German Courts Rebuff ICANN For Fourth Time Over WHOIS/GDPR Data Collection

ICANN has suffered another setback in its desire to continue to collect and make public domain name registrant contact details following an appeal to a German High Court who ruled against ICANN's plea to reconsider the Court's own earlier decision following the introduction of the European Union's General Data Protection Regulation earlier this year.

ICANN has been pursuing a preliminary injunction from the German Court to require EPAG, a Germany-based, ICANN-accredited registrar (that is part of the Tucows Group and based in Bonn, Germany) to continue to collect elements of WHOIS data, as required under ICANN's Registrar Accreditation Agreement (RAA), which permits the registrar to sell domain name registrations for generic top-level domains.

ICANN received a ruling from the German Higher Regional Court in Cologne (“Appellate Court”) last week, that rejected ICANN's request for review (“plea of remonstrance”) filed by ICANN on 17 August 2018. ICANN's plea was filed to continue the immediate appeal in the ICANN v. EPAG injunction proceedings. ICANN initiated such proceedings against EPAG, to seek assistance in interpreting the European Union's General Data Protection Regulation (GDPR) in order to protect the data collected in WHOIS. The Appellate Court again has determined that it would not issue an injunction against EPAG.

This is the fourth time the German courts have rebuffed ICANN’s attempts to have EPAG enforce the RAA. On 30 May the Regional Court determined that it would not issue an injunction against EPAG. Then on 13 June ICANN appealed and on 18 July the Regional Court decided not to change its original determination not to issue an injunction against EPAG. The matter was referred to the Higher Regional Court in Cologne for appeal. Next on 3 August ICANN announced a German appeal court (Appellate Court of Cologne) had issued a decision on the injunction proceedings ICANN initiated against EPAG determining that it would not issue an injunction against EPAG.

In making its ruling, the Appellate Court found that the preliminary injunction proceeding does not provide the appropriate framework for addressing the nature of the contractual disputes at issue, and that a decision in preliminary proceedings does not appear to be urgently needed. Again, the Appellate Court did not address the merits of the underlying issues with respect to the application of GDPR as it relates to WHOIS.

ICANN is continuing to evaluate its next steps in light of this ruling, including possible additional filings before the German courts, as part of its public interest role in coordinating a decentralized global WHOIS for the generic top-level domain system.

On 25 May, the day the European Union’s General Data Protection Regulation came into place, ICANN filed a legal action against EPAG. This action was taken because of a disagreement between Tucows and ICANN on how the GDPR should be interpreted, with respect to their contracts.

In a post outlining their position back in May, EPAG Ashley La Bolle wrote the “GDPR begins with a statement of its core principle: ‘The protection of natural persons in relation to the processing of personal data is a fundamental right.’ Tucows has long been concerned with privacy and the rights of our customers, and takes the principles enshrined in this law extremely seriously.

“In order to have a domain registration system reflective of ‘data protection by design and default’, we started with the GDPR itself and crafted our procedures and policies around it. We built a new registration system with consent management processes, and a data flow that aligns with the GDPR’s principles. Throughout the registration life-cycle, we considered things like transparency, accountability, storage limitation, and data minimization.”

ICANN’s response to the GDPR came just over a week before the EU-wide data protection regulation came into place, and 2 years after it was announced. The “Temporary Specification”, as La Bolle writes, was “meant to temporarily bring gTLD registration services in line with the GDPR. The goal of the Specification is to serve as a stop-gap while the ICANN community works to resolve and balance issues between privacy law and existing ICANN policy.” EPAG have 3 concerns with the Temporary Specification based around “Personal Data Transfer to a Registry”, “Personal Data Display” and “Desire for Clarity”.