Introduction

Since the entry into force of the General Data Protection Regulation (GDPR) in 2018, access to domain name registration data via WHOIS has been profoundly disrupted. Faced with increasing opacity adversely affecting trademark owners, cybersecurity professionals, and judicial authorities, ICANN has undertaken a structural overhaul of its data access architecture. From the SSAD project to the RDRS, alongside the adoption of the RDAP protocol and the new Registration Data Policy, the normative framework is being reshaped, with concrete and immediate implications for all intellectual property stakeholders.

WHOIS in the face of the GDPR: a structural reassessment

For more than thirty years, the WHOIS database constituted the reference tool for identifying domain name registrants. Following the entry into force of the GDPR in 2018, ICANN required registrars to remove or mask personal data of registrants in the public WHOIS database, giving rise to what practice has termed the “WHOIS blackout.”

For intellectual property practitioners, the impact is both immediate and lasting: the new opacity surrounding registrant identity directly complicates the enforcement of infringement rights. Henceforth, the only option consists in submitting a request to the relevant registrar, without any assurance as to the outcome, processing timelines, or the existence of a harmonized procedure.

This development places ICANN in a particularly sensitive position: it must reconcile its mission to preserve the stability and security of the global DNS with compliance with legal obligations relating to data protection, the extraterritorial scope of which is now well established. The institutional response to this challenge has been constructed through successive stages, each seeking to refine and further structure the framework.

The SSAD: A normative ambition hampered by its own complexity

Project genesis

The SSAD (System for Standardized Access/Disclosure) constitutes a centralized system project intended to regulate the processing of requests for access to non-public registration data and was published by ICANN in 2022. It follows on from recommendations 1 to 18 of the final report of Phase 2 of the EPDP (Expedited Policy Development Process) of the GNSO (Generic Names Supporting Organization). The objective is to establish a single point of access enabling accredited requesters to obtain data, where appropriate anonymized, under predictable, transparent conditions compliant with GDPR requirements.

Operationally, this mechanism envisages, inter alia, the implementation of a unified process for creating and verifying requester accounts, a standardized request submission mechanism, and partial automation of disclosures in certain limited circumstances, in order to reduce the identification burden on contracted parties.

Obstacles leading to suspension

Despite its conceptual merit, the SSAD encountered prohibitive economic and technical realities. According to ICANN’s Operational Design Assessment, the implementation of the SSAD could require between USD 20 and 27 million in development costs, and more than USD 100 million annually in operating costs depending on adoption rates. The development of the system, entrusted to an external provider, was estimated at between 31.5 and 42 months, following two years of preliminary work by ICANN’s internal review team.

In February 2023, nearly five years after the GDPR entered into force, the SSAD project was officially placed on hold. ICANN then shifted to a more incremental and progressive approach, less ambitious but deployable in the short term: the RDRS.

The RDRS: the operational bridge until 2027

Architecture and functioning of the service

The RDRS (Registration Data Request Service) is a free, centralized system, available on a global scale for managing requests for access to non-public registration data of gTLDs (generic Top-Level Domains). It operates as a platform connecting, on the one hand, requesters demonstrating a legitimate interest and, on the other hand, ICANN-accredited registrars that have chosen to participate.

In practice, the service provides a unified framework for submitting requests, allows supporting legal documentation to be attached, enables the storage of reusable request templates, tracks case progress, and routes requests directly to participating registrars.

Access to the RDRS, is restricted to certain categories of users, including public authorities , intellectual property practitioners, consumer protection actors, cybersecurity specialists, and representatives of public bodies.

Practical Example: A law firm specializing in intellectual property, mandated to identify the registrant of a domain name reproducing a well-known trademark, may submit via the RDRS a request for access to registration data accompanied by relevant supporting evidence (industrial property title, evidence of infringement). The registrar must then respond within a certain timeframe, although disclosure of the requested data is neither automatic nor guaranteed.

Structural Limitations of the System

The RDRS aims to standardize the request submission procedure without harmonizing decisions relating to data disclosure. Each registrar retains decision-making autonomy and conducts its own legal assessment on a case-by-case basis in accordance with applicable law and ICANN policies.

Moreover, as participation is not mandatory, the system covers only a portion of domain names. In this respect, the Governmental Advisory Committee (GAC) indicated during ICANN84 in Dublin that the RDRS provides access, at best, to approximately 60% of gTLDs.

Finally, by decision dated 30 October 2025, ICANN’s Board of Directors extended the system until December 2027, pending the work of the ICANN community aimed at defining a permanent standardized access and disclosure mechanism, such as the SSAD or any successor system.

This extension establishes a hybrid environment for the next two years: rights holders and investigative services retain an operational channel to submit requests; ICANN’s Board encourages the broadest possible use by requesters and registrars without imposing a general obligation; in parallel, ICANN has launched a public consultation on a roadmap addressing structural shortcomings, including access to data via proxy services, timelines applicable to urgent requests, and authentication mechanisms.

The registration data policy and the RDAP protocol: the new normative foundation

The Registration Data Policy effective as of 21 August 2025

The Registration Data Policy (RDP), adopted by ICANN and effective as of 21 August 2025, establishes a harmonized and structured normative framework governing the collection, processing, publication, and disclosure of domain name registration data by registrars and registry operators. It replaces the interim measures implemented in 2018 following the entry into force of the GDPR and aims to standardize data management practices across all gTLDs.

The main obligations introduced by the RDP include in particular:

• Limited publication: only non-personal data may be made publicly available via WHOIS/RDAP;
• Controlled disclosure: any access request must be justified, documented, and processed through a standardized procedure;
• Accuracy and reliability: regular verification of registrant information;
• Retention and security: protection and retention of data for the minimum period defined by ICANN (two years);
• Accountability and compliance: adequate documentation, technical measures, and cooperation with ICANN audits.

The RDAP protocol

Since 28 January 2025, the RDAP (Registration Data Access Protocol) has become the reference mechanism for accessing registration data for generic top-level domains, intended to replace the WHOIS system, whose services are being progressively phased out.

Unlike WHOIS, which is based on plain text responses, RDAP relies on standardized and structured web formats enabling automated data processing by information systems. It also incorporates advanced functionalities, particularly in terms of internationalization, secure access to data, service discovery, and differentiated access to registration data.

Strategic implications for IP rights holders

The GDPR logic at the core of disclosure decisions

For European stakeholders, any disclosure request via the RDRS falls within the scope of Article 6(1)(f) of the GDPR, relating to legitimate interest.

In accordance with ICANN’s Temporary Specification for registration data, registrars may grant access to personal data to third parties demonstrating a legitimate interest.

However, such access is not automatic: it requires a balancing test between the requester’s interest and the fundamental rights and freedoms of the domain name registrant. Disclosure may only occur where the legitimate interest invoked does not disproportionately infringe those rights.

The temporary policy provides that registrars must grant reasonable access to personal data to third parties demonstrating a legitimate interest, unless the interests or fundamental rights of the domain name registrant prevail over those of the requester, in accordance with Article 6(1)(f) GDPR.

Towards a future SSAD reinforced by the NIS2 directive

The NIS2 Directive, with its reference to “legitimate requesters,” strengthens the likelihood that a finalized version of the SSAD will become an official ICANN policy. The envisaged prospects include prior accreditation of requesters, mandatory participation of registrars—unlike the voluntary nature of the RDRS and differentiated access rights depending on the requester’s profile (judicial authorities, law enforcement, IP rights holders).

Key Takeaways:

• The RDRS is operational until December 2027, but its coverage remains partial (~60% of gTLDs);
• The Registration Data Policy of 21 August 2025 now constitutes the new contractual framework for all registrars;
• The RDAP is intended to progressively replace WHOIS for access to domain name registration data, with a key milestone set on 28 January 2025;
• A permanent system (SSAD or successor) remains to be developed; its final architecture will be determined during the RDRS extension period.

Schema art Whois MAJ ENG

Conclusion

The WHOIS data access system is undergoing a profound transformation, the final contours of which will likely only be determined by 2027–2028. Between the normative ambition of the SSAD, the operational pragmatism of the RDRS, and the regulatory consolidation driven by the Registration Data Policy and the RDAP protocol, ICANN is progressively building a GDPR-compliant registration data access ecosystem while seeking to preserve the legitimate interests of rights holders.

For intellectual property professionals, this transitional period requires a dual vigilance: mastering the RDRS procedures currently available while anticipating the normative developments that will reshape data access in the coming years.

Cybersecurity, the fight against cybersquatting, and online trademark enforcement depend directly on this.

Dreyfus & Associés assists its clients in managing complex intellectual property cases, offering personalized advice and comprehensive operational support for the complete protection of intellectual property.

Dreyfus & Associés works in partnership with a global network of attorneys specializing in Intellectual Property.

Nathalie Dreyfus with the support of the entire Dreyfus team

FAQ

What risks do companies face if they cannot identify a domain name registrant?

The lack of direct access to the identity of a domain name registrant exposes companies to several operational and legal risks. It significantly delays infringement or cybersquatting actions by complicating the identification of the opposing party and the collection of evidence. This opacity may also delay interim measures (blocking, domain transfer) and increase costs associated with technical or judicial investigations. Ultimately, it weakens companies’ ability to effectively protect their intangible assets and to respond swiftly to online infringements.

Are WHOIS data access rules identical across domain name extensions (.com, .fr, .eu)?

No, access rules vary depending on registries and the legal frameworks applicable to each extension. While gTLDs (.com, .net, etc.) are governed by ICANN policies, ccTLDs (.fr, .eu, etc.) are subject to specific national or regional regulations. For example, certain European extensions apply stricter personal data protection rules, while others provide regulated access mechanisms for rights holders. This heterogeneity requires a case-by-case analysis in any international protection strategy.

Do judicial authorities have specific means to access non-public data?

Yes, judicial authorities and certain administrative authorities have specific mechanisms enabling them to obtain access to non-public data. Such access may occur in the context of judicial proceedings, requisitions, or official requests addressed to registrars. In some cases, international cooperation or sector-specific regulatory frameworks facilitate such access. However, these mechanisms remain regulated and subject to strict requirements in terms of proportionality and data protection.

How can companies adapt their trademark protection strategy in light of limited access to WHOIS data?

Companies must adopt a more proactive and structured approach. This includes strengthening domain name monitoring systems, systematically documenting infringements (screenshots, history, content), and using available channels such as the RDRS or alternative dispute resolution procedures (UDRP, URS). Furthermore, resorting to complementary intellectual property strategies (extended trademark filings, defensive domain name registrations) helps anticipate risks. Finally, support from experts becomes essential to navigate a more fragmented legal environment.

Will ICANN developments impact the fight against cybercrime and online fraud?

Yes, these developments have a direct impact on the effectiveness of actions against cybercrime. Limited access to data complicates the rapid identification of perpetrators of unlawful activities, potentially delaying investigations and remediation measures. However, the mechanisms under development aim to restore regulated access for legitimate actors, particularly for security and user protection purposes. The balance sought between data protection and security requirements will ultimately determine the effectiveness of mechanisms to combat online fraud.

This publication is intended to provide general guidance to the public and to highlight certain issues. It is not intended to apply to specific situations or to constitute legal advice.