Jay, On Jul 19, 2025, at 9:15 AM, Jay Acuna via NANOG <nanog@lists.nanog.org> wrote:
I would suggest here the GPDR is controlling only because of ICANN inaction and ICANN indecisiveness.
ICANN is a bit odd in that it is a private entity responsible for a global resource that folks all over the world have to use if they want to use the public Internet. I believe one could say GDPR is “controlling” because ICANN’s "contracted parties" (gTLD registries and ICANN accredited registrars) and the larger community operate and live in areas in which GDPR is the law of the land. I think it fair to say ICANN (both organization and community) failed to take GDPR seriously prior to it going into effect, but that's water under the bridge long ago.
It is entirely possible ICANN (if there was actually concern about preserving the WHOIS service) could have set a rule
You may be unaware how ICANN works (using the term loosely). ICANN is not a government or treaty organization. ICANN (the organization) has what powers it has by private contract. It can’t unilaterally impose new contractual obligations to existing contracts. To add new obligations, it must negotiate with the contracted parties, in many cases involving (or being driven by) the larger community. For reference, the most recent amendments to the Registrar Accreditation Agreement took about 10 years to negotiate and get put into force.
requiring full WHOIS contacts for all organizations and a registrant name and address including a physical address of the registrant and requiring a real person's name, address, phone, and fax for at least 1 contact of each type who is an person individually authorized by the domain owner and not a forwarding address, presented in every WHOIS listing, and verified by the registrar calling the number and obtaining consent, and posting a physical letter, and obtaining consent, and sending an email, and obtaining consent.
And registrars not able to enforce those requirements on every domain that appears purported to be the domain of a company or business; due to being within GPDR jurisdiction would no longer be able to remain accredited registrars. Possibly requiring anyone in the EU wishing to register a domain to leave their jurisdiction and conduct business with an overseas registrar able to run a WHOIS service not subject to the EU's local rules.
And Registrars, particularly European ones, would agree to these terms because…? (And that’s not even taking into consideration the concerns of government representatives like those from the EU and privacy advocates within the community that would surely weigh in heavily if a policy along these lines ever came up). To be clear, I’m not trying to defend ICANN here, just trying to provide information as to why things are the way they are. Regards, -drc