ICANN approves gTLD data measure as GDPR looms

ICANN has approved a temporary solution for storing registration data in order to comply with the EU’s General Data Protection Regulation (GDPR).

Announced yesterday, May 17, the “Temporary Specification for gTLD Registration Data” applies to the Whois model, under which registrants’ data are stored. 

After the ICANN board approved the measure, board chair Cherine Chalaby said it was an “important step” towards bringing ICANN and its contracted parties into compliance with the GDPR.

The GDPR comes into force on May 25. 

Chalaby added that “there are elements to be finalised” but that ICANN is on the right path to maintaining Whois in the public interest while complying with the GDPR. 

According to ICANN, the temporary specification reflects the previous “Proposed Interim Compliance Model” and aims to ensure the continued availability of the Whois system “to the greatest extent possible”.

“Preserving the Whois system is critical to the stability and security of the internet, which allows for the easy identification and mitigation of bad actors, cybercriminals, IP infringement, and other malicious activity online,” the organisaton added. 

The temporary specification allows registrars and registries to continue with the “robust collection” of registration data and technical information, ICANN said. 

In order for ICANN to comply with the GDPR, access to personal data will be restricted to layered access, where only users with a “legitimate purpose” can request access to non-public data through registrars and registry operators. 

ICANN explained that until a unified access model is in place, registries and registrars will have to determine which requests are legal.  

The alternative option would be to contact either the registrant or its administrative and technical contacts through an anonymous email or web form available with the registrar, ICANN added. 

The board’s decision was unanimous, and it must reaffirm its approval every 90 days for at least a year.