The Internet Corporation for Assigned Names and Numbers (“ICANN”) today announced that a German regional court (LG Bonn) has issued a decision on the injunction proceedings ICANN initiated against EPAG, a Germany-based, ICANN-accredited registrar that is part of the Tucows Group. The Court has determined that it would not issue an injunction against EPAG.
Last Friday, ICANN filed the matter with the German regional court which ruled today, seeking assistance in interpreting the European Union’s General Data Protection Regulation (GDPR) in order to protect the data collected in WHOIS.
In particular, ICANN requested a clarification from the Court about whether EPAG should be obligated to continue to collect administrative and technical contact information for new domain name registrations, as it is required to do under its Registrar Accreditation Agreement with ICANN. EPAG originally had indicated that it would delete the contact information, but had withdrawn its intentions to do so after engaging in dialogue with ICANN.
ICANN asked the Court to intervene after learning that EPAG no longer intended to collect such data, citing the GDPR law implementation as its rationale. ICANN had long required full WHOIS data to be collected, and was requiring registrars such as EPAG to continue to collect the data after the GDPR went into full effect. ICANN modified its requirements surrounding how others could access this data, limiting access only to those who could demonstrate a legitimate purpose (such as in cases of criminal activity, intellectual property infringement or Internet Security problems). Assessing and identifying a legitimate purpose is a requirement identified in the GDPR.
In rejecting the injunctive relief, the Court ruled that it would not require EPAG to collect the adminsitrative and technical data for new registrations. However, the Court did not indicate in its ruling that collecting such data would be a violation of the GDPR. Rather, the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse the security aspects in connection with the domain name (such as criminal activity, infringement or security problems).
The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.
“While ICANN appreciates the prompt attention the Court paid to this matter, the Court’s ruling today did not provide the clarity that ICANN was seeking when it initiated the injunction proceedings,” said John Jeffrey, ICANN’s General Counsel and Secretary. “ICANN is continuing to pursue the ongoing discussions with the European Commission, and WP29, to gain further clarification of the GDPR as it relates to the integrity of WHOIS services.”