Last Friday ICANN took German registrar EPAG to court in Germany.
German courts seem to be pretty fast, so instead of having to wait weeks or months to see how they’d rule, we’ve already got the answer.
The German court in Bonn has ruled that EPAG (Tucows) is not obliged to collect extra contacts beyond the domain name registrant.
The decision, naturally, is in German, but there is a translation into English that we can use to understand how the court arrived at this decision.
So how did this play out?
According to the court documents both parties agreed to settling the dispute in a German court, thus waiving the standard arbitration clause in the ICANN contract with registrars. As EPAG is based in Bonn the venue wasn’t really at issue.
But what about the matter under dispute? How did the court view that?
ICANN had stated in its filing that these extra contacts were crucial:
The technical contact and the administrative contact have important functions. Access to this data is required for the stable and secure operation of the domain name system, as well as a way to identify those customers that may be causing technical problems and legal issues with the domain names and/or their content. Therefore, GDPR provisions do not prevent the Defendant from collecting these data elements. If the Defendant does not collect the requisite technical contact or administrative contact information among other things, the secure operation of the domain name system and other legitimate uses of the data, such as law enforcement trying to locate bad actors that use the domain name system for criminal activity, will be in jeopardy.
To paraphrase the ruling a little, the extra contacts aren’t necessary for a domain to be registered, so under GDPR’s principle of data minimisation forcing the registrar to collect and process them is not legal.
The court went further and provided a fairly detailed rebuttal of ICANN’s claims that the extra contact details (admin-c, tech-c, billing-c) were necessary in order to maintain the security and stability of the ‘net. In the court’s view the domain holder was sufficient to handle any and all issues related to a domain name, as it’s clear that in many cases the domain holder (registrant) is also the person looking after the other aspects of the domain. In ICANN’s filings with the court there were also references.
In so far as the general interests to be ensured by the Applicant relate primarily to criminally relevant or otherwise punishable infringements or security problems which the Applicant watches over, the Chamber considers that this need is satisfied solely by the collection and storage of the data of the domain holder willing to register (whereby the Chamber does not see why less data is collected on the domain holder than on the additional categories Tech-‐C and Admin-‐C). Against the background of the principle of data minimization, the Chamber is unable to see why further data sets are needed in addition to the main person responsible. In any case, with regard to the so-‐called Tech-‐C, the Applicant also speaks decisively of the solution of (purely) technical problems, which, however, can only be indirectly related to the safety aspects in the foreground.
Above all, it must be taken into account that according to the concurring argument of both parties in this respect, the same personal data could be used in all three categories, i.e. those of the domain holder himself, the so-‐called Tech-‐C as well as the Admin-‐C, i.e. with corresponding information from a registrant only one data record instead of three was collected and stored and this also in the past did not lead to the fact that a registration of the domain had to be denied in the absence of data going beyond the domain holder himself. However, if this was possible and should continue to be possible, this is proof that any data beyond the domain holder -‐ different from him -‐ was not previously necessary to achieve the purpose of the Applicant. If they had been necessary in the real sense, it would not have been possible to do without them before; rather, a registration would have been made dependent on the specification of different data records in terms of content and such a registration would not otherwise have been approved. Insofar as the choice of providing different contact data for the Tech-‐C and Admin-‐C from the domain holder was in fact already made in the past by the person who wanted to register (and was not an indispensable prerequisite for registration by the Defendant), this means that the person wishing to register will also be able to voluntarily provide their consent to the collection and storage of corresponding personal data in the future (Art. 6 para. 1 lit. a) GDPR and para. 7.2.2 of the RAA) -‐ but he was not forced to do so even before. It does not even matter whether the Defendant’s information to the number of domain holders who have not provided different contact details is accurate.
The court was also rather confused by ICANN’s references to a trademark register and flat out rejected it.
Insofar as the Applicant bases its claim to relief on a parallel of the so-‐called “WHOIS” system to international agreements on trade mark registers, the Chamber is unable to follow this. The legal basis for the trademark registers on the basis of international agreements is missing in relation to the “WHOIS” service claimed by the Applicant. The fundamental comparability of the respective general need for protection does not change this.
So how is ICANN portraying this loss?
In their announcement of the court loss ICANN’s General Counsel seems to be indicating that this case is not the end of the story:
“While ICANN appreciates the prompt attention the Court paid to this matter, the Court’s ruling today did not provide the clarity that ICANN was seeking when it initiated the injunction proceedings,” said John Jeffrey, ICANN’s General Counsel and Secretary. “ICANN is continuing to pursue the ongoing discussions with the European Commission, and WP29, to gain further clarification of the GDPR as it relates to the integrity of WHOIS services.”
That reaction is a little confusing to observers like myself. If the court has ruled against ICANN surely that is all the clarity that’s needed? ICANN has been in touch with individual DPAs as well as Article 29, which has now been replaced by the European Data Protection Board, several times in recent months.
However there might be more at play here than initially meets the eye. ICANN is probably coming under a lot of pressure from the US government and other interests in relation to public whois. Recent speeches by US Department of Commerce’s head honcho David Redl in multiple venues have underlined the US government’s fixation with full public whois.
So where does this ruling leave the temporary specification that ICANN pushed through recently?
As the GDPR is a regulation and not a directive the ruling in Germany should provide cover for registrars and registries in other countries in the EU, though whether ICANN’s legal department will take the same view is not clear. Based on their response last night I suspect they probably don’t want to view the Bonn ruling as binding.
ICANN’s GNSO Council is meeting with the ICANN Board in the next few days to discuss the process involved in rectifying the gaps between the temporary specification and existing contracts and policies. The clock is ticking and there is less than 1 year for the ICANN Community to resolve the issues before the temporary specification is no more.