ICANN’s WhoIs a GDPR Compliance Challenge

The Internet Corporation for Assigned Names and Numbers (ICANN) continues to develop interim models that focus on the preservation of ICANN’s WhoIs Lookup service once the European Union’s General Data Protection Regulation (GDPR) takes effect.

ICANN is a non-profit organization whose purpose is to oversee domain names. In line with this purpose, its WhoIs protocol provides public access to the full contact details or personal information of domain name registrants. Registrants can opt for domain privacy to mask their contact information from the public, but they have to purchase this service from domain registrars. Because of the nature of WhoIs, keeping the service as close as possible to its current state while also achieving GDPR compliance puts ICANN in a tricky spot.

As a recourse, ICANN has been looking to data protection authorities for direction. On March 26, the organization sent requests to each of the European member states’ data protection authorities (DPAs) asking for guidance on how its most recent interim model, the "Cookbook," can be improved for GDPR compliance.

A clear purpose for processing

ICANN had started publishing interim models before the Cookbook in January 2018. However, the European Commission determined that these models needed further improvement. One of the Commission’s chief concerns was that the purpose for data processing was not as clear and concrete as required in the GDPR, branching to problems in the legitimacy of WhoIs’ data collection, retention, and publication.

ICANN had to continue developing these models, trimming them down to the one detailed in the Cookbook published last March. Its solution involved implementing “tiered access” to domain-name user information, wherein most of the information will be inaccessible to the public. Only certain third-party groups, such as law enforcement and those who can comply with the legitimate interest provision for data processing in the GDPR, may be given access to the full WhoIs. As an additional measure, ICANN also proposed to anonymize by default the contact email of domain users in the publicly accessible section of WhoIs.

Whether this model will get a favorable response from concerned data protection authorities remains to be seen. WhoIs is considered a useful tool, allowing users to check whether a domain name is still available or helping them take down fraudulent ones. However, whether WhoIs remains true to its purpose depends not only on whether an interim model will be approved but also on whether this model can be implemented by the time GDPR is enforced. ICANN’s registries and registrants sent a timeline for adhering to the model, stating that the needed changes would take several months to complete. Unfortunately, the implementation is unlikely to meet the GDPR deadline.

More on GDPR compliance

ICANN’s case exemplifies just one of the many challenges GDPR poses. Organizations must enforce changes to make their journey to GDPR compliance align with their own goals as a business. The regulation pushes companies to improve their data processing, storage, and collection policies, ideally reducing the risk of data loss. The GDPR also emphasizes using “state-of-the-art technology” to improve data processing efficiency and cybersecurity. Compliance can be seen as proof that an organization has excellent security and control over its data.

With only weeks to go before the GDPR is enforced, compliance is a concern that’s gaining more urgency. To help an organization’s continuing journey to compliance, information on the GDPR and a checklist for compliance have been released and updated ever since the regulation was announced two years ago. As for the “state-of-the-art technology” component, a cybersecurity solution that can protect the entire enterprise and has a strong technology component can support an organization’s journey towards GDPR compliance.

Watch our GDPR video case study to see how Trend Micro has been preparing for compliance.



Posted in Online Privacy