ICANN Requests GDPR Exemption As It Develops Compliance Plans

Internet domain name bodies have estimated they could take up to a year or more to implement proposals designed to bring them into compliance with the EU’s General Data Protection Regulation (GDPR), as the internet oversight body ICANN scrambles to put a compliance plan into place.

A working group made up of groups such as registries and registrars, who contract their services from ICANN, made the estimate in a document published by the organisation ahead of the GDPR’s 25 May implementation date.

The new rules are incompatible with ICANN’s WHOIS system, which displays contact information for anyone who registers a website, unless they pay to have the information hidden.

ICANN said it has asked the European Commission for a moratorium on GDPR enforcement while it develops its plans.

Compliance scheme

The regulations came into force nearly two years ago, and were in the works for several years before that, but US-based ICANN only began work on changing the way WHOIS functions last October.

GDPR compliance requires extensive changes to WHOIS, which is routinely used by security professionals and law enforcement in tracking down malicious actors.

ICANN is proposing a system that would give accreditation to such professionals to access the data, while hiding it from the general public by default. But a centralised system for assigning such credentials could take “quarters (or possibly years), rather than months” to develop, the working group said in the document.

A system that would allow users to opt into having their WHOIS data displayed could take about 15 months.

The GDPR allows large fines to be imposed on organisations who don’t protect individuals’ personal data in accordance with its rules.

Legal liability

Rather than expose themselves to such issues some registrars, such as GoDaddy, have said they will filter out all WHOIS contact data until a centralised system for compliance is available.

Last month ICANN chief executive Goran Marby sent letters to each of the EU’s 28 state data protection agencies asking for advice, and requesting an exemption on GDPR enforcement that would allow WHOIS to temporarily continue in its current form.

The absence of such guidance could lead to “many domain name registries and registrars choosing not to publish or collect WHOIS out of fear that they will be subject to significant fines following actions brought against them by the European DPAs”, Marby wrote.

While ICANN is based in the US, website registrants are often based in Europe, meaning the system falls under the GDPR’s jurisdiction.

Marby has said ICANN expects to have a response from the European Commission’s Article 29 Working Party data protection group following its next plenary session in the coming weeks.

For the present, Marby has acknowledged that until it hears from the Article 29 Working Party ICANN does not yet even know whether its approach would be considered compliant with EU law.

Do you know all about security? Try our quiz!

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications

Recent Posts

Craig Wright Sentenced For Contempt Of Court

Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…

2 days ago

El Salvador To Sell Or Discontinue Bitcoin Wallet, After IMF Deal

Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…

2 days ago

UK’s ICO Labels Google ‘Irresponsible’ For Tracking Change

Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…

2 days ago

EU Publishes iOS Interoperability Plans

European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…

3 days ago

Momeni Convicted In Bob Lee Murder

San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…

3 days ago