Who had ICANN suing a German registrar over GDPR and Whois? Congrats, it's happening
Time for plan C, says DNS overlord stuck in a privacy bind
A fight over private information and the internet's domain name system is heading to a German court, in a proxy battle between European legislators and American intellectual property lawyers.
On Friday – the same day that new European GDPR privacy legislation took effect – DNS overseer and US corporation ICANN filed a lawsuit against German domain registrar EPAG in Bonn, asking that it be forced to keep gathering private information on people who buy web addresses.
ICANN argued [PDF] that the registrar is obligated under its contract with ICANN to keep gathering the information. The registrar's position is that gathering the information breaks GDPR, and so opens it up to legal challenges, tellings off, and potentially ruinous fines.
By filing for an injunction and insisting the matter is urgent, ICANN hopes to preempt challenges to the contract it has with registrars across the world as well as buy time while it develops a new version of that contract to fit with the GDPR legislation.
While the actual details under consideration are relatively insignificant – the requirement for someone registering a domain name to provide an administrative and technical contact as well as their own personal details – the legal challenge is critical to the future of the so-called Whois domain-name-lookup service as well as ICANN's authority over the global internet.
That authority has come under question following the organization's failure to consider the impact of the new privacy rules, despite a two-year lead-time, until it was too late.
Following a failed effort to force through a "temporary" policy covering the Whois service in March – just two months before the law came into effect – ICANN pleaded with European data protection regulators to grant it a special one-year extension to the law: something that the watchdogs pointed out was not in their power to offer.
Do this by next week, please
That resulted in a ludicrous situation where ICANN published a "temporary" policy that required significant changes to hundreds of companies' backend systems just one week before the deadline – and then warned those same companies that it would be monitoring them for compliance.
While ICANN was prevaricating, however, EPAG's parent company Tucows – the world's second largest registrar – developed its own system for gathering domain name information. In a blog post this week, the biz explained why that system ended up significantly different from the one ICANN is insisting be applied.
"We started with the GDPR itself and crafted our procedures and policies around it," the corp explained. The problem, it soon discovered, was that ICANN's contract – the Registrar Accreditation Agreement – "not only required us to collect and share information we didn't need, it also required us to collect and share people's information where we may not have a legal basis to do so."
At the heart of the issue is the fact that the Whois service was developed 20 years ago, and has not been updated to reflect the modern internet.
ICANN claims the extra admin and technical contacts are necessary to maintain a stable and secure internet, but Tucows says the reality is that "in the vast majority of gTLD registrations, the Registrant (Owner), Admin, and Tech contacts are the same. As such, collection of Admin and Tech contacts is meaningless, as the data belongs to the Registrant."
One of the GDPR's core tenets is "data minimization", under which the collection and processing of personal data is limited to only what is necessary. As such, Tucows argued, the requirement for three sets of effectively the same data breaks GDPR. It also argued that if a registrant supplies names and contact details for those separate records – the owner, the admin, and the technical contact for a domain – the registrant may also be breaking GDPR because it may not have those individuals' explicit consent to store, share or publish that information.
Efforts to modernize the Whois service to fit modern practices have been repeatedly killed off by intellectual property lawyers fearful of losing access to the vast database of information.
ICANN is in many respects beholden to those powerful corporate interests and as a result has been ignoring European privacy legislation for over a decade, calculating that as a US corporation with the backing of the American government, it could not be obliged to act.
That situation changed, however, when a European registry simply refused to provide a Whois service in light of the GDPR legislation – despite threats from ICANN's legal team – because it said the contract directly conflicted with national law, and so was "null and void."
The key difference between GDPR and previous privacy requirements is that it gives European citizens a legal right to complain, and gives data protection authorities the right to levy huge fines, totaling millions of dollars, if companies are found to be in breach of the new law.
Faced with a massive financial impact, registries and registrars decided to push back against ICANN's insistence that its contract was the final word. And the DNS overseer has been playing catch-up ever since.
ICANN's complaint is notable for the fact that its main arguments concern trademarks, to the extent that it even argues that the Whois service should be compared to an official trademark database.
Critics have been quick to point out this line of reasoning very closely follows the arguments put forward by American intellectual property lawyers, while ignoring the clear concerns outlined by other members of the organization.
How do you say 'no' in every European language?
Formal advice from European data protection authorities explicitly warned ICANN that it should "take care in defining purposes in a manner which corresponds to its own organizational mission and mandate"; that "purposes pursued by other interested third parties should not determine the purposes pursued by ICANN"; and that it "cautions ICANN not to conflate its own purposes with the interests of third parties, nor with the lawful grounds of processing which may be applicable in a particular case."
But the data protection authorities are not the courts, so ICANN's lawsuit is an effort to ensure that its contract holds up in Europe while it works on a formal policy to become GDPR compliant, a process it estimates will take a year to complete.
By filing in a German court on the very first day of GDPR's implementation, ICANN will also be hoping that any subsequent lawsuits against it – or the registrars and registries that are under contract to it – for breaking GDPR will be held off while this case works its way through the legal system.
It's a desperate ploy that the organization could and should have avoided by tackling GDPR compliance two years ago.
Fundamentally, ICANN is arguing that there are exceptions in GDPR that say data collection is allowed when it is a "necessity for the performance of a contract" – and the Whois clause in its contract qualifies for such a protection.
Whether the German court buys that argument and orders EPAG to keep gathering information – bolstering ICANN's authority – or whether it decides to dig deeper into the topic and make a determination over whether ICANN's contract breaks the GDPR by forcing organizations to gather and store unnecessary private information, we will have to wait and see. ®