The Internet Corporation for Assigned Names and Numbers (ICANN) filed on Friday May 25, 2018 (first day of the GDPR enforcement) injunction proceedings against EPAG, a Germany-based, ICANN-accredited registrar that is part of the Tucows Group.
ICANN has taken this step to ask the court for assistance in interpreting the European Union’s General Data Protection Regulation (GDPR) in order to protect the data collected in WHOIS.
The court will be no help at that!
ICANN’s “one-sided filing” in Bonn, Germany, claims to seek a court ruling to ensure the continued collection of all WHOIS data, so that such data remains available to parties demonstrating legitimate purpose to access it, consistent with the GDPR.
In short, ICANN looked for a scapegoat and found it in the form of the German registrar. ICANN’s incompetency has been remarkable. Too stupid, too late.
EPAG recently informed ICANN that when it sells new domain name registrations it would no longer collect administrative and technical contact information, as it believes collection of that data would violate the GDPR rules. ICANN requires that information to be collected, via its contract with EPAG which authorizes it to sell generic top-level domain name registrations. ICANN recently adopted a new Temporary Specification regarding how WHOIS data should be collected and which parts may be published, which ICANN believes is consistent with the GDPR.
So this institution is not based on facts as EPAG could still be collecting all whois data. ICANN did not actually check to see if its data collection requirements where fulfilled before filling the injunction.
“We are filing an action in Germany to protect the collection of WHOIS data and to seek further clarification that ICANN may continue to require its collection. It is ICANN’s public interest role to coordinate a decentralized global WHOIS for the generic top-level domain system. ICANN contractually requires the collection of data by over 2,500 registrars and registries who help ICANN maintain that global information resource,” said John Jeffrey, ICANN’s General Counsel and Secretary. “We appreciate that EPAG shared their plans with us when they did, so that we could move quickly to ask the German court for clarity on this important issue. We also appreciate that EPAG has agreed that it will not permanently delete WHOIS data collected, except as consistent with ICANN policy.”
“If EPAG’s actions stand, those with legitimate purposes, including security-related purposes, law enforcement, intellectual property rights holders, and other legitimate users of that information may no longer be able to access full WHOIS records.”
“ICANN does not seek to require its contracted parties to violate the law. EPAG’s position has identified a disagreement with ICANN and others as to how the GDPR should be interpreted. This lawsuit seeks to clarify that difference in interpretation. In its 17 May 2018 adoption of the Temporary Specification for gTLD Registration Data, the ICANN Board noted that the global public interest is served by the implementation of a unified policy governing aspects of gTLD registration data when the GDPR goes into effect.”
“The ICANN org is committed to enforcing our contracts to the fullest extent the law allows and preserving the integrity of the WHOIS system,” said ICANN President and CEO Göran Marby.
“The Temporary Specification, effective today, still requires gTLD registry operators and registrars to collect all registration data. If you submit a WHOIS query for a registration subject to the GDPR, you will only receive “thin” data in return, which includes technical data sufficient to identify the sponsoring registrar, status of the registration, and creation and expiration dates for each registration, but not personal data. Additionally, you will have access to an anonymized email address or a web form to facilitate email communication with the relevant contact for that registration. If you are a third party with legitimate interests in gaining access to the non-public data held by the gTLD registry operator or registrar, there are still ways for you to access that data. You can look up the sponsoring registrar and contact them, and they are obligated to respond to you in a reasonable time.”
“If you do not get a response, ICANN’s complaint mechanisms will be available for you to use. If you find individual parties who you believe are not complying with their obligations under this Temporary Specification or their agreements with ICANN, you may contact ICANN’s Contractual Compliance Department to file a complaint.”
“ICANN appreciates the ongoing discussions with the European Commission, and WP29, together with all of the ICANN stakeholders. However, ICANN has seen steps taken by some of our contracted parties that violate their contractual agreements with ICANN. Thus, ICANN must file this action now to both prevent permanent harm to the public interest and seek clarification of the laws, as they relate to the integrity of the WHOIS services.”