Tag Archives: General Data Protection Regulation

ICANN Reaffirms gTLD Registration Data Temporary Specification in Defiance of German Courts

Although ICANN isn’t technically American, there’s a growing difference of opinion between Europe and “America” over how to deal with the collection of domain name registrant’s registration, or Whois, data. Despite going down 4-0 to German courts in a dispute where EPAG is refusing to abide by ICANN’s requirement to collect registration data, ICANN has continued to insist registrars and registries collect the data they require for gTLDs. Continue reading ICANN Reaffirms gTLD Registration Data Temporary Specification in Defiance of German Courts

SIDN Sets Up Privacy Portal and Legal Help Desk To Assist Registrars Comply With GDPR

To assist their registrars comply with the European Union’s General Data Protection Regulation, SIDN, the .nl ccTLD manager, has set up a Privacy Portal and a Legal Help Desk. SIDN acknowledges that for registrars, bringing their operations into line with the GDPR — and making sure they stay that way — can be a challenge.

In a blog post on the SIDN website by RA CEO Margreth Verhulst and SIDN’s Key Account Manager Sebastiaan Assink discuss the Privacy Portal and Legal Help Desk now available to registrars.

“At the start of the year, SIDN organised a webinar on the implications of the GDPR for domain name registration. Participants were asked whether they had set up a data processing register, as required under the new legislation. And no fewer than 66 per cent of the registrars responded by saying that they hadn’t yet set one up. A broadly similar picture emerged when the RA surveyed its members to find out how many were GDPR-compliant. From the survey feedback, it was also clear that registrars would welcome support bringing their activities into line with the directive. The RA and SIDN therefore linked up with the ICTRecht legal consultancy to create the Privacy Portal, which opened for business on 27 September 2018. The Portal is intended to advise registrars on recording and protecting sensitive information and other privacy-related issues. “The Privacy Portal offers registrars free guidance on all aspects of privacy management,” explains Sebastiaan. “You can get answers to legal questions, or help with data processing agreements and other documents.” Dozens of registrars have already turned to the Portal for assistance.

A registrar’s first contact the Privacy Portal sees them being asked a few general questions. Answers are used to build up a profile and then a customised account can be established. Through the account, tailored advice is made available and appropriate measures are suggested. Facilities are also available for organising your enquiries and documents. “The intake privacy scan provides an immediate impression of what you’ve got under control and what still needs attention,” adds Margreth.

“The Portal also features a tool that can be used to set up and maintain a data processing register, another of the GDPR’s new requirements. There’s a privacy statement generator as well, and a utility for checking the adequacy of your technical data protection measures. Another feature of the Privacy Portal is its data breach registration functionality, which you can use to comply with the GDPR’s requirement that details of all breaches must be recorded. Finally, there’s a tool for generating appropriate data processing agreements to regulate your relationships with any data processors that handle data on your behalf. In other words, the Privacy Portal offers all kinds of assistance with GDPR-compliance.”

“Registrars process a great deal of personal data and cooperate with other actors, including suppliers and partners. They collect registrants’ personal details, for example, and forward the information to us on the registrants’ behalf. That’s how a domain name is registered. Naturally, it’s primarily the registrars’ responsibility to make sure that their data processing complies with the law. However, it’s also very much in our interests to see that registration data is processed and exchanged securely,” continues Sebastiaan. As Margreth points out, registrars have a lot on their plates, even without the GDPR. “Their core business is domain name registration, and compliance with the many rules and regulations that apply to the industry sometimes gets sidelined. So the Portal has been created with the aim of relieving some of the burden and making compliance easier for registrars. For any registrar who sees GDPR compliance as a dauntingly high mountain, the Privacy Portal will act like a Sherpa. You’ve still got to get up the mountain yourself, but the Portal is there to shoulder some of the load.”

“The Privacy Portal is just one of the ways that the RA and SIDN are working together to support and invest in the registrar community. It is a spin-off from the Legal Help Desk opened earlier in the year. Via the Help Desk, all 1250 or so .nl registrars can get free legal advice regarding issues involving contracts, ICT, terms and conditions and the like. Questions are simply submitted to the Help Desk using a standard form. Another product of cooperation between SIDN and the RA is the SIDN Academy.”

“So far, we’ve run three SIDN Academy sessions for registrars. The one-day sessions are intended for sharing knowledge on particular topics,” said Assink. “The first round of sessions was devoted to e-mail security, for example.”

Looking forward, the post notes Margreth and Sebastiaan have no preconceptions about how the Help Desk and Portal should develop from here. Both are really still pilot services. “We’ll evaluate the situation after twelve months,” says Margreth. “The future direction of the projects will depend on how registrars use these facilities in practice. A positive response and high levels of use will encourage us to continue and extend the services.”

The full version of this post originally appeared on the SIDN website here. SIDN is the country code top level domain (ccTLD) manager for .nl (Netherlands).

APWG and M3AAWG Survey Finds ICANN’s GDPR Response Impeding Cyber Investigations

APWG logoA joint APWG-M3AAWG survey of over 300 cybercrime responders and anti-abuse personnel indicates ICANN’s Temporary Specification, its response on how to deal with the European Union’s General Data Protection Regulation for domain name WHOIS data, has eliminated interventions that previously allowed investigators to stop new cybercrimes while still in the preparatory stages — and has markedly impeded routine mitigations for many kinds of cybercrimes.

With responses from 327 professionals, the survey revealed that losing the ability to attribute domain names to criminals or victims of abuse has irreparably eliminated their capacity to issue warnings about new abuses that known bad actors are perpetrating, even when the WHOIS registrant data is use a pseudonym, according to Peter Cassidy, Anti-Phishing Working Group (APWG) Secretary General.

According to survey respondents ICANN’s Temporary Specification for gTLD Registration Data, established in May in response to the GDPR, impedes investigations of cybercrime – from ransomware attacks to distribution of state-sponsored strategic disinformation. Analyses of responses from the survey reveal that:

  • Cyber-investigations and mitigations are impeded because investigators are unable to access complete domain name registration data.
  • Requests to access non-public WHOIS by legitimate investigators for legitimate purposes under the provisions of the Temp Spec are routinely refused.

“The biggest impact has been to determine who has registered a criminal/fraudulent domain, and the ability to use that information to find other domains registered by the same actor. That devastates our ability to find all of the fraudulent domains registered by the same entity,” one typical respondent wrote in the APWG-M3AAWG GDPR and WHOIS User Survey report.

APWG and the Messaging, Malware and Mobile Anti-Abuse Working Group (M3AAWG) concluded their analysis with recommendations for ICANN to:

  • Establish a mechanism for WHOIS data access by accredited, vetted qualified security actors.
  • Restore redacted WHOIS data of legal entities.
  • Adopt a contact data access request specification for consistency across registrars and gTLD registries.
  • Establish a WHOIS data access scheme that does not introduce delays in collecting or processing and is not burdened by per-request authorizations.
  • Reassess the current redaction policy and consider replacing restricted personal data with secure hashes that can be used as a proxy for tracing criminal actors across data resources.
  • Publish point of contact email addresses to provide investigators with an effective means of identifying domains associated with a victim or person of interest in an investigation.

The survey was submitted to ICANN on Oct. 18 by the Anti-Phishing Working Group and the Messaging, Malware and Mobile Anti-Abuse Working Group.

The full survey can be found at www.m3aawg.org/WhoisSurvey2018-10 or docs.apwg.org/reports/ICANN_GDPR_WHOIS_Users_Survey_20181018.pdf.

ICANN: Data Protection/Privacy Update Webinar – 8 October

ICANN today [27 Sep] announced that it will hold a webinar on 8 October 2018 from 15:00 to 16:00 UTC to provide an update on recent ICANN data protection and privacy activities related to the European Union’s General Data Protection Regulation (GDPR).

To facilitate global participation, interpretation services will be available in Arabic, Chinese, French, Portuguese, Russian, and Spanish. Participants are encouraged to email questions prior to the call via email to gdpr@icann.org. We will also hold a question and answer period at the end of the webinar. A full recording of the webinar will be published on icann.org for future reference.

More information on ICANN‘s Data Protection/Privacy Issues is available here:

Webinar Details & How to Attend:

Date: 8 October 2018
Time: 15:00 – 16:00 UTC
Join via Adobe Connect
View Dial-in Information

Participant Codes:

English – Participant Code: 9001
Français – Participant Code: 9002
Español – Participant Code: 9003
中文 – Participant Code: 9004
Pусский – Participant Code: 9005
العربية – Participant Code: 9006
Português – Participant Code: 9007

About ICANN

ICANN‘s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2018-09-27-en

German Courts Rebuff ICANN For Fourth Time Over WHOIS/GDPR Data Collection

ICANN has suffered another setback in its desire to continue to collect and make public domain name registrant contact details following an appeal to a German High Court who ruled against ICANN's plea to reconsider the Court's own earlier decision following the introduction of the European Union's General Data Protection Regulation earlier this year.

ICANN has been pursuing a preliminary injunction from the German Court to require EPAG, a Germany-based, ICANN-accredited registrar (that is part of the Tucows Group and based in Bonn, Germany) to continue to collect elements of WHOIS data, as required under ICANN's Registrar Accreditation Agreement (RAA), which permits the registrar to sell domain name registrations for generic top-level domains.

ICANN received a ruling from the German Higher Regional Court in Cologne (“Appellate Court”) last week, that rejected ICANN's request for review (“plea of remonstrance”) filed by ICANN on 17 August 2018. ICANN's plea was filed to continue the immediate appeal in the ICANN v. EPAG injunction proceedings. ICANN initiated such proceedings against EPAG, to seek assistance in interpreting the European Union's General Data Protection Regulation (GDPR) in order to protect the data collected in WHOIS. The Appellate Court again has determined that it would not issue an injunction against EPAG.

This is the fourth time the German courts have rebuffed ICANN’s attempts to have EPAG enforce the RAA. On 30 May the Regional Court determined that it would not issue an injunction against EPAG. Then on 13 June ICANN appealed and on 18 July the Regional Court decided not to change its original determination not to issue an injunction against EPAG. The matter was referred to the Higher Regional Court in Cologne for appeal. Next on 3 August ICANN announced a German appeal court (Appellate Court of Cologne) had issued a decision on the injunction proceedings ICANN initiated against EPAG determining that it would not issue an injunction against EPAG.

In making its ruling, the Appellate Court found that the preliminary injunction proceeding does not provide the appropriate framework for addressing the nature of the contractual disputes at issue, and that a decision in preliminary proceedings does not appear to be urgently needed. Again, the Appellate Court did not address the merits of the underlying issues with respect to the application of GDPR as it relates to WHOIS.

ICANN is continuing to evaluate its next steps in light of this ruling, including possible additional filings before the German courts, as part of its public interest role in coordinating a decentralized global WHOIS for the generic top-level domain system.

On 25 May, the day the European Union’s General Data Protection Regulation came into place, ICANN filed a legal action against EPAG. This action was taken because of a disagreement between Tucows and ICANN on how the GDPR should be interpreted, with respect to their contracts.

In a post outlining their position back in May, EPAG Ashley La Bolle wrote the “GDPR begins with a statement of its core principle: ‘The protection of natural persons in relation to the processing of personal data is a fundamental right.’ Tucows has long been concerned with privacy and the rights of our customers, and takes the principles enshrined in this law extremely seriously.

“In order to have a domain registration system reflective of ‘data protection by design and default’, we started with the GDPR itself and crafted our procedures and policies around it. We built a new registration system with consent management processes, and a data flow that aligns with the GDPR’s principles. Throughout the registration life-cycle, we considered things like transparency, accountability, storage limitation, and data minimization.”

ICANN’s response to the GDPR came just over a week before the EU-wide data protection regulation came into place, and 2 years after it was announced. The “Temporary Specification”, as La Bolle writes, was “meant to temporarily bring gTLD registration services in line with the GDPR. The goal of the Specification is to serve as a stop-gap while the ICANN community works to resolve and balance issues between privacy law and existing ICANN policy.” EPAG have 3 concerns with the Temporary Specification based around “Personal Data Transfer to a Registry”, “Personal Data Display” and “Desire for Clarity”.

ICANN: Data Protection/Privacy Update Webinar Scheduled for 26 September

ICANN today [13 Sept] announced that it will hold a webinar on 26 September 2018 from 15:00 to 16:00 UTC to provide an update on recent ICANN data protection/privacy activities related to the European Union’s General Data Protection Regulation (GDPR).

Participants are encouraged to email questions prior to the call via email to gdpr@icann.org. We will also hold a question and answer period at the end of the webinar. A full recording of the webinar will be published on icann.org for future reference.

More information on ICANN‘s data protection/privacy activities is available here:

Webinar Details & How to Attend:

Date: 26 September 2018
Time: 15:00 – 16:00 UTC
Join via Adobe Connect
View Dial-in Information

About ICANN

ICANN‘s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2018-09-13-en

Has GDPR Contributed To Spam Decline? 2 Organisations Say It’s Too Early To Tell

Recently threat intelligence organisation Recorded Future published a blog post suggesting “spammers are not — at least at this time — rushing to launch new campaigns because of GDPR-enforced WHOIS privacy rules.”

The General Data Protection Regulation that came into force on 25 May, seeks to give individuals more control over their personal data and to simplify data protection regulation in the European Union to one rule for all countries. Recorded Future published spam volumes compiled by Cisco which found that “on May 1, 2018, the total volume of email was 433.9 billion messages; spam accounted for 370.04 billion messages, or 85.28 percent of all email. On August 1, 2018, the total volume of messages was 361.83 billion, with 85.14 percent, or 308.05 billion messages, identified as spam. While the total volume of email fell precipitously, most likely due to a combination of seasonal email fluctuations and as the result of newly enforced privacy standards, the percentage of spam remained roughly the same.”

Recorded Future surmised that “spammers are not — at least at this time — rushing to launch new campaigns because of GDPR-enforced WHOIS privacy rules. Spam is still a big problem, but it has not become a bigger problem, contrary to popular opinions among security researchers.”

Spamhaus has taken a similar view. They note “the real answer is that it is far too early to tell.”

“Before GDPR came into effect, records such as a domain’s registered owner and registered contacts could be looked up in WHOIS databases maintained by individual registrars governed by ICANN.”

“WHOIS information was used by researchers in organisations such as Spamhaus to help determine a domain’s reputation. Domains determined from this and other factors to have a bad reputation would have potentially been listed on our Domain Block List (DBL).”

Spamhaus goes on to note that “whilst the lack of some of this information is tiresome and makes a security researcher’s job a little more difficult, it isn’t insurmountable. Spam will be blocked. Domains will continue to be added to our DBL and email will be filtered accordingly.”

“It’s true, spam rates have dropped marginally since May 2018. Spamhaus never anticipated a tsunami of spam to follow GDPR, however current claims that spam has fallen as a result of GDPR are unconvincing.

“Of course, it could be that legitimate companies, who are concerned about being GDPR compliant, have started purging email lists and are sending less ‘legit’ spam. However, one needs to remember that spam from legitimate companies accounts for a very small percentage of overall spam numbers, so any reduction in this area would have a minute impact on the figures.

“Another theory could be that due to the changes on WHOIS fewer bad domains are being identified and therefore some anti-spam systems are flagging less email.

“Nonetheless, this small reduction in spam is more than likely down to the natural ebb and flow of spam volumes, which have always been highly variable, just like botnet traffic.”

Spamhaus note there could be “numerous non-GDPR related reasons as to why there’s been a recent drop in spam email ranging from the spambots which are currently in operation (or not in operation as the case may be) to who has been arrested recently!”

So Spamhaus say there’s “no hard evidence we have seen proving that this current decline in spam is as a direct result of GDPR…it will be interesting to see what the volumes of spam are like over Black Friday and the subsequent Christmas holidays.”

They also suggest the drop in spam levels bein attributed to the GDPR is a “vacuous claim, unless it’s worth considering that snowshoe spammers don’t need as many new identities now that their current ones are withheld on WHOIS.”

“A more likely explanation to the drop in domain name registrations could be something as simple as top-level domains (TLDs) not having run any ‘specials’ recently (everyone loves a bargain, even a cybercriminal).”

But Spamhaus suggests that prohibiting personal details being visible on Whois “will hamper, if not stop, organisations being able to join the dots and identify gangs of professional cybercriminals who have a mechanism of fraud that is proving successful.”

According to Spamhaus “researchers collect all kinds of information from WHOIS. This data allows us to identify patterns in spamming activity, and build intelligence to attribute it to specific spam gangs.”

Whois data are “small but critical pieces of data [that] can become crucial to investigations later down the line, although they may not be obvious at the time. This evidence can assist law enforcement agencies to pursue these prolific gangs who are defrauding significant amounts of people of vast quantities of money” with “even fraudulent information that is used in a WHOIS record can be used against criminals.”

ICANN Loses Another Round in Battle Over Whois and GDPR With EPAG

ICANN announced Friday they had lost another round in their battle to get EPAG, a subsidiary of Tucows, to enforce their “temporary specification” on the collection of domain name registrant data.

For the third time the German courts have ruled against ICANN. This time the Appellate Court determined that it would not issue an injunction against EPAG. In making its ruling, ICANN explains in its announcement, “the Appellate Court stated that the interpretation of provisions of the GDPR was not material to its decision, so there was no obligation to refer the matter to the European Court of Justice.”

“Rather, the Appellate Court simply found that it was not necessary for it to issue a preliminary injunction to avoid imminent and substantial disadvantages, and noted that ICANN could pursue its claims in the main proceedings in order to enforce the rights it asserts.”

Former ICANN staffer and now (again) journalist on the domain name industry Kieren McCarthy tweeted on the news:

#ICANN has lost its #Whois legal case yet again. And its insistence that the matter be referred to the ECJ has been refused. Just how bad does it have to get before this critical org gets itself some proper legal advice?

ICANN is seeking to have EPAG reinstate collection of administrative and technical contact data for new domain name registrations. To comply with the European Unions General Data Protection Regulation, ICANN was seeking to have all its 2,500 accredited registrars and registries to continue to collect “thick” data but anyone conducting a Whois search would only receive “Thin” data in return, which includes only technical data sufficient to identify the sponsoring Registrar, status of the registration, and creation and expiration dates for each registration, but not personal data.

However Tucows took the view ICANN’s temporary specification wasn’t compliant with the GDPR. They had problems with 3 core issues. These issues were the collection, transfer, and public display of the personal information of domain registrants and the other contractually-mandated contacts.

Which led to a dispute on how the GDPR impacts EPAG’s registrar accreditation agreement. “The facts and the law, as we see them, do not support ICANN’s broader view of what will impact the security and stability of the internet. Neither do we find the purposes outlined in the temporary specification proportional to the risks and consequences of continuing to collect, process and display unnecessary data.”

ICANN note that they are now considering their “next steps, including possible additional filings before the German courts, as part of its public interest role in coordinating a decentralised global WHOIS for the generic top-level domain system and will provide additional information in the coming days.”

 

ICANN: German Regional Court to Revisit Ruling in Injunction Proceedings on Request to Preserve WHOIS data

ICANN was informed Thursday that the Regional Court in Bonn, Germany, has decided to revisit its ruling in the injunction proceedings that ICANN initiated against EPAG, a Germany-based, ICANN-accredited registrar that is part of the Tucows Group.

 

On 13 June 2018, ICANN appealed the Regional Court’s initial decision to reject ICANN‘s application for an injunction, in which ICANN sought a court order requiring EPAG to reinstate collection of administrative and technical contact data for new domain name registrations.

Upon receipt of an appeal, the Regional Court has the option to re-evaluate its decision that is being appealed, or affirm its decision and immediately forward the matter to the Higher Regional Court for consideration of the appeal.

In this instance, the Regional Court has decided to revisit its initial decision and has asked EPAG to comment on ICANN‘s appellate papers within two weeks.

ICANN is pursuing this matter as part of its public interest role in coordinating a decentralized global WHOIS for the generic top-level domain system. To that end, ICANN continues to seek clarity of how to maintain a global WHOIS system and still remain consistent with legal requirements under the European Union’s General Data Protection Regulation (GDPR).

Background:

On 25 May 2018, ICANN filed the injunction proceedings against EPAG. ICANN asked the Court for assistance in interpreting the GDPR in an effort to protect the data collected in WHOIS. ICANN sought a court ruling to ensure the continued collection of all WHOIS data. The intent was to assure that all such data remains available to parties that demonstrate a legitimate purpose to access it, and to seek clarification that under the GDPR, ICANN may continue to require such collection.

ICANN filed the proceedings because EPAG had informed ICANN that as of 25 May 2018, it would no longer collect administrative and technical contact information when it sells new domain name registrations. EPAG believes collection of that particular data would violate the GDPR. ICANN‘s contract with EPAG requires that information to be collected.

EPAG is one of over 2,500 registrars and registries that help ICANN maintain the global information resource of the WHOIS system. ICANN is not seeking to have its contracted parties violate the law. Put simply, EPAG’s position spotlights a disagreement with ICANN and others as to how the GDPR should be interpreted.

On 30 May 2018, the Regional Court determined that it would not issue an injunction against EPAG. In rejecting the injunctive relief, the Court ruled that it would not require EPAG to collect the administrative and technical data for new registrations. However, the Court did not indicate in its ruling that collecting such data would be a violation of the GDPR. Rather, the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse in connection with the domain name (such as criminal activity, infringement, or security problems).

The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.

On 13 June 2018, ICANN appealed the Regional Court’s ruling to the Higher Regional Court of Cologne, Germany, and again asked for an injunction that would require EPAG to reinstate the collection of all WHOIS data required under EPAG’s Registrar Accreditation Agreement with ICANN.

ICANN appreciates and understands the dilemma of EPAG in trying to interpret the GDPR rules against the WHOIS requirements, but if EPAG’s actions stand, those with legitimate purposes, including security-related purposes, law enforcement, intellectual property rights holders, and other legitimate users of that information may no longer be able to access full WHOIS records.

In addition to the court proceedings, ICANN is continuing to pursue ongoing discussions with the European Commission and the European Data Protection Board to gain further clarification of the GDPR as it relates to the integrity of WHOIS services.

About ICANN

ICANN‘s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-3-2018-06-21-en

ICANN Appeals German Court Decision on GDPR / WHOIS

ICANN today (13 June) appealed a decision by the Regional Court in Bonn, Germany not to issue an injunction in proceedings that ICANN initiated against EPAG, a Germany-based, ICANN-accredited registrar that is part of the Tucows Group. The appeal was filed to the Higher Regional Court of Cologne, Germany.

ICANN is asking the Higher Regional Court to issue an injunction that would require EPAG to reinstate the collection of all WHOIS data required under EPAG’s Registrar Accreditation Agreement with ICANN.

The Regional Court in Bonn rejected ICANN’s initial application for an injunction, in which ICANN sought to require EPAG to collect administrative contact and technical contact data for new domain name registrations.

If the Higher Regional Court does not agree with ICANN or is not clear about the scope of the European Union’s General Data Protection Regulation (GDPR), ICANN is also asking the Higher Regional Court to refer the issues in ICANN’s appeal to the European Court of Justice.

ICANN is appealing the 30 May 2018 decision by the Regional Court in Bonn as part of ICANN’s public interest role in coordinating a decentralized global WHOIS for the generic top-level domain system.

“We are continuing to seek clarity of how to maintain a global WHOIS system and still remain consistent with legal requirements under the GDPR,” said John Jeffrey, ICANN’s General Counsel and Secretary. “We hope that the Court will issue the injunction or the matter will be considered by the European Court of Justice.”

Background:

On 25 May 2018, ICANN filed the injunction proceedings against EPAG. ICANN asked the Court for assistance in interpreting the GDPR in an effort to protect the data collected in WHOIS. ICANN sought a court ruling to ensure the continued collection of all WHOIS data. The intent was to assure that all such data remains available to parties who demonstrate a legitimate purpose to access it, and to seek clarification that under the GDPR, ICANN may continue to require such collection.

ICANN filed the proceedings because EPAG had informed ICANN that as of 25 May 2018 when it sells new domain name registrations, it would no longer collect administrative and technical contact information. EPAG believes collection of that particular data would violate the GDPR. ICANN’s contract with EPAG requires that information to be collected.

EPAG is one of over 2,500 registrars and registries that help ICANN maintain the global information resource of the WHOIS system. ICANN is not seeking to have its contracted parties violate the law. Put simply, EPAG’s position spotlights a disagreement with ICANN and others as to how the GDPR should be interpreted.

On 30 May 2018, the Court determined that it would not issue an injunction against EPAG. In rejecting the injunctive relief, the Court ruled that it would not require EPAG to collect the administrative and technical data for new registrations. However, the Court did not indicate in its ruling that collecting such data would be a violation of the GDPR. Rather, the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse in connection with the domain name (such as criminal activity, infringement or security problems).

The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.

ICANN appreciates and understands the dilemma of EPAG in trying to interpret the GDPR rules against the WHOIS requirements, but if EPAG’s actions stand, those with legitimate purposes, including security-related purposes, law enforcement, intellectual property rights holders, and other legitimate users of that information may no longer be able to access full WHOIS records.

In addition to the court proceedings, ICANN is continuing to pursue ongoing discussions with the European Commission and the European Data Protection Board to gain further clarification of the GDPR as it relates to the integrity of WHOIS services.

About ICANN

ICANN’s mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.

This ICANN announcement was sourced from:
https://www.icann.org/news/announcement-2018-06-13-en