GDPR v. WHOIS: ICANN brings dispute with German registrar to Court

In our previous article, we presented the challenges the domain name system will face due to the changes introduced by the European Union's General Data Protection Regulation (GDPR). Determined to find a balance between the new data protection rules and the security and stability of the Internet (including the interest of intellectual property rights owners) the Internet Corporation for Assigned Names and Numbers (ICANN) adopted a Temporary Specification. This document provides legal purposes for the collection and process of WHOIS data and their transfer between registrars, registries and escrow agents. It means, that registrars continue to be obliged to collect these data according to their contract with ICANN, however the publicly available part of the WHOIS data was drastically reduced.

One of the registrars in Germany, EPAG (part of the Tuscow Group), had an interesting view on this. They notified ICANN, that as of May 25 2018, they will not collect technical and administrative data when selling domain names as it would not be compatible with GDPR. Right on the day when the GDPR came into force, ICANN filed injunction proceedings against EPAG at the Regional Court of Bonn. They asked the Court to order the defendant to cease and desist from offering and/or registering second level domain names without collecting certain technical and administrative data of the registrant. ICANN argues that the changes introduced by the Temporary Specifications have sufficiently implemented GDPR in the domain name registration system, therefore the contractual obligations between the registrars and ICANN should remain unchanged. EPAG, on the other hand, cannot agree with this broad interpretation and reached the conclusion that they cannot legally collect these additional information from registrants after GDPR is enforceable.

ICANN may have hoped that the decision of the Court would give an answer regarding the general interpretation of GDRP in terms of domain name registrations, especially WHOIS. As we have discussed earlier, the non-public nature of WHOIS data does not mean that those are not available for e.g. intellectual property rights owners. This was reinforced by the WIPO Arbitration and Mediation Center January 2018. They stated that UDRP providers must have access to WHOIS data in order to fulfill their obligation. Therefore, those who have legitimate interest in initiating domain dispute resolution procedures should not be worried, the procedure would be the same.

The Court delivered the judgment in a timely fashion and rejected ICANN`s application for preliminary injunctions. However, the decision did not exactly clarify the relationship between GDPR and WHOIS. Since the original request was only about the collection of technical and administrative data the Court only reflected to the collection of these not the registrant data itself or the publicly available nature of these data. It means that, as long as the registrant data are recorded, the registrar should not be obliged to collect and process the additional technical and administrative data as well (while there may be some differences between the three data categories, the same personal data could be used in registrant, administrative and technical data records). The registrant data provides information about the registrant who is primarily responsible for the domain name. These data should be sufficient for the legal purposes to which ICANN is referring. Consequently, those seeking remedy based on legitimate interests against a domain registration will continue to be able to access enough data to start the relevant procedures.

The case was therefore an attempt from ICANN to uphold the contractual obligation of the registrars with respect to the complete WHOIS data (including administrative and technical data records). The decision of the Regional Court of Bonn does not mean however that registrars would not be contractually obliged to collect data regarding the holder of the domain name at all. The legitimate interest relating to security and e.g. protection of intellectual property rights will not be jeopardized by GDRP.

// Eszter Kurtan & Monika Colak