Internet overseer ICANN loses a THIRD time in Whois GDPR legal war
US org told by German court its delusional claims in privacy rules battle are not credible
The internet's domain names overlord has failed in a third attempt to keep to the wheels from falling off its Whois service in Europe, raising questions over its competence.
US-based Internet Corporation for Assigned Names and Numbers (ICANN) was slammed by the Appellate Court of Cologne, Germany, for not having "sufficiently explained" nor provided a "credible reason" for seeking an injunction against German domain registrar EPAG.
In short: EPAG wanted to sell domain names without collecting the domain owners' administrative and technical contact details because it feared doing so would put it at risk of ruinous fines if it ran afoul of Europe's General Data Protection Regulation (GDPR). However, its registrar contract with ICANN requires it to collect this information for the latter's global Whois system. To force it to comply with its contract, and to hell with GDPR, ICANN took EPAG to court in May, seeking an order banning the registrar from peddling domain names if it refused to gather data for Whois.
The row eventually reached Cologne's appeals court, which this month declared [PDF] it found the two previous rulings against ICANN "convincing," and noted that there was "no imminent emergency" that justified a request for an emergency injunction. It stated that even ICANN accepted the argument that past experience has shown that there is no real risk to not gathering the information requested.
The court also rejected ICANN's insistence that the matter be sent to the European Court of Justice, noting that it was "under no obligation to refer the case to the ECJ" because ICANN's interpretation of the law "was not material to the decision."
ICANN is, essentially, attempting to reinforce its authority over the planet's Whois service in the wake of its unprecedented failure to account for new data protection laws. As an organization based in the United States, it has – for 15 years – ignored warnings from European regulators about the legality of its Whois data service – where domain owner and operators' names, phone numbers, and email and home addresses are published online.
But the passing of Europe's GDPR, which allows European citizens to sue organizations that don't minimize their gathering of personal data or allow people to control how that data is used, turned that situation on its head. Faced with potentially millions of dollars in fines, many internet domain outfits simply refused to follow ICANN's contract, arguing that some of its requirements are illegal.
How not to act
ICANN's response has been telling: at first, it failed to even consider the issue. It wasn't until one European registry dismissed the organization's legal threats as "null and void" that the organization even looked at the matter.
When it was informed by outside counsel that the entire Whois service would soon become illegal, it then tried to force through policy changes that essentially retained the current system. Those "changes" let registrars collect, but not publish, the same Whois data they now collect; provide some kind of "authorized access" to the records; and still allowed third parties to spam registrants.
But that effort failed, with even the US government criticizing its approach.
GDPRmageddon: They think it's all over! Protip, it has only just begunREAD MORE
ICANN then, bizarrely, persuaded itself that European regulators would grant it a special one-year exception to the new law, and spent several months insisting on its made-up "moratorium" before being told by regulators that the law had already been passed two years earlier and there was no way to prevent it from being used.
Faced with an impending deadline, ICANN's board then imposed the previously rejected policy changes – which many European companies consider illegal. When those changes were, inevitably, rejected, it responded by suing a registrar in German court in an effort to set a precedent and impose its authority. It lost.
Keep flogging that dead horse
At that point, many expected ICANN to reconsider its legal approach but instead the organization continued to persuade itself that the courts would see the case as an opportunity to settle ambiguities within the GDPR legislation. As such, it continued pushing for an emergency injunction, appealing again.
For the third time in a row, ICANN has attempted to put a brave face on its loss, noting that the court said it could still "pursue its claims in the main proceedings in order to enforce the rights it asserts."
As such, ICANN said in a blog post that it is "considering its next steps, including possible additional filings before the German courts, as part of its public interest role in coordinating a decentralized global Whois."
The truth however is that ICANN continues to be baffled by the fact that the European court system has no interest in its corporate interests and refuses to be told that the Whois service is as important as ICANN considers it to be.
It should be a day of reckoning for an organization that has long lived inside its own policy-making bubble - but no one is holding out much hope.
In a clear sign that the organization is incapable of learning from its mistakes, the organization has decided to develop new Whois policies by doing the exact same thing it has done five times previously: create a new working group. Amazingly, many of the people on that group have also been on previous failed efforts.
Even when, in the past, such groups have managed to reach a majority agreement on necessary changes, ICANN's upside-down model of governance where its staff and board ignore their own groups and reject expert advice in preference to their own counsel, has ensured a lack of progress.
Despite being told repeatedly that its policies are no longer valid, ICANN as a corporation continues to insist that they are. And while ICANN retains that belief, even in the unlikely event that its new working group finds a workable compromise, no progress will be made.
It looks sadly inevitable that ICANN will only react when it is sued in Europe, loses, and is obliged to pay millions of dollars in fines. ®
Sponsored: Becoming a Pragmatic Security Leader