Out-Law / Your Daily Need-To-Know

EU court could settle ICANN data gathering dispute

Out-Law News | 18 Jun 2018 | 12:55 pm | 1 min. read

The amount of data that domain name registrars can be forced to gather on people operating websites could be determined by the EU's highest court.

The internet’s global domain name organisation, the Internet Corporation for Assigned Names and Numbers (ICANN), has appealed a recent ruling by a court in Germany on the issue, which concerns how new EU data protection laws should be interpreted.

ICANN has said the appeals court should ask the Court of Justice of the EU (CJEU) to help it interpret the General Data Protection Regulation (GDPR) if it is unsure how the law applies in the context of so-called 'WHOIS' data.

Earlier this summer, Regional Court of Bonn rejected ICANN's request for a court order to be issued against domain name registrar EPAG Domainservices. ICANN wanted the court to force EPAG to collect the personal data of technical and administrative contacts of organisations that register domain names with it.

Although EPAG does collect the domain name holder's contact data in accordance with the terms of its contractual agreement with ICANN, ICANN challenged EPAG's right to waive the collection of further details of technical and administrative contacts. It argued that EPAG was contractually obliged to collect the additional personal data and that it needed the information to achieve its purposes.

Information that serves to identify the people behind domain name registrations is published on the WHOIS system, a series of online databases. The data is useful for a range of purposes necessary for the operation of the internet, but is also used upon by law enforcement agencies and by intellectual property (IP) owners seeking to enforce their IP rights.

EPAG had previously collected the information but said it had stopped doing so comply with the GDPR.

The Regional Court of Bonn ruled that ICANN had failed to show that the collection of the contact information was necessary, as required by the GDPR.

Now ICANN has lodged an appeal before the Higher Regional Court of Cologne in Germany.

"If the Higher Regional Court does not agree with ICANN or is not clear about the scope of the European Union’s General Data Protection Regulation (GDPR), ICANN is also asking the Higher Regional Court to refer the issues in ICANN’s appeal to the [CJEU]," ICANN said in a statement.

The body said there would be consequences for organisations pursuing "legitimate purposes" if its appeal fails.

"ICANN appreciates and understands the dilemma of EPAG in trying to interpret the GDPR rules against the WHOIS requirements, but if EPAG's actions stand, those with legitimate purposes, including security-related purposes, law enforcement, intellectual property rights holders, and other legitimate users of that information may no longer be able to access full WHOIS records," ICANN said.

"In addition to the court proceedings, ICANN is continuing to pursue ongoing discussions with the European Commission and the European Data Protection Board to gain further clarification of the GDPR as it relates to the integrity of WHOIS services," it said.