German court rules against ICANN on data protection grounds

In a decision based directly on the GDPR, a German court recently prohibited collection of broad categories of personal data during the process of registration of internet domain names. If the decision portends the way in which courts in Europe will handle the issue, availability of the data regarding the holders of internet domain names will in the future be limited to a minimum.

A German Regional Court (Landgericht) in Bonn delivered the ruling on 29 May 2018 in the dispute between ICANN (Internet Corporation for Assigned Names and Numbers) and EPAG (EPAG domain services GmbH), a German Internet domain registrar accredited by ICANN.

ICANN has a network of agreements with registrars all over the world, which allow those registrars to assign top-level and, relevant in this case, second-level domains to users. The agreements are uniform and all prescribe the obligation of the registrar to collect, among other data, the so-called Tech-C data and Admin-C data, when assigning a domain name to registrants. Tech-C data are data regarding the person (“technical contact”) who has the right to receive and supply, for and on behalf of the registrant, data relating to technical matters of significance for the registration of the domain name. Admin-C data are data about the person (“administrative contact”) who may sign and submit all applications related to the domain on behalf of the registrant and receive and forward any kind of information related to the domain.

EPAG collected the Tech-C and Admin-C data until 25 May 2018, the day GDPR began to apply. EPAG then informed ICANN that it would no longer collect Tech-C and Admin-C data, since collecting that data would not be in line with the provisions of GDPR.

ICANN turned to the court and asked for an injunction obliging EPAG to continue to collect the disputed data. ICANN claimed that collecting Tech-C data and Admin-C data does not violate GDPR provisions. Collection of those categories of data, according to ICANN, is necessary in order to achieve the purposes of security and criminal enforcement, as the data help identify the persons behind the domain names. ICANN also claimed that the collection of Tech-C data is necessary for solving technical problems.

EPAG claimed that the registrar accreditation agreement with ICANN obliges EPAG to comply with applicable law, that GDPR is such law, and that GDPR’s provisions on “data minimisation” (Article 5(1)(c)) and on “privacy by design and by default” (Article 25) prohibit the collection of the disputed data.

After reviewing written submissions, the court dismissed ICANN’s request for an injunction. The court accepted EPAG’s argument that GDPR applies to the agreement between ICANN and EPAG. GDPR requires that personal data be collected “for specified, explicit and legitimate purposes” (Article 5(1)(b) of GDPR) and that the data be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed” (Article 5(1)(c) (data minimisation)).

The court held that for the achievement of ICANN’s purposes of ensuring security and facilitating criminal enforcement it is sufficient for a registrar – such as EPAG – to collect the contact data of the domain name owner. Collecting the Tech-C and Admin-C data is unnecessary for the pursuit of those objectives.

Another purpose of collecting the Tech-C data is, according to ICANN, to solve technical problems. The court, however, determined that resolving technical problems is only indirectly related to the security aspects, which are what truly matters in the case. The court also emphasised that ICANN’s practice had been not to require domain name owners (registrants) to provide any data on technical contacts and administrative contacts for the purpose of domain name registration, other than the data about the registrant himself (the registrant could enter his own contact data as the data for the technical and administrative contacts). In other words, collecting the Tech-C and Admin-C data was optional in the first place. Therefore, ICANN cannot convincingly claim that registrars must collect the Tech-C and Admin-C data.

This decision indicates that the data controllers to whom GDPR applies will have to offer weighty arguments to justify the processing of personal data.

The decision is also potentially important for intellectual property right holders and their legal counsel. If confirmed on appeal, the decision might affect the contents of the WHOIS database. WHOIS operated for decades as a publicly accessible database containing, for each domain name, details on the owner (registrant) and the contact persons (Tech-C and Admin-C). Recently, ICANN removed all these categories of personal data from WHOIS, as a temporary measure while ICANN explores the possibilities for WHOIS to operate without GDPR provisions being violated. If ICANN and accredited registrars ultimately decide to continue to collect (and make publicly available) Tech-C and Admin-C personal data, the WHOIS system would become fragmented, with registrars in (at least) Germany collecting and disclosing fewer categories of personal data than registrars elsewhere.