IANAL, but my understanding is that one of the “nice” things about GDPR is that it applies to European citizens, regardless of where they’re located.
GDPR applies to any data collector, processor, or subject of data collection , if any of those activities occur inside of the EU. **Citizenship or residence is not a factor.** For example, an American visiting an EU country is just as covered as a citizen of that country. If the data collector, processor and subject are solely outside of the EU, then GDPR *PROBABLY* does not apply. There are many edge cases here though. But the key takeaway is that the citizenship or residence of the data subject DOES NOT MATTER with respect to GDPR applicability. On Fri, Jul 18, 2025 at 3:40 PM David Conrad via NANOG < nanog@lists.nanog.org> wrote:
Hi,
On Jul 17, 2025, at 2:43 PM, Mel Beckman via NANOG <nanog@lists.nanog.org> wrote:
First, this seems like awfully short notice. Second, although I remember reading something about this a month ago having to do with GDPR, I didn’t realize it would result in the deletion of existing data in North America.
IANAL, but my understanding is that one of the “nice” things about GDPR is that it applies to European citizens, regardless of where they’re located. So if an EU citizen happens to be the registrant/contact for a domain registered anywhere in the world (including in the US), the data holder (i.e., the registrar) would, in theory, be liable for misuse of that data to the tune of “up to €20 million or 4% of the company’s global annual turnover from the preceding financial year, whichever is higher.” Since registrars generally don’t know the citizenship of the information associated with individual registrants or their contacts, the term “better safe than sorry” probably applies.
For domains I manage, I have an opportunity, however brief, to collect this information for future use. However, I’m surprised that this is happening to domains registered in North America. I would think it would conflict with ICANN requirements.
I see you, like any sane person, are blissfully unaware of the ongoing frenetic and kafkaesque events at ICANN since GDPR went into force in May 2018. In short, ICANN continues to require registrars to collect registrant information, however that information is (largely) unavailable to the public. Since the “temporary specification” (temp spec) was put in place shortly after GDPR went into effect, fields in Whois (now RDAP) that can contain PII must be redacted. ICANN did create a system to allow for requests of the redacted data (see https://www.icann.org/rdrs-en), but let’s just say opinions vary on its usefulness.
I suspect GoDaddy will probably argue that they have taken this step to try to minimize their liability exposure as a data holder — if the registry doesn’t require the data, the safest approach is obviously not to collect it. I believe this fits within ICANN’s requirements. Oh, and you, as a member of the public, will still be unable to see that data (law enforcement may be able to see it if they ask and/or they have a court order).
Has anybody else got ideas on the impact of this going forward? I’m not in the domain resale business, but I am in the business of troubleshooting network problems. :-)
My somewhat cynical answer: if you relied on domain (and likely IP address/ASN in the future) registration data, it might be worthwhile figuring out alternatives to that reliance. Les cynically: pragmatically, given the vast majority of contact information these days points to privacy providers or is redacted, I’m unclear there will be significant impact — the data is already pretty useless.
Regards, -drc
_______________________________________________ NANOG mailing list
https://lists.nanog.org/archives/list/nanog@lists.nanog.org/message/LCEN6OBF...