In a bid to “to protect the data collected in WHOIS”, ICANN last week sought a court ruling in a German court to “ensure the continued collection of all WHOIS data, so that such data remains available to parties demonstrating legitimate purpose to access it, consistent with the GDPR.”
The “one-sided filing” in Bonn, Germany, was against German registrar EPAG, these days part of the Tucows group. EPAG had recently informed ICANN that it would no longer collect administrative and technical contact information for generic top level domain name registrations as it believes collection of that data would violate the GDPR rules, and further, it wasn’t needed.
EPAG had advised ICANN it no longer intended to collect such data, citing the GDPR law implementation as its rationale. In a statement from their parent company, Tucows, they said they “realised that the domain name registration process, as outlined in ICANN’s 2013 Registrar Accreditation Agreement, not only required us to collect and share information we didn’t need, it also required us to collect and share people’s information where we may not have a legal basis to do so. What’s more, it required us to process personal information belonging to people with whom we may not even have a direct relationship, namely the Admin and Tech contacts.”
Through its contract with registrars including EPAG, ICANN requires the WHOIS information be collected. In an effort to comply with the European Union’s General Data Protection Regulation, ICANN recently adopted a new Temporary Specification regarding how WHOIS data should be collected and which parts may be published, which ICANN believes is consistent with the GDPR.
The late announcement of the Temporary Specification, a week before the GDPR came into being, already had registrars irate, as they had to have their systems compliant ready for its implementation. Speaking to Domain Pulse at the Domain Pulse conference (unrelated), EPAG’s Managing Director Ashley La Bolle said at EPAG they wished “ICANN had started work on this a year ago. Of course, we will try to accommodate changes, but in absence of new consensus policies, we have to develop solutions that we believe will ensure our own compliance with the law.”
The German court ruled in favour of EPAG, at least in part, ruling it would not require EPAG to collect the administrative and technical data for new registrations. However, the Court did not indicate in its ruling that collecting such data would be a violation of the GDPR. Rather, said ICANN in a statement, the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse the security aspects in connection with the domain name (such as criminal activity, infringement or security problems).
The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.
“While ICANN appreciates the prompt attention the Court paid to this matter, the Court's ruling today did not provide the clarity that ICANN was seeking when it initiated the injunction proceedings,” said John Jeffrey, ICANN's General Counsel and Secretary. “ICANN is continuing to pursue the ongoing discussions with the European Commission, and WP29, to gain further clarification of the GDPR as it relates to the integrity of WHOIS services.”
So where to from here? Michele Neylon from the Irish registrar and hosting company Blacknight suggests “there might be more at play here than initially meets the eye. ICANN is probably coming under a lot of pressure from the US government and other interests in relation to public whois. Recent speeches by US Department of Commerce’s head honcho David Redl in multiple venues have underlined the US government’s fixation with full public whois.”
It's not over yet. As Jeffrey noted, the ruling didn’t give the clarity ICANN sought. Watch this space.