This article is more than 1 year old

Hey, so Europe's GDPR privacy deadline for Whois? We're going to miss it ... by a year or so

Internet registries and registrars provide terrible timeline

The internet's domain name system is going to miss a May 25 deadline to become compliant with new European privacy legislation by, um, a year or so.

That's according to the companies that register and maintain domain names, who outlined their schedule in a letter [PDF] to DNS oversight body ICANN.

The organizations, which are under contract to the US-based ICANN, note that even if the DNS overseer manages to finalize its model for compliance with the EU's General Data Protection Regulation (GDPR) by the end of next month, it will still take them anywhere between three months and a year to fully implement the changes.

Whois? No, Whowas: Incoming Euro privacy rules torpedo domain registration system


That could potentially open up registries and registrars to huge fines: GDPR allows for companies to be fined up to €20 million ($25m) or 4 per cent of global annual turnover, whichever is higher, if they fail to comply with the legislation.

Even though a large percentage of the companies that operate the DNS are based in the United States, the people registering domains are often based in Europe and the law applies to their data.

Currently, when someone registers a domain name their personal data is published on the internet under the Whois service – including their name, email, phone number and physical address – unless they pay extra for a proxy privacy service.

That approach is illegal under GDPR. But despite having had two years to devise changes to Whois, it wasn't until six months ago - October 2017 – that ICANN finally realized it was not exempt from the legislation.

Even then, the organization failed to act with any sense of urgency until one of its registries that runs the .amsterdam and .frl internet extensions simply refused to accept ICANN's contractual terms and argued that the relevant Whois clause was "null and void" since it conflicts with European regulations.

Don't panic!

Following a mad scramble in which ICANN asked registrars and registries to send it their ideas on how to change the system, and then put out a document with no less than 12 different proposed models, the organization's staff published its own proposal less than two weeks before a critical meeting… and was promptly slammed by the US government for failing to stick to its own core values by trying to give governments the sole right to decide a critical component of the new system.

By the end of its meeting last month, the organization had achieved little beyond a series of letters from its constituencies pointing out flaws in the proposal.

In response to its organizational failure, ICANN's CEO Goran Marby sent a copy of its flawed GDPR "Cookbook" to each of Europe's 28 data protection agencies on March 26 and asked them to tell it what they should do. And asked that ICANN and its contracted parties be given a special exemption from the law while it tries to sort itself out.

"We request you to help ICANN and the domain name registries and registrars to maintain the global WHOIS in its current form, through either clarification of the GDPR, a moratorium on enforcement or other relevant actions, until a revised WHOIS policy that balances these critical public interest perspectives may be developed and implemented," the letter [PDF] read in part.

More about

More about

More about


Send us news

Other stories you might like