As I noted over the weekend, ICANN has instigated legal action against Epag, an ICANN-accredited registrar based in Germany that is part of the Tucows group.
ICANN claims that the case is to “preserve WHOIS data”, but Tucows asserts in their statement that the ICANN approach is flawed. It’s not a frivolous statement, but one they’ve backed with a fairly detailed rationale – and this is just their public statement and not a formal legal filing.
Tucows explains that they rebuilt their systems and processes based on GDPR and its principles:
In order to have a domain registration system reflective of “data protection by design and default”, we started with the GDPR itself and crafted our procedures and policies around it. We built a new registration system with consent management processes, and a data flow that aligns with the GDPR’s principles. Throughout the registration life-cycle, we considered things like transparency, accountability, storage limitation, and data minimization.
ICANN’s temporary specification, which was only finalised about a week before the May 25th GDPR deadline, requires registrars to collect and process all existing domain name registration contacts, which Tucows had issues with for a number of reasons:
...it also required us to collect and share people’s information where we may not have a legal basis to do so. What’s more, it required us to process personal information belonging to people with whom we may not even have a direct relationship, namely the Admin and Tech contacts.
From exchanges I’ve had with several large registrars it’s apparent that in many, if not the majority, of cases the contacts are identical, which is something that Tucows note:
However, in the vast majority of gTLD registrations, the Registrant (Owner), Admin, and Tech contacts are the same. As such, collection of Admin and Tech contacts is meaningless, as the data belongs to the Registrant.
So the case in Germany will, in Tucows’ view, come down to whether ICANN’s rationale for collecting and processing all of these contacts is really viable in relation to GDPR. Kevin provided an overview of how the various ccTLDs across Europe are handling WHOIS in light of GDPR, and while there is divergence, many of them have reduced collection and display. In many cases the only data that is being processed relates to the registrant.