ICANN’s Evolving Registration Data Policy Post-WHOIS

The Internet Corporation for Assigned Names and Numbers (ICANN) has long been the central administrative body overseeing the global Domain Name System (DNS), including the policies that govern domain name registration data. For decades, this function was fulfilled primarily through the WHOIS protocol, a relatively open-access directory service that made domain registrant data publicly available. WHOIS served a variety of stakeholders—intellectual property owners, law enforcement agencies, cybersecurity researchers, journalists, and businesses seeking to identify online actors. However, with the advent of more stringent privacy regulations, particularly the European Union’s General Data Protection Regulation (GDPR), ICANN was forced to reevaluate and ultimately restructure its approach to registration data. This shift has initiated a complex and still-unfolding evolution in ICANN’s policies, leading to what is now broadly referred to as the Registration Data Policy (RDP) era.

The tension between privacy and transparency had existed in WHOIS since its inception, but it came to a head in May 2018 with the enforcement of the GDPR. The regulation imposes strict conditions on the collection, storage, and disclosure of personal data. Domain registrant information—such as names, email addresses, phone numbers, and physical locations—squarely falls within the scope of personal data when the registrant is an individual or sole proprietor. The traditional WHOIS model, which allowed for immediate and unauthenticated public access to such data, was incompatible with GDPR requirements. ICANN faced significant pressure to adapt, especially given that many registrars and registries are based in or serve customers within the European Economic Area (EEA).

In response, ICANN implemented the Temporary Specification for gTLD Registration Data in May 2018. This emergency policy, adopted to ensure compliance with GDPR while maintaining contractual continuity with registrars and registries, limited the amount of data made publicly accessible through WHOIS. Under the temporary model, most registrant contact information was redacted, and access to full registration data was restricted to parties with legitimate and lawful interests, such as law enforcement or those pursuing intellectual property enforcement. This interim policy marked a fundamental departure from the historically open WHOIS system and set the stage for the development of a longer-term solution through ICANN’s multistakeholder process.

To replace the Temporary Specification with a permanent framework, ICANN convened the Expedited Policy Development Process (EPDP) for gTLD Registration Data. The EPDP’s objective was to develop a consensus policy that would balance privacy, operational needs, and legal obligations. The process unfolded in multiple phases, with Phase 1 focusing on what data should be collected and disclosed, Phase 2 examining the possibility of a System for Standardized Access/Disclosure (SSAD), and Phase 2A addressing the differentiation of legal versus natural persons in registration data.

In Phase 1, the EPDP team affirmed that certain registration data elements should continue to be collected by registrars and registries for contractual and operational purposes, even if they are no longer published. These include the registrant’s name, organization, email address, and country. However, the team also recommended that most of this data be redacted from public access unless the registrant explicitly consents to disclosure or unless the registrar determines that the registrant is a legal person whose data is not subject to the same privacy protections.

Phase 2 introduced the concept of the SSAD, a proposed mechanism for granting accredited third parties access to non-public registration data. Under the SSAD model, parties with legitimate interests—such as intellectual property owners, cybersecurity researchers, and government agencies—could request access to redacted data through a standardized, auditable, and potentially automated system. The goal was to replace the fragmented, registrar-by-registrar data request process with a uniform framework. However, the SSAD has faced criticism for its complexity, cost, and lack of binding obligations on registrars to comply with disclosure requests. Many stakeholders, particularly from the intellectual property and cybersecurity sectors, have expressed concerns that the SSAD may not deliver timely or reliable access to critical information.

The EPDP Phase 2A further examined whether registration data for legal persons—such as corporations and organizations—should be treated differently than that of natural persons. This distinction is crucial because GDPR protections apply specifically to individuals, not to entities. In theory, information about a company’s domain registration, such as a generic corporate email address or office location, could be disclosed without breaching data protection law. However, many registrars have opted for blanket redaction to minimize legal risk, arguing that separating legal and natural persons is not always feasible in an automated or scalable way. The EPDP did not reach consensus on requiring differentiation, leaving the decision to individual registrars and perpetuating inconsistent practices across the industry.

ICANN’s evolving registration data policy also interacts with broader legal and geopolitical considerations. For example, the European Data Protection Board (EDPB) has issued guidance on the applicability of GDPR to domain registration data, but national data protection authorities have sometimes diverged in interpretation. Additionally, law enforcement agencies and government stakeholders have increasingly voiced concern over the challenges in accessing domain registration data for investigations involving cybercrime, terrorism, and online fraud. These concerns have been echoed in the context of international initiatives such as the Council of Europe’s Convention on Cybercrime (Budapest Convention) and the United Nations’ ongoing discussions on cyber norms.

In light of these challenges, ICANN is currently overseeing the implementation of the Registration Data Policy for gTLDs, which incorporates many of the EPDP recommendations into a formal policy set to replace the Temporary Specification. The implementation phase involves developing guidance for registrars and registries, ensuring contractual compliance, and building support tools for standardized disclosure processes. However, the lack of consensus on a binding access mechanism, combined with continued redaction of data, means that the registration data landscape remains fragmented and often opaque for legitimate data requesters.

The post-WHOIS era marks a profound shift in how domain name registration data is managed, accessed, and protected. ICANN’s policy evolution reflects a broader tension between privacy and accountability in the digital age. While the need to protect individuals’ personal information is indisputable, the retreat from open data access has created new obstacles for cybersecurity, trademark enforcement, and public interest oversight. The future of registration data policy will likely depend on further technological innovation, continued legal harmonization, and ongoing engagement among ICANN stakeholders. Whether ICANN can deliver a model that satisfies both privacy requirements and operational needs remains one of the most consequential questions facing internet governance today.
