In May of 2018, ICANN’s Temporary Specification for gTLD registration data came out. The point in doing this was to start towards compliance with the new GDPR privacy regulations. For new domain owners, this implied several additional requirements.
New WHOIS Changes
ICANN’s Temporary Specification changed the conventional use and output of WHOIS. Prior to this emergency policy, anyone needing to find the owner of a domain name could simply look up the information on WHOIS. The new Temporary Specification put into effect in May of 2018 and expiring on May 2019, placed a list of items that registrars must implement to comply with their Registrar Accreditation Agreement. The following are some of those compliance regulations.
Registrars Must Redact Personally Identifying Information for Whois
In itself, this is nothing new. This means any registrant in the EU must register personal data. However, the new aspect of this is that the fields will output the fields as REDACTED FOR PRIVACY. This means that this private registry of personal data will no longer appear directly from a WHOIS search or in the WHOIS database download. So as of May 2018, Whois lookups now result in all domains returning a “Data Protected” status instead of listing the registrar’s personal information.
New WHOIS Contactability Service
Does this mean all personal data will always remain hidden? No! This approach does plan on providing third parties the ability to contact the registrants by email or web form through the use of a Whois Contactability service. This will allow tech specialists to contact registrants through a specialized hosted web form. This new Contactability service will also allow registrants to have their details displayed in the public Whois if they give their consent to do so.
The access to this personal data will be tiered. The purpose is to allow third parties with a legitimate reason to access this information (law enforcement agencies) to do so, but the new Whois portal will also protect data from unnecessary access.
ICANN’s Temporary Specification will also provide mandatory disclosure to registrants. They will detail who has this personal information, how it is processed and when data transfer (when appropriate) crosses internationally.
Enforcement as of Last Year
ICANN has been enforcing the Temporary Specifications as of last year. So registrars, including domain re-sellers are changing the way they implement their registration process to comply with this new Temporary Specification.
These industry-standard processes are important as they prevent or minimize the risk of spam and cybercrime. Many of these requirements set forth by the Temporary Specifications regulations will move the industry towards a unified approach to data protection of domain registrars.
Implications for Domain Sellers
What this means for domain re-sellers is that they need to have registrars fill out new GDPR regulated forms. If you collect and process data for EU registrars you will need to ensure that you are complying with GDPR regulations.
How Will Domain Transfers Be Affected?
How will this affect domain transfers? This can certainly be a problem because if a reseller cannot see who owns a domain, they cannot initiate a transfer. They cannot determine if the request to transfer is legitimate? At present, the Registry Stakeholders Groups and sub-groups have sent a letter to ICANN proposing changes to the transfer process. They propose that an authorization code should be required to initiate the transfer. The current registrar would then send a mandatory confirmation FOA through the platform requesting that the domain owner complete the form within 5 days. It is a somewhat more time-consuming process but one that would be more secure for all domain re-sellers and registrars.