top of page

ICANN and GDPR – nowhere near compliance


The Internet Corporation for Assigned Names and Numbers (ICANN) Initial Report of the Expedited Policy Development Process (EPDP) on the Temporary Specification for generic Top Level Domain (gTLD) Registration Data Team makes for difficult reading. This is because, though it contains a serious attempt at complying with the General Data Protection Regulation (GDPR) compliance, it ignores fundamental criticism by European data protection authorities it has been made aware of as early as fifteen years ago.

The issue at hand is that ICANN, in its role as the global guardian of the internet domain name system for generic top level domains (such as .com and .org ), requires through it standard contractual clauses all its domain name registrars to not only maintain up-to-date contact information about domain name holders, but also to share that data with other registrars as well as the wider world through the public WHOIS directory service. The problem is that this often results in disproportionate processing of personal data and/or transfers of personal data regarding data subjects covered by the GDPR to third countries outside the European Economic Area (EEA). ICANN has been aware of its policies being irreconcilable with EU data protection legislation, first of all through an Opinion of the predecessor of the European Data Protection Board (EDPB), the then Article 29 Working Party (WP29) in 2003. However, it has only recently started to take steps to redress this.

One of the key iss