GDPR Touches DN Transfers: Changes to Inter-Registrar Transfer Procedure Call for Extra Vigilance

As a result of the obscuring of the WHOIS details for many registrants’ domain name records that has come in the wake of the entry into force of the EU’s General Data Protection Regulation (GDPR) on 25 May 2018, the inter-registrar domain name transfer procedure for domain names regulated by ICANN (primarily gTLDs) is having to adapt itself.  In concrete terms, positive confirmation will no longer be required from the old registrant of a domain name before a registrar transfer proceeds.  Domain name owners should be aware of how the changes will affect them and what they must do in order to ensure that their domain names remain secure.

Previously, when an inter-registrar transfer was carried out, the new registrar would send a “Form of Authorisation” to the current registrant by email and they would need to confirm the request in order for it to go through.  As many registrant email addresses will now be masked in line with the requirements of the GDPR (either because the registrant is based in Europe, the registrar is based in Europe, or the domain name is held with a registrar that has decided to mask all registrants’ contact details regardless of their geographic location), this will no longer be possible.  As such, gaining registrars will be able to skip the Form of Authorisation requirement.

In order to effect a registrar transfer, the gaining registrant will still need to obtain and submit the authorisation code for the domain name and the old registrar will send a notification of transfer of the domain name to the old registrant.  If the old registrant does not cancel the transfer within five days, it will go through.

Additionally, the new registrant will be obliged to provide WHOIS data to the new registrar as this information cannot be pulled from the existing WHOIS record.

Although security on inter-registrar transfers has been reinforced considerably in recent times (notably, with the introduction of the 60-day post-transfer registrar lock), in view of this most recent development, registrants should be particularly vigilant about fraudulent transfer requests and ensure that the email and registrar accounts that they use for managing their domain name portfolios are secure.  Certain registrars are even taking additional measures, such as locking all domain names held with them and issuing new authorisation codes for them, in order to try and prevent domain name theft.

The bypassing of the Form of Authorisation is said to be a temporary measure that will remain in place until ICANN implements a system via which registrars can get access to WHOIS data of domain names they are seeking to transfer. We will be keeping an eye out for any such developments.


Authored by Jane Seager and Cindy Mikul

Jane Seager


© 2019 Hogan Lovells. All rights reserved. "Hogan Lovells" or the “firm” refers to the international legal practice that comprises Hogan Lovells International LLP,Hogan Lovells US LLP and their affiliated businesses, each of which is a separate legal entity. Attorney advertising. Prior results do not guarantee a similar outcome.