ICANN has been nothing but persistent in its battles over the data collected from registrants of generic top level domain names (WHOIS) losing battles in the German courts 4 out of 4 times to date, the latest being in September when they lost an appeal.
The battle began when German registrar EPAG, these days part of Tucows, refused to collect the required registrant data for the gTLDs, such as .com and .saarland, as per their Registrar Accreditation Agreement they have signed with ICANN. The RAA in part specifies what registrant data must be collected upon registering a domain name for gTLDs. EPAG believed that the “Temporary Specification” ICANN introduced in response to the European Union’s General Data Protection Regulation (GDPR) wasn’t compatible with the GDPR that came into effect in May 2018.
The goal of the Temporary Specification was to serve as a stop-gap to bring gTLD registration services in line with the GDPR while the ICANN community works to resolve and balance issues between privacy law and existing ICANN policy. EPAG had 3 concerns with the Temporary Specification based around “Personal Data Transfer to a Registry”, “Personal Data Display” and “Desire for Clarity”. As a result EPAG refused to collect certain registrant data and so ICANN took them to court in Germany and the subsequent 4 out of 4 losses.
In late November the Expedited Policy Development Process (EPDP) Team, who is considering the Temporary Specification for gTLD Registration Data, announced the publication of their Initial Report and opening of the Public Comment period. This Initial Report contains the preliminary recommendations of the EPDP Team and a set of questions for public review and comment.
As part of the consultation ICANN is seeking comments on the Initial Report on issues including what data is collected from domain name registrants, the transfer of the data collected between registrars, registries, escrow providers and ICANN, what information is necessary, who has access to the information collected, what is “reasonable access” and a “lawful basis” to the data collected, policy updates relating to dispute resolution.
Depending on the outcomes of the consultation, it could end up with a GDPR compliant policy relating to the collection of domain name registration data and lead to an end of the court battle in Germany.
