The implementation of the European Union’s General Data Protection Regulation (GDPR) has caused problems for the domain name industry. ccTLD registries were mostly late in announcing how they would deal with its impact, with most announcing changes to the registrant data they collect at registration only in the weeks leading up to its adoption. But for gTLDs it was a different story. ICANN, which is responsible for the policies on what information is collected, only announced a “temporary specification” on what information is collected for gTLDs one week before the GDPR came into being on 25 May.
The temporary specification, which must be reaffirmed every 90 days, applies to all generic top-level domains (gTLDs) such as .com, .berlin and .xyz. Under it, Registry Operators and Registrars are still required to collect comprehensive Whois information for all gTLDs. However, Whois queries will only receive “Thin” data in return: technical data sufficient to identify the sponsoring Registrar, the status of the registration, and the creation and expiration dates for each registration, but no personal data.
For third parties with legitimate interests in gaining access to the non-public data held by the Registry Operator or Registrar, there are still ways to access that data. Queries can be made through the sponsoring Registrar, which is obligated to respond in a reasonable time. If a response is not received, ICANN will have a complaint mechanism available. If it is thought individual parties are not complying with their obligations under these temporary specifications or their agreements with ICANN, ICANN’s Contractual Compliance Department can be contacted to file a complaint.
However, one Registrar, the German EPAG, decided that ICANN’s requirements weren’t compliant with the GDPR and refused to collect the data ICANN required of them as per their Registrar Accreditation Agreement. EPAG, and their parent company Tucows, took the view that ICANN’s requirements went over and above what the EU’s GDPR required.
The GDPR, EPAG notes, has data minimisation as one of its key principles: collecting and processing only that personal data that is necessary. Tucows acknowledges that the ability to contact the registrant is essential; however, in the vast majority of gTLD registrations, the Registrant (Owner), Admin, and Tech contacts are the same. As such, the collection of Admin and Tech contacts is meaningless, as the data belongs to the Registrant. The collection of this “contact data is problematic because it requires us to store and process personal data belonging to people with whom we have no legal or contractual relationship.”
Tucows also took the view that the temporary specification doesn’t offer a robust legal basis for the transfer of data to registries and therefore presents an unacceptable risk under the GDPR. They also viewed the requirement to publish the organisation, state/province, and country fields in the public Whois as being superfluous.
This led to a fundamental disagreement between Tucows and ICANN as to how the GDPR impacts the RAA.
“The facts and the law, as we see them, do not support ICANN’s broader view of what will impact the security and stability of the internet. Neither do we find the purposes outlined in the temporary specification proportional to the risks and consequences of continuing to collect, process and display unnecessary data.”
As a result, ICANN took Tucows to court to seek clarification. At the end of May, the Regional Court in Bonn sided with Tucows and said it wouldn’t issue an injunction that would have forced them to comply. So in mid-June ICANN filed an appeal to the Higher Regional Court of Cologne to try and force the collection of the registration data ICANN requires. ICANN is asking the Higher Regional Court to issue an injunction that would require EPAG to reinstate the collection of all Whois data required under EPAG’s Registrar Accreditation Agreement with ICANN.
If the Higher Regional Court doesn’t agree with ICANN or is not clear about the scope of the GDPR, ICANN is also asking the Higher Regional Court to refer the issues in ICANN’s appeal to the European Court of Justice.
ICANN is likely to be spending millions on a legal bid that could see it appealing several times if it keeps losing. One could argue there is a fundamental misunderstanding in how American-based organisations such as ICANN view European law, and in this case the GDPR. American-based organisations seem quite keen to take on European lawmakers, the latest being Google, which was fined €4.34 billion by the European Commission in July.