ICANN ‘To Deliver Temporary GDPR Plan’ As Deadline Looms

Internet oversight body ICANN has said it hopes to deliver a draft temporary specification for compliance with the EU’s General Data Protection Regulation (GDPR) within the next few days, amidst dissension with European regulators and the US government over its delayed compliance plans.

The update came as a study found only 3 percent of US organisations were concerned about fines under the new regulations, and as a result were not prioritising compliance.

On Tuesday Akram Atallah, president of ICANN’s Global Domains Division, said he met with registries and registrars last week to discuss GDPR compliance and its effect on their operations.

Atallah said the organisation is putting into place a temporary specification to give registries and registrars common guidelines for compliance.

Temporary measures

“We aim to have a draft temporary specification to share with the community in the next few days,” Atallah wrote in an online update.

He said the aim of the specification and the Interim Model are to change WHOIS as little as possible under the law.

“Our aim is to maintain the current WHOIS to the greatest extent possible while complying with the law,” he wrote, adding that comments from the group’s thousands of registries and registrars would help ICANN achieve “an appropriate balancing of the law’s requirements and ICANN contracts”.

The temporary specification covers areas such as continued collection of registration data from registrants, its transfer to registries, how it should be displayed on the public WHOIS and how amendments to registry-registrar agreements should be handled.

Data row

The GDPR was passed nearly two years ago and an enforcement grace period ends on 25 May, but ICANN has estimated it may take at least a year beyond that deadline to make the necessary changes to its WHOIS registry data disclosure system.

Last month the group, which maintains the internet’s infrastructure under the auspices of the US government, met with European regulators, who asked for changes to its draft Interim Model for compliance, including restricting the disclosure of email addresses.

The US government disagrees, saying it belives WHOIS should operate in a way more closely aligned with its current form, in which website contact information is made freely available online unless users pay for it to be concealed.

ICANN began its plans for compliance only late last year, and has asked European regulators for a one-year moratorium on enforcement while it puts measures into place, a request the authorities have so far shown little enthusiasm for granting.

In the absence of a moratorium ICANN fears registries and registrars will put their own measures into place to protect themselves from potentially large GDPR fines. That would fragment WHOIS, which is used by intellectual property enforcers and criminal authorities to track down offenders, ICANN argues.

ICANN’s Interim Model currently calls for an accreditation scheme by which individuals and organisations can receive full WHOIS data, with a reduced set displayed to the general public.

Fines on the way

A Spiceworks-commissioned study released on Wednesday found only 3 percent of US organisations feared fines if they did not comply with the GDPR by 25 May. The figure was higher in the UK, at 14 percent, and 9 percent in other parts of the EU.

Only 25 percent of US organisations said they were already or expected to be compliant by 25 May, compared to 61 percent in the UK and 46 percent in the rest of the EU.

How much do you know about privacy? Try our quiz!