Ruling by German court creates further WHOIS and GDPR complications for ICANN
A German court has ruled against ICANN, the organization tasked with overseeing the internet domain name system (DNS), over its attempt to compel one of its contracted registrars to collect administrative and technical contact details for WHOIS, a public database of domain registrants.
The ruling (PDF) comes after EPAG, a German domain registrar, declared it will no longer collect administrative and technical data for WHOIS, as it believes doing so contravenes the EU’s General Data Protection Regulation (GDPR).
EPAG is a subsidiary of Tucows, which is second only to GoDaddy for total global domain registrations.
ICANN contends EPAG is contractually obliged to collect technical, administrative and personal registration data on domain registrants, while EPAG states collecting this additional data will violate the GDPR provision on “data minimisation”.
Data minimization is covered by Article 5(1)(c) of the GDPR, which states, “personal data shall be…adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’)”.
ICANN sought an injunction against EPAG; however, the court ruled that its lawsuit was “unfounded”.
The court order states that while EPAG has a contractual obligation to collect administrative and technical data, its agreement with ICANN also provides that it must “comply with applicable laws and regulations.”
The court order also states that ICANN failed to demonstrate that the collection of additional data is “indispensable” for its purposes.
In an announcement on ICANN’s website, John Jeffrey, the organization’s General Counsel, states, “While ICANN appreciates the prompt attention the Court paid to this matter, the Court’s ruling today did not provide the clarity that ICANN was seeking when it initiated the injunction proceedings.
“ICANN is continuing to pursue the ongoing discussions with the European Commission, and WP29, to gain further clarification of the GDPR as it relates to the integrity of WHOIS services.”
ICANN’s primary concern is that the court only ruled that EPAG was not obligated to collect the additional data; it did not rule on whether collecting technical and administrative data contravenes the GDPR.
The court’s ruling follows an ICANN temporary specification announced on May 17th that outlines how registrars and registries should handle WHOIS data under the GDPR.
The temporary specification outlined what data should be available in WHOIS and how access to it should be restricted. However, ICANN faced criticism for waiting until May 17th, 8 days before the GDPR came into force, to publish guidance on how registrars and registries should comply with the new privacy law.
ICANN also asked for a one-year moratorium to formulate a solution for bringing WHOIS into compliance, which was rejected by the EU.