Latest news of the domain name industry

Recent Posts

Registrars will miss GDPR deadline by a mile

Kevin Murphy, March 28, 2018, 11:14:36 (UTC), Domain Registrars

Registries and registrars won’t be able to implement ICANN’s proposed overhaul of the Whois system in time for the EU’s General Data Protection Regulation coming into effect.

That’s according to an estimated timetable (pdf) sent by ICANN’s contracted parties to the organization this week.

While they feel confident that some elements of ICANN’s GDPR compliance plan could be in place before May 25 this year, when the law kicks in, they feel that other elements could take many months to design and roll out.

Depending on the detail of the finalized plan, we could be looking at the back end of 2019 before all the pieces have been put in place.

Crucially, the contracted parties warn that designing and rolling out a temporary method for granting Whois access to entities with legitimate interests in the data, such as police and trademark owners, could take a year.

And that’s just the stop-gap, Band-Aid hack that individual registries and registrars would put in place while waiting — “quarters (or possibly years), rather than months” — for a fully centralized ICANN accreditation solution to be put in place.

The outlook looks bleak for those hoping for uninterrupted Whois access, in other words.

But the timetable lists many other sources of potential delay too.

Even just replacing the registrant’s email address with a web form or anonymized forwarding address could take up to four months to put online, the contracted parties say.

Generally speaking, the more the post-GDPR Whois differs from the current model the longer the contracted parties believe it will take to roll out.

Likewise, the more granular the controls on the data, the longer the implementation window.

For example, if ICANN forces registrars to differentiate between legal and natural persons, or between European and non-European registrants, that’s going to add six months to the implementation time and cost a bomb, the letter says.

Anything that messes with EPP, the protocol underpinning all registry-registrar interactions, will add some serious time to the roll-out too, due to the implementation time and the contractual requirement for a 90-day notice period.

The heaviest workload highlighted in the letter is the proposed opt-in system for registrants (such as domain investors) who wish to waive their privacy rights in favor of making themselves more contactable.

The contracted parties reckon this would take nine months if it’s implemented only at the registrar, or up to 15 months if coordination between registries and registrars is required (and that timeline assumes no new EPP extensions are going to be needed).

It’s possible that the estimates in the letter could be exaggerated as part of the contracted parties’ efforts to pressure ICANN to adopt the kind of post-GDPR Whois they want to see.

But even if we assume that is the case, and even if ICANN were to finalize its compliance model tomorrow, there appears to be little chance that it will be fully implemented at all registrars and registries in time for May 25.

The letter notes that the timetable is an estimate and does not apply to all contracted parties.

As I blogged earlier today, ICANN CEO Goran Marby has this week reached out to data protection authorities across the EU for guidance, in a letter that also asks the DPAs for an enforcement moratorium while the industry and community gets its act together.

Late last year, ICANN also committed not to enforce the Whois elements of its contracts when technical breaches are actually related to GDPR compliance.

Tagged: , , ,

Comments (4)

  1. Rubens Kuhl says:

    Domain investors might vote with their feet, preferring registrars that already implemented the disclose option before the others.

    • Volker Greimann says:

      Rubens, implementing the disclose option may not be possible for registrars when the registry does the hiding of the data. Even if registrars were to send the registries the full data set, they may not have control over the reveal function, depending on the registry.

      • Rubens Kuhl says:

        Good part of domain investing portfolios is still concentrated on .com and .net, and for those, registrars are the only ones needing to implement the disclose option.

        But for other TLDs, the same will apply to registrars and registries: domain investors will prefer TLDs where the disclose option works, and if only a few registrars implement it, they will prefer those.

      • I’m still not convinced registries should be holding any of this data at all.

Add Your Comment