Data Privacy Regulations and gTLD Operations Post-GDPR
- by Staff
The 2026 round of the ICANN New gTLD Program arrives in a vastly different regulatory environment compared to its predecessor in 2012. Since the implementation of the European Union’s General Data Protection Regulation (GDPR) in May 2018, data privacy has become a cornerstone of internet governance, fundamentally altering the operational, contractual, and technical landscape for domain name registries. The GDPR catalyzed a global wave of privacy legislation, influencing data protection policies in jurisdictions across Asia, North America, Latin America, and Africa. For new gTLD applicants in 2026, compliance with this evolving patchwork of regulations is not a peripheral concern—it is a central operational requirement with direct implications for registry viability, legal exposure, and reputational integrity.
The GDPR’s core principles—data minimization, purpose limitation, consent, transparency, accountability, and user access rights—have directly impacted the handling of WHOIS data, which had previously been publicly accessible by default. Prior to GDPR, domain registration data was often published in full through WHOIS records, exposing personal information such as registrant names, email addresses, phone numbers, and postal addresses. Under GDPR and similar laws, such exposure is no longer permissible without a lawful basis for processing. This has led to the development and adoption of gated access models and layered disclosure frameworks that limit public data visibility while enabling legitimate third-party access under strict conditions.
ICANN, in response to these regulatory shifts, implemented the Temporary Specification for gTLD Registration Data in 2018 and later worked toward a consensus-based policy through the Expedited Policy Development Process (EPDP). As a result, the 2026 gTLD Program requires registry operators to implement data protection measures that conform to the EPDP’s outcomes, including differentiated access, data retention limitations, and processing purpose specifications. Applicants must design and demonstrate robust data protection policies within their application materials, covering not just WHOIS data, but all personal data collected, stored, or processed in connection with registry operations.
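As an added illustration of the layered disclosure and purpose-bound access described in the two paragraphs above (example code, not from the article or from any ICANN or EPDP policy document), the function below redacts natural-person fields for anonymous lookups, releases only the fields an accredited requester asks for when a documented lawful purpose is given, and writes every disclosure to an audit trail. The field names, purpose list and sample record are constructed for the example.

```python
"""Layered disclosure for registration data (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Fields identifying a natural person; withheld from the public tier (assumed set).
PERSONAL_FIELDS = frozenset({"registrant_name", "registrant_email",
                             "registrant_phone", "registrant_address"})
# Purposes accepted as a documented lawful basis for disclosure (constructed list).
LAWFUL_PURPOSES = frozenset({"law_enforcement", "ip_rights", "security_research"})
REDACTED = "REDACTED FOR PRIVACY"


@dataclass(frozen=True)
class Request:
    requester_id: str          # accredited party identifier, or "anonymous"
    purpose: Optional[str]     # documented processing purpose; None = public lookup
    fields: frozenset          # fields actually needed (data minimization)


class DisclosureDenied(Exception):
    """Raised when no lawful basis supports the requested disclosure."""


def disclose(record: dict, req: Request, audit: list) -> dict:
    """Return the view of `record` that `req` is entitled to, logging each decision."""
    entry = {"when": datetime.now(timezone.utc).isoformat(),
             "who": req.requester_id, "domain": record["domain"]}
    if req.purpose is None:
        # Public tier: personal fields are redacted no matter who asks.
        view = {k: (REDACTED if k in PERSONAL_FIELDS else v) for k, v in record.items()}
        audit.append({**entry, "tier": "public", "fields": []})
        return view
    if req.requester_id == "anonymous" or req.purpose not in LAWFUL_PURPOSES:
        audit.append({**entry, "tier": "denied", "purpose": req.purpose})
        raise DisclosureDenied(f"no lawful basis for purpose {req.purpose!r}")
    # Accredited tier: release only the requested fields, and record which
    # personal fields left the registry, and under what purpose.
    view = {k: record[k] for k in req.fields if k in record}
    audit.append({**entry, "tier": "accredited", "purpose": req.purpose,
                  "fields": sorted(req.fields & PERSONAL_FIELDS)})
    return view


def sample_record() -> dict:
    """Constructed registration record used for demonstration only."""
    return {"domain": "example.test", "registrar": "Example Registrar Ltd",
            "registrant_name": "Jane Doe", "registrant_email": "jane@example.test",
            "registrant_phone": "+1.5555550100", "registrant_address": "1 Example St"}
```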
This includes interactions with registrars, escrow providers, technical service partners, and ICANN itself. Registry operators must clearly articulate their roles as data controllers or processors depending on the function and define the data processing agreements they will enter into with third parties. They are expected to document the legal bases for processing personal data, identify all categories of data subjects, and implement security measures such as encryption, access controls, and breach notification protocols in line with Article 32 of the GDPR. Applicants are also required to identify a Data Protection Officer (DPO) if their operations involve large-scale processing of registrant data or sensitive categories of information.
Cross-border data transfers present another layer of complexity. Since the invalidation of the EU–US Privacy Shield by the Court of Justice of the European Union in the Schrems II decision, data transfers between the EU and other jurisdictions have come under heightened scrutiny. Registry operators using service providers outside the EU must ensure that Standard Contractual Clauses (SCCs) or other lawful transfer mechanisms are in place. In some cases, data localization requirements may necessitate the use of regional data centers or jurisdiction-specific compliance measures, particularly in countries such as China, Brazil, or India, which have enacted their own comprehensive data privacy laws.
The operationalization of data subject rights is another critical component of post-GDPR gTLD management. Registries must be prepared to receive and respond to data access, correction, deletion, and portability requests within legally mandated timeframes. Although most of these interactions are handled at the registrar level, the registry must have oversight and audit capabilities to ensure compliance throughout the chain of custody. Moreover, any processing activity that involves automated decision-making or profiling must be transparently disclosed, and safeguards must be provided for data subjects to contest such decisions.
Security, as required under both GDPR and ICANN’s Registry Agreement, must be embedded into registry operations by design and by default. This includes not only cybersecurity protections but also internal data governance policies such as staff training, audit logging, and incident response readiness. Registries that fail to adequately protect personal data may face dual exposure: administrative fines from data protection authorities and contractual penalties under ICANN’s compliance regime. The dual risk elevates the importance of comprehensive privacy-by-design frameworks as part of the initial application and ongoing registry management.
Transparency measures are also now mandatory. Applicants must publicly post privacy notices that are accessible, comprehensible, and regularly updated to reflect any changes in data processing practices. These notices must detail the types of data collected, processing purposes, data sharing practices, retention periods, and user rights. The increasing expectation of privacy-savvy registrants and internet users demands clarity, candor, and user empowerment in how domain-related data is handled. Registries that excel in these areas will build trust and differentiate themselves in a privacy-conscious market.
The introduction of SSAD (System for Standardized Access/Disclosure), a proposed mechanism for handling lawful requests to access redacted registration data, further complicates the post-GDPR domain data landscape. While not yet fully implemented, SSAD or similar systems may become integral to how gTLDs facilitate compliance with competing obligations—transparency to rights holders, researchers, and law enforcement, and confidentiality for registrants. Registries in 2026 may be required to participate in such systems, or at minimum demonstrate compatibility with standardized access protocols and dispute resolution processes.
For gTLD applicants targeting sectors with heightened privacy sensitivity—such as .health, .bank, or .law—the expectations are even higher. These applicants must integrate sector-specific privacy standards, such as HIPAA in the United States or ePrivacy rules in Europe, and ensure alignment with industry norms. Failure to do so may not only result in regulatory penalties but also loss of credibility among users and clients who expect elevated protection standards for sensitive data.
Finally, ICANN’s updated evaluation criteria in 2026 include a thorough review of applicants’ data privacy readiness. The technical and operational evaluation panels will assess whether the proposed data handling practices are legally sound, technically feasible, and well-aligned with the global regulatory environment. Applicants must provide detailed documentation, including data flow diagrams, risk assessments, and privacy impact analyses, particularly if they plan to collect or process registrant data beyond what is required for domain registration itself.
In the post-GDPR world, data privacy is no longer an optional or peripheral concern for gTLD registries—it is a central operational imperative with legal, reputational, and commercial consequences. The 2026 New gTLD Program reflects this reality by embedding privacy requirements deeply into application evaluation, contractual obligations, and operational expectations. Applicants who treat privacy as a compliance checkbox are unlikely to succeed. Instead, those who embrace privacy-by-design principles, invest in infrastructure and expertise, and commit to ongoing accountability will be best positioned to thrive in a domain name ecosystem defined by trust, transparency, and regulatory alignment.