement will begin May 25, 2018. After this date, those found in violation of the regulation can be fined up to 4% of annual global turnover or 20 Million Euros, whichever is greater.
  • At one point, there was discussion of forbearance for contracted parties (registrars and registries) to allow more time to implement a GDPR-compliant WHOIS solution, but that will not happen, and the contracted parties need to have GDPR-compliant WHOIS in place by May 25, 2018.
  • The ICANN Board appears poised to approve a “Temporary Specification” which will address how WHOIS will be handled in light of GDPR enforcement. A draft of the specification has been posted here: https://www.icann.org/en/system/files/files/gtld-registration-data-temp-spec-17may18-en.pdf. This temporary specification could be in place for up to a year.
  • This specification reaffirms the interim WHOIS model put forth by ICANN. This proposed WHOIS model pares back data fields significantly to include only organization name, state or province, and country. In addition, the proposed WHOIS output will include either an anonymized e-mail address or web form which will allow for a certain level of contactability.
  • Once the temporary specification is approved, it will allow for very little time for contracted parties to update their systems to comply with the requirements. Already, many registries and registrars have updated their WHOIS output to become GDPR-compliant, but others have been waiting to receive guidance from ICANN.
  • ICANN has stressed the importance of continuing to collect registrant data as registrars have done in the past. That said, there is concern that contracted parties have already made changes to their systems, and if those changes include not collecting registrant data, those registrars may not be compliant with the temporary specification.
  • In conjunction with the temporary specification being put into place, ICANN will also kick off a policy development process to create long-term policy which will govern WHOIS.
  • Given that public WHOIS data will be severely diminished, each contracted party will define the mechanisms by which third parties may obtain non-public WHOIS data.
  • Despite proposals put forth for credentialing and tiered access to non-public WHOIS data, given the complexity involved, such a system could not be implemented by May 25, 2018.

What we don’t know:

  • Once this temporary specification is put forth by ICANN, exactly what are the next steps? Will we see an increase in the level of contractual compliance complaints submitted to ICANN?
  • Because the temporary specification can only be in place for a year, there is concern that new policy cannot be developed within that timeframe. It is unclear what would happen if the temporary specification expires without a new policy to replace it.
  • Will ICANN be doing outreach to its global network of several thousand contracted parties to ensure all are aware of the requirements and timelines? Most parties within the ecosystem are accustomed to having months or even years to adopt ICANN policy, so having something pushed out in less than 10 days will be a new experience.
  • How will the domain market look and operate after May 25, 2018? With WHOIS information drastically reduced, obtaining domain ownership and contact information will become challenging in ways we have not previously seen.
  • What will Reverse WHOIS providers do with the millions of historical WHOIS records they have stored? Will that data continue to be available or will it be purged? It’s possible only records containing personally identifiable information for those in the EU would be purged, but that remains to be seen.
  • How are ongoing issues already being worked on within ICANN impacted? Specifically, topics like Privacy and Proxy accreditation could be paused while the full impact of GDPR is understood. Already we have seen a request to push out 2018 deadlines for Thick WHOIS in .com and .net by a year due to the ongoing GDPR discussions.

It’s clear that there are lots of moving pieces and still lots of unknowns. But as always, we’ll continue to monitor closely and provide updates as they become available.


  • Matt Serlin

    With a focus on security, service and support, Matt Serlin joined Brandsight in 2017 to lead all domain operations, including client services and domain name provisioning. Matt has over 15 years of direct domain name experience most recently with MarkMonitor where he was instrumental in building the industry’s first dedicated client services team, which has become the de facto standard for all corporate registrars.
