ICANN, the organization tasked with overseeing the internet’s domain space, has appealed a decision made by a German court last month over the information that should be collected on domain registrants.
The German court’s decision was the latest development in a situation that has left many registrars unclear on what approach to take to WHOIS, a public database of domain registrants, in order to comply with the EU’s General Data Protection Regulation.
The court ruled that while EPAG, which is a subsidiary of the world’s second largest domain registrar, Tucows, has a contractual obligation to collect data to prevent misuse, it’s not required to collect the additional data ICANN wants it to collect, e.g. administrative and technical contact data.
ICANN argues that while the court ruled that EPAG was only required to collect data on the domain holder, it didn’t rule whether collecting technical and administrative contact data contravened the GDPR.
In its appeal (PDF), ICANN is asking the court to order EPAG to collect the additional data requested or face a penalty of 250,000 EUR.
ICANN notes that the court’s original decision was based on a “universal legal principle that a party may only demand performance of contractual obligations to the extent such performance does not violate any applicable laws”.
While ICANN doesn’t dispute this principle, it claims EPAG can only refuse to fulfil its obligations under this principle “if there [is] no lawful way to fulfil such obligation.”
ICANN claims there is a lawful basis, and it points to collecting administrative and technical data that does not constitute “personal data.”
It also points to collecting administrative and technical contact data that does not constitute “personal data” but where processing is justified under Article 6 (1) of the GDPR.
Article 6 of the GDPR determines the lawful bases under which organizations can collect data, and those bases include legitimate interest, consent and “necessity for performance of a contract.”
It argues that its agreements with EPAG don’t require it to collect data in any specific way and, as such, the court’s decision is “not tenable.”
Further, it claims that as EPAG is free to determine the lawful basis under which it collects data, it’s thus able to comply with both the GDPR and its contractual obligations with ICANN.
It also goes on to state that the court acknowledges that EPAG can collect data from the data subject provided it has the consent of the data subject.
Despite this, it highlights that EPAG doesn’t collect administrative or technical contact data in any case, irrespective of whether the data constitutes personal data or not, or whether it is given with the data subject’s consent.
It claims this is a clear breach of EPAG’s contractual obligation and is not justified under the GDPR.