Tag Archives: EPAG

ICANN Reaffirms gTLD Registration Data Temporary Specification in Defiance of German Courts

Although ICANN isn’t technically American, there’s a growing difference of opinion between Europe and “America” over how to deal with the collection of domain name registrants’ registration, or Whois, data. Despite going down 4-0 to German courts in a dispute where EPAG is refusing to abide by ICANN’s requirement to collect registration data, ICANN has continued to insist registrars and registries collect the data they require for gTLDs.

German Courts Rebuff ICANN For Fourth Time Over WHOIS/GDPR Data Collection

ICANN has suffered another setback in its desire to continue to collect and make public domain name registrant contact details following an appeal to a German High Court, which ruled against ICANN's plea to reconsider the Court's own earlier decision following the introduction of the European Union's General Data Protection Regulation earlier this year.

ICANN has been pursuing a preliminary injunction from the German Court to require EPAG, a Germany-based, ICANN-accredited registrar (that is part of the Tucows Group and based in Bonn, Germany) to continue to collect elements of WHOIS data, as required under ICANN's Registrar Accreditation Agreement (RAA), which permits the registrar to sell domain name registrations for generic top-level domains.

ICANN received a ruling from the German Higher Regional Court in Cologne (“Appellate Court”) last week, that rejected ICANN's request for review (“plea of remonstrance”) filed by ICANN on 17 August 2018. ICANN's plea was filed to continue the immediate appeal in the ICANN v. EPAG injunction proceedings. ICANN initiated such proceedings against EPAG, to seek assistance in interpreting the European Union's General Data Protection Regulation (GDPR) in order to protect the data collected in WHOIS. The Appellate Court again has determined that it would not issue an injunction against EPAG.

This is the fourth time the German courts have rebuffed ICANN’s attempts to have EPAG enforce the RAA. On 30 May the Regional Court determined that it would not issue an injunction against EPAG. Then on 13 June ICANN appealed and on 18 July the Regional Court decided not to change its original determination not to issue an injunction against EPAG. The matter was referred to the Higher Regional Court in Cologne for appeal. Next on 3 August ICANN announced a German appeal court (Appellate Court of Cologne) had issued a decision on the injunction proceedings ICANN initiated against EPAG determining that it would not issue an injunction against EPAG.

In making its ruling, the Appellate Court found that the preliminary injunction proceeding does not provide the appropriate framework for addressing the nature of the contractual disputes at issue, and that a decision in preliminary proceedings does not appear to be urgently needed. Again, the Appellate Court did not address the merits of the underlying issues with respect to the application of GDPR as it relates to WHOIS.

ICANN is continuing to evaluate its next steps in light of this ruling, including possible additional filings before the German courts, as part of its public interest role in coordinating a decentralized global WHOIS for the generic top-level domain system.

On 25 May, the day the European Union’s General Data Protection Regulation came into place, ICANN filed a legal action against EPAG. This action was taken because of a disagreement between Tucows and ICANN on how the GDPR should be interpreted, with respect to their contracts.

In a post outlining their position back in May, EPAG’s Ashley La Bolle wrote that the “GDPR begins with a statement of its core principle: ‘The protection of natural persons in relation to the processing of personal data is a fundamental right.’ Tucows has long been concerned with privacy and the rights of our customers, and takes the principles enshrined in this law extremely seriously.

“In order to have a domain registration system reflective of ‘data protection by design and default’, we started with the GDPR itself and crafted our procedures and policies around it. We built a new registration system with consent management processes, and a data flow that aligns with the GDPR’s principles. Throughout the registration life-cycle, we considered things like transparency, accountability, storage limitation, and data minimization.”

ICANN’s response to the GDPR came just over a week before the EU-wide data protection regulation came into place, and 2 years after it was announced. The “Temporary Specification”, as La Bolle writes, was “meant to temporarily bring gTLD registration services in line with the GDPR. The goal of the Specification is to serve as a stop-gap while the ICANN community works to resolve and balance issues between privacy law and existing ICANN policy.” EPAG have 3 concerns with the Temporary Specification based around “Personal Data Transfer to a Registry”, “Personal Data Display” and “Desire for Clarity”.

ICANN Loses Another Round in Battle Over Whois and GDPR With EPAG

ICANN announced Friday they had lost another round in their battle to get EPAG, a subsidiary of Tucows, to enforce their “temporary specification” on the collection of domain name registrant data.

For the third time the German courts have ruled against ICANN. This time the Appellate Court determined that it would not issue an injunction against EPAG. In making its ruling, ICANN explains in its announcement, “the Appellate Court stated that the interpretation of provisions of the GDPR was not material to its decision, so there was no obligation to refer the matter to the European Court of Justice.”

“Rather, the Appellate Court simply found that it was not necessary for it to issue a preliminary injunction to avoid imminent and substantial disadvantages, and noted that ICANN could pursue its claims in the main proceedings in order to enforce the rights it asserts.”

Former ICANN staffer and now (again) journalist on the domain name industry Kieren McCarthy tweeted on the news:

#ICANN has lost its #Whois legal case yet again. And its insistence that the matter be referred to the ECJ has been refused. Just how bad does it have to get before this critical org gets itself some proper legal advice?

ICANN is seeking to have EPAG reinstate collection of administrative and technical contact data for new domain name registrations. To comply with the European Union’s General Data Protection Regulation, ICANN was seeking to have all its 2,500 accredited registrars and registries continue to collect “thick” data, while anyone conducting a Whois search would only receive “thin” data in return, which includes only technical data sufficient to identify the sponsoring Registrar, status of the registration, and creation and expiration dates for each registration, but not personal data.

However Tucows took the view ICANN’s temporary specification wasn’t compliant with the GDPR. They had problems with 3 core issues. These issues were the collection, transfer, and public display of the personal information of domain registrants and the other contractually-mandated contacts.

This led to a dispute on how the GDPR impacts EPAG’s registrar accreditation agreement. “The facts and the law, as we see them, do not support ICANN’s broader view of what will impact the security and stability of the internet. Neither do we find the purposes outlined in the temporary specification proportional to the risks and consequences of continuing to collect, process and display unnecessary data.”

ICANN note that they are now considering their “next steps, including possible additional filings before the German courts, as part of its public interest role in coordinating a decentralised global WHOIS for the generic top-level domain system and will provide additional information in the coming days.”

 

ICANN Appeals German Court Decision on GDPR / WHOIS

ICANN today (13 June) appealed a decision by the Regional Court in Bonn, Germany not to issue an injunction in proceedings that ICANN initiated against EPAG, a Germany-based, ICANN-accredited registrar that is part of the Tucows Group. The appeal was filed to the Higher Regional Court of Cologne, Germany.

ICANN is asking the Higher Regional Court to issue an injunction that would require EPAG to reinstate the collection of all WHOIS data required under EPAG’s Registrar Accreditation Agreement with ICANN.

The Regional Court in Bonn rejected ICANN’s initial application for an injunction, in which ICANN sought to require EPAG to collect administrative contact and technical contact data for new domain name registrations.

If the Higher Regional Court does not agree with ICANN or is not clear about the scope of the European Union’s General Data Protection Regulation (GDPR), ICANN is also asking the Higher Regional Court to refer the issues in ICANN’s appeal to the European Court of Justice.

ICANN is appealing the 30 May 2018 decision by the Regional Court in Bonn as part of ICANN’s public interest role in coordinating a decentralized global WHOIS for the generic top-level domain system.

“We are continuing to seek clarity of how to maintain a global WHOIS system and still remain consistent with legal requirements under the GDPR,” said John Jeffrey, ICANN’s General Counsel and Secretary. “We hope that the Court will issue the injunction or the matter will be considered by the European Court of Justice.”

Background:

On 25 May 2018, ICANN filed the injunction proceedings against EPAG. ICANN asked the Court for assistance in interpreting the GDPR in an effort to protect the data collected in WHOIS. ICANN sought a court ruling to ensure the continued collection of all WHOIS data. The intent was to assure that all such data remains available to parties who demonstrate a legitimate purpose to access it, and to seek clarification that under the GDPR, ICANN may continue to require such collection.

ICANN filed the proceedings because EPAG had informed ICANN that as of 25 May 2018 when it sells new domain name registrations, it would no longer collect administrative and technical contact information. EPAG believes collection of that particular data would violate the GDPR. ICANN’s contract with EPAG requires that information to be collected.

EPAG is one of over 2,500 registrars and registries that help ICANN maintain the global information resource of the WHOIS system. ICANN is not seeking to have its contracted parties violate the law. Put simply, EPAG’s position spotlights a disagreement with ICANN and others as to how the GDPR should be interpreted.

On 30 May 2018, the Court determined that it would not issue an injunction against EPAG. In rejecting the injunctive relief, the Court ruled that it would not require EPAG to collect the administrative and technical data for new registrations. However, the Court did not indicate in its ruling that collecting such data would be a violation of the GDPR. Rather, the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse in connection with the domain name (such as criminal activity, infringement or security problems).

The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.

ICANN appreciates and understands the dilemma of EPAG in trying to interpret the GDPR rules against the WHOIS requirements, but if EPAG’s actions stand, those with legitimate purposes, including security-related purposes, law enforcement, intellectual property rights holders, and other legitimate users of that information may no longer be able to access full WHOIS records.

In addition to the court proceedings, ICANN is continuing to pursue ongoing discussions with the European Commission and the European Data Protection Board to gain further clarification of the GDPR as it relates to the integrity of WHOIS services.

About ICANN

ICANN’s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2018-06-13-en

German Court Rejects ICANN Bid to “Protect” WHOIS Data

In a bid “to protect the data collected in WHOIS”, ICANN last week sought a court ruling in a German court to “ensure the continued collection of all WHOIS data, so that such data remains available to parties demonstrating legitimate purpose to access it, consistent with the GDPR.”

The “one-sided filing” in Bonn, Germany, was against German registrar EPAG, these days part of the Tucows group. EPAG had recently informed ICANN that it would no longer collect administrative and technical contact information for generic top level domain name registrations as it believes collection of that data would violate the GDPR rules, and further, it wasn’t needed.

EPAG had advised ICANN it no longer intended to collect such data, citing the GDPR law implementation as its rationale. In a statement from their parent company, Tucows, they said they “realised that the domain name registration process, as outlined in ICANN’s 2013 Registrar Accreditation Agreement, not only required us to collect and share information we didn’t need, it also required us to collect and share people’s information where we may not have a legal basis to do so. What’s more, it required us to process personal information belonging to people with whom we may not even have a direct relationship, namely the Admin and Tech contacts.”

Through its contract with registrars including EPAG, ICANN requires the WHOIS information be collected. In an effort to comply with the European Union’s General Data Protection Regulation, ICANN recently adopted a new Temporary Specification regarding how WHOIS data should be collected and which parts may be published, which ICANN believes is consistent with the GDPR.

The late announcement of the Temporary Specification, a week before the GDPR came into being, already had registrars irate, as they had to have their systems compliant and ready for its implementation. Speaking to Domain Pulse at the Domain Pulse conference (unrelated), EPAG’s Managing Director Ashley La Bolle said at EPAG they wished “ICANN had started work on this a year ago. Of course, we will try to accommodate changes, but in absence of new consensus policies, we have to develop solutions that we believe will ensure our own compliance with the law.”

The German court ruled in favour of EPAG, at least in part, ruling it would not require EPAG to collect the administrative and technical data for new registrations. However, the Court did not indicate in its ruling that collecting such data would be a violation of the GDPR. Rather, said ICANN in a statement, the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse in connection with the domain name (such as criminal activity, infringement or security problems).

The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.

“While ICANN appreciates the prompt attention the Court paid to this matter, the Court's ruling today did not provide the clarity that ICANN was seeking when it initiated the injunction proceedings,” said John Jeffrey, ICANN's General Counsel and Secretary. “ICANN is continuing to pursue the ongoing discussions with the European Commission, and WP29, to gain further clarification of the GDPR as it relates to the integrity of WHOIS services.”

So where to from here? Michele Neylon from the Irish registrar and hosting company Blacknight suggests “there might be more at play here than initially meets the eye. ICANN is probably coming under a lot of pressure from the US government and other interests in relation to public whois. Recent speeches by US Department of Commerce’s head honcho David Redl in multiple venues have underlined the US government’s fixation with full public whois.”

It's not over yet. As Jeffrey noted, the ruling didn’t give the clarity ICANN sought. Watch this space.

GDPR: EPAG’s MD Explains The Nightmare on Registrar Street

At the recent Domain Pulse conference in Munich, on 22 and 23 February, the upcoming General Data Protection Regulation (GDPR) was a focus of discussions both during conference presentations and panel discussions and during breaks. Its implementation is becoming a nightmare for many industries, with registries, both gTLD and ccTLD, and registrars each facing their own problems.

That ICANN is a year too late in working out a solution for gTLDs and ccTLDs has made registrars’ lives a nightmare, as each one has introduced their own unique solution, Ashley La Bolle, EPAG’s Managing Director, told Domain Pulse following the panel discussion (see the interview below).

With ICANN simply not ready for the GDPR’s start date on 25 May, having not even finalised how it will respond, and registries throughout the European Union seemingly all having a unique method of dealing with the regulation, it is, as Richard Wein, nic.at’s CEO, told Domain Pulse, a missed opportunity for registries to have worked together on one solution. For ICANN and generic top level domain registries (new and legacy) there are sure to be some heated discussions, and criticisms of ICANN for being so slow to adapt, at the ICANN meeting in Puerto Rico this month.

At the Domain Pulse conference (which is unrelated to the Domain Pulse blog), the panel discussion that focussed on GDPR involved representatives from registrars, registries and eco, the German internet association. Titled “The Challenge of Compliance: NIS Directive, GDPR, ePrivacy Regulation – the EU's Digital Roadmap and the Domain Industry”, it featured Volker Greimann from Key-Systems, Boban Kršić from DENIC, Ashley La Bolle from EPAG Domainservices, Ingo Wolff from tacticx and was moderated by Thomas Rickert, lawyer and representing eco. The panel discussion saw criticisms of ICANN with some wondering what will ICANN do if the community, and in particular registrars, disagree with what ICANN proposes.

During the discussion La Bolle said many registries haven’t given registrars the information they require, neither their reasons nor the legal basis for the data they require. “It’s not a lot of information we need. And we can no longer wait for ICANN or independent registries, we have got to implement changes that comply with GDPR.”

Following the panel discussion, Domain Pulse spoke in more detail with La Bolle, Managing Director of EPAG Domainservices GmbH, who spoke of her frustrations with the way most registries have responded to the GDPR, with unrealistic timelines for registrars to implement the required changes.

Domain Pulse: What are your opinions on the GDPR implementation?
Ashley La Bolle: The domain industry has been really late to the game on GDPR implementation. It's already March and we are just beginning to see real progress regarding contractual and technical changes for the GDPR. We expect to receive a lot of last-minute changes from registries in the next couple months. Although we're not thrilled about having to make last-minute changes to system settings, we still prefer registries to make those changes before May so we can ensure compliance. We do, however, see opportunities for registries to change requirements to be compliant without requiring registrars to make technical changes on very short notice. Some registries, for example, are planning to simply delete any non-essential data that registrars send in a domain order during a specified transition period. Only after that transition period will they begin returning an error message when non-essential data is sent with an order.

DP: How has it impacted on EPAG’s resources and staff?
ALB: EPAG is working closely with OpenSRS and Enom to develop a GDPR implementation plan for the entire company. But even when we are able to pool resources on planning, there is quite a bit of work that has to happen in addition to that. The GDPR requires contracts to be revised, additional staff training, and customer education. Our approach has been to change our systems and processes to handle as much of the impact of the GDPR as possible so that our customers can continue to use our services as they always have.

DP: What will be EPAG’s way of dealing with it?
ALB: The Tucows approach includes data minimisation, contract changes, Whois changes, and a consent management flow. Regarding data minimisation, we will only process a limited set of registrant data and in most cases will no longer process data for the administrative, technical, or billing contacts. At the same time, we are adjusting contracts with registrants, resellers, and registries. Another important part of our approach is the introduction of a gated Whois service, meaning personal data will no longer be published in the public Whois. Authorised third parties with a demonstrated legitimate interest to access the data will still be granted access following an authentication process. These parties may include Law Enforcement, the Security community, Intellectual Property lawyers, Aftermarket providers, and Certificate Authorities, among others. Finally, we are building a consent management flow in order to allow registrants to give consent for any data use that is not required by contract.

DP: What problems have you experienced in implementing the requirements?
ALB: The main obstacle we have encountered is the lack of preparedness in the domain industry that I mentioned before.

DP: One issue Richard Wein, nic.at’s CEO, has raised is it was a great opportunity for ccTLD registries to collaborate on one solution – I assume this would have made your life a lot easier and required less input of staff and other resources?
ALB: We would prefer a common solution across ccTLD registries. When each registry comes up with an individual approach, it is a nightmare for registrars to implement each individual approach and explain it to their customers. This is an industry that thrives on standards and common practice and the GDPR does not change this.

DP: Are you on track to comply with the requirements for ccTLDs and gTLDs, and given there is no real solution for gTLDs yet, how are you dealing with this?
ALB: The result of the domain industry being so late to react to the GDPR is that we have had to design our own approach – one that we feel is both legally compliant and customer friendly. At the same time, we have supported efforts by ECO to propose a common model as described in their Domain Industry Playbook.

DP: Do you have any thoughts on how ICANN has dealt with GDPR?
ALB: We wish that ICANN had started work on this a year ago. Of course, we will try to accommodate changes, but in absence of new consensus policies, we have to develop solutions that we believe will ensure our own compliance with the law.

This article was originally published at:
http://www.domainpulse.com/2018/03/02/gdpr-epags-md-explains-the-nightmare-on-registrar-street/