ICANN loses early decision on WHOIS data under GDPR

ICANN (the Internet Corporation for Assigned Names and Numbers) has been unsuccessful in an early German interlocutory application under the GDPR. The decision relates to the collection and publication of information about persons associated with domain names, known as WHOIS data.

The GDPR, ICANN and WHOIS

The GDPR is a new privacy regulation which commenced in late May 2018. The GDPR broadly affects the collection of personal information from EU residents and affects businesses that operate or have customers within the EU (even if the business is not itself situated there).

ICANN is the organisation charged with administering domain names globally and has raised significant concerns about the imposition of the GDPR, particularly from the perspective or intellectual property right holders.

The GDPR has the effect of significantly clamping down use and publication of personal information for individuals and businesses connected with the EU.

WHOIS data contains information about a particular registered domain name. It provides the identity of the domain name holder and various other people associated with a domain name.

Traditionally, WHOIS data includes "Administrative Contact", "Technical Contact" and "Registrant Contact" information, along with other information to identify the nameservers and status of a given domain name.

In recent times, ICANN has subcontracted the collection of that data to domain registrars (organisations that provide domain name registration services to the public through domain name resellers).

The advent of the GDPR throws into question, and significant uncertainty, the legality of collecting and displaying that data - at least in relation to EU-based domain holders.

IP right advocates argue that the ability to identify the holder of a domain name is critical to achieve a number of legitimate purposes, such as the ability to enforce legal rights in the case of intellectual property infringement and to counter criminal and terrorist activity.

On the other hand, the GDPR recognises the need to protect the privacy of individuals, whose personal information until now has been accessible in WHOIS records.

The Decision

The decision is from the German Regional Court of Bonn.

EPAG Domainservices GmbH (EPAG) is a domain registrar. Pursuant to its Registrar Agreement with ICANN, EPAG would collect and publish Domain Registrant, Administrative Contact and Technical Contact data in the course of providing domain registration services.

However, in anticipation of the GDPR's commencement, EPAG announced to ICANN that it inteded to cease collection and publication of Administrative Contact and Technical Contact information for domain names it registered.

ICANN applied to the Court for interlocutory orders to compel EPAG to continue collecting the data. The application was ultimately unsuccessful.

The Court ruled that while a clause existed in the Registrar Agreement requiring EPAG to collect the data, this clause was incompatible with the GDPR requirements. (The Court noted that the Agreement also contained a clause requiring the EPAG to comply with local laws.)

The Court held that collection of the Administrative Contact and Technical Contact data went beyond what was necessary to achieve ICANN's purpose:

The Applicant [ICANN] has not demonstrated that the storage of other personal data than that of the domain holder, which continues to be indisputably collected and stored, is indispensable for the purposes of the Applicant.

The collection of Domain Name Registrant's personal data was not in dispute in the proceedings. However, the Court appeared to consider that the collection of a domain name Registrant's identification information would be sufficient to allow ICANN to achieve its aims of IP right enforcement and counter-terrorism and anti-criminal measures:

In so far as the general interests to be ensured by the Applicant relate primarily to criminally relevant or otherwise punishable infringements or security problems which the Applicant watches over, the Chamber considers that this need is satisfied solely by the collection and storage of the data of the domain holder willing to register.

On that basis, the Court denied ICANN's application.

Outcomes

The decision provides some clarification of the uncertainty surrounding the application of GDPR regulations to WHOIS data. While further judicial consideration will be necessary to achieve better certainty, the decision at least suggests that:

• domain registrars may elect not to collect “unnecessary” data from their customers;
• there is acknowledgement that the need to be able to identify a domain name holder has a legitimate purpose.

Further reading

Internet Corporation for Assigned Names and Numbers v EPAG Domainservices GmbH (29 May 2018) (English Transaltion [PDF] NB: The English translation is not an official record)