• by Laurie Sullivan  @lauriesullivan, April 19, 2018

Internet Corporation for Assigned Names and Numbers (ICANN), which manages the Domain Name System (DNS), is completely unprepared for the new laws related to the General Data Protection Regulation (GDPR), which goes into effect in May, according to the European Union. 

ICANN manages WHOIS, a database listing of names, email addresses, phone numbers, and physical addresses of those who own website domains, including individuals and businesses. All that data is open to the public, but GDPR requires companies to gain consent to list any personal information on residents in the European Union.

Earlier this month, ICANN received a letter from the working group chartered to reach compliance for GDPR. The letter provided recommendations on ICANN’s Interim Model for Compliance. In the reply to the letter, Goran Marby, president and CEO of ICANN, asked for more time to further develop and implement the model, including a moratorium on enforcement until it is in place.

“ICANN recognizes the importance of the GDPR and its goal of protecting personal data, but also notes the importance of balancing the right to privacy with the need for information,” Marby wrote in a blog post.

ICANN proposed four interim models in January. Each model differs, but all were intended to facilitate additional community discussion.

ICANN still has not come up with a consistent way to make the data private, said Michael Fauscette, chief research officer at G2 Crowd, a business software and services company based on user ratings and social data.

“There are some services that charge to make your data private, yet on the other hand taking the names private could present security problems,” he said. “It’s been in the works for about two years.”

Fauscette said that under GDPR the contact name and information associated with the website are protected, so unless the person or business owner of the site gave permission to the information they would be in violation. 

"I don't think it works to have four different interim plans and then the domain registrar gets to make the decision because you don't know if the data is really protected," he added.