ICANN Loses Another Round in Battle Over Whois and GDPR With EPAG

ICANN announced Friday they had lost another round in their battle to get EPAG, a subsidiary of Tucows, to enforce their “temporary specification” on the collection of domain name registrant data.

For the third time the German courts have ruled against ICANN. This time the Appellate Court determined that it would not issue an injunction against EPAG. In making its ruling, ICANN explains in its announcement, “the Appellate Court stated that the interpretation of provisions of the GDPR was not material to its decision, so there was no obligation to refer the matter to the European Court of Justice.”

“Rather, the Appellate Court simply found that it was not necessary for it to issue a preliminary injunction to avoid imminent and substantial disadvantages, and noted that ICANN could pursue its claims in the main proceedings in order to enforce the rights it asserts.”

Former ICANN staffer and now (again) journalist on the domain name industry Kieren McCarthy tweeted on the news:

#ICANN has lost its #Whois legal case yet again. And its insistence that the matter be referred to the ECJ has been refused. Just how bad does it have to get before this critical org gets itself some proper legal advice?

ICANN is seeking to have EPAG reinstate collection of administrative and technical contact data for new domain name registrations. To comply with the European Unions General Data Protection Regulation, ICANN was seeking to have all its 2,500 accredited registrars and registries to continue to collect “thick” data but anyone conducting a Whois search would only receive “Thin” data in return, which includes only technical data sufficient to identify the sponsoring Registrar, status of the registration, and creation and expiration dates for each registration, but not personal data.

However Tucows took the view ICANN’s temporary specification wasn’t compliant with the GDPR. They had problems with 3 core issues. These issues were the collection, transfer, and public display of the personal information of domain registrants and the other contractually-mandated contacts.

Which led to a dispute on how the GDPR impacts EPAG’s registrar accreditation agreement. “The facts and the law, as we see them, do not support ICANN’s broader view of what will impact the security and stability of the internet. Neither do we find the purposes outlined in the temporary specification proportional to the risks and consequences of continuing to collect, process and display unnecessary data.”

ICANN note that they are now considering their “next steps, including possible additional filings before the German courts, as part of its public interest role in coordinating a decentralised global WHOIS for the generic top-level domain system and will provide additional information in the coming days.”