German court snubs ICANN's bid to compel registrar to slurp up data
GDPR hell to continue for unprepared DNS overseer
Global domain name system overlord ICANN’s latest attempt to deal with compliance with European data protection law has been dealt a blow after a German court rejected its request to force a registrar to keep gathering people’s information.
The DNS overseer filed a lawsuit in Bonn against German domain registrar EPGA on Friday - the day the EU's General Data Protection Regulation (GDPR) came into force.
The suit asked for an injunction to compel EPGA to continue collecting administrative and technical contact details of people who buy web addresses, in addition to their personal details.
ICANN argued that the technical and admin contacts were necessary and that the registrar’s contract with the body obliged it to do so – but EPGA has said that this information slurping is a breach of the GDPR.
EPGA and its parent company Tucows - the second largest domain registrar in the world - counter that it isn’t necessary to collect these contacts because they are often the same as the personal details, and in doing so it would go against the GDPR’s principle of data minimisation. In addition, they claim there may not be a legal basis for the collection.
Filing the suit was one of ICANN’s last-ditch attempts to deal with GDPR - for which it is ill-prepared, despite having had two years to work on compliance - and ensure the future of the Whois domain-name-lookup service.
Other attempts have seen ICANN unsuccessfully beg EU data protection agencies for a one-year extension to allow it to become compliant, and a temporary policy issued to registrars just one week before the GDPR enforcement date.
It is likely ICANN hoped that issues with other registrars over their contracts and GDPR would be put off until this case had made its way through the courts.
However, the German court has scuppered these chances by rejecting the request for an injunction, in a ruling (PDF) that described ICANN's application as unfounded.
ICANN had said that the technical and administrative contacts have important functions, and are needed for the stable and secure operation of the domain name system as well as to identify customers related to technical or legal issues.
But in its ruling, the court said that although it was clear that having more data makes identifying and contacting the people behind a domain more reliable, ICANN had not demonstrated that storing this other data was indispensable for its purposes.
For instance, the ruling (translated from German by the court) said: “Against the background of the principle of data minimization, the Chamber is unable to see why further data sets are needed in addition to the main person responsible.”
The court noted that it was possible for a registrant to provide the same data for each of the three contacts - and that this had not led to a registration being denied.
“If they had been necessary in the real sense, it would not have been possible to do without them before; rather, a registration would have been made dependent on the specification of different data records in terms of content and such a registration would not otherwise have been approved,” the court said.
Despite these comments, ICANN’s general counsel John Jeffrey said that the ruling “did not provide the clarity that ICANN was seeking when it initiated the injunction proceedings”.
He added: "ICANN is continuing to pursue the ongoing discussions with the European Commission, and WP29, to gain further clarification of the GDPR as it relates to the integrity of WHOIS services." ®