ICANN appeals against GDPR injunction refusal

ICANN has appealed against a decision by the Regional Court in Bonn, Germany not to issue an injunction against a domain name registrar in a case centering on the General Data Protection Regulation (GDPR).

The appeal was filed at the Higher Regional Court of Cologne, Germany, on Wednesday, June 13.

On May 25, the day that the EU’s GDPR came into force, ICANN filed injunction proceedings against domain name registrar EPAG in an attempt to clarify how the new data protection rules should be interpreted.

The proceedings were filed in Bonn where EPAG, part of the Tucows Group, is based and, according to ICANN, were filed in an effort to ensure that data collected for the Whois system is protected in accordance with the GDPR.

Under the Whois system, domain name registries and registrars must provide public access to information on registrants, including their names and addresses.

In response to the lawsuit, Tucows said it has built a new registration system which “aligns with the GDPR’s principles”.

ICANN requires full Whois data to be collected and ordered registrars to continue collecting administrative and technical data after the GDPR came into effect. However, EPAG indicated that it would delete the contact information for new domain name registrations following the introduction of the new regulation.

The court in Bonn refused to issue the injunction on May 30. It said that because a registrant can provide the same data elements for that registration as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional information for these contacts. 

According to ICANN, the court ruled that it would not require EPAG to collect the administrative and technical data for new registrations, but did not indicate whether collecting such data would be a violation of the GDPR.

ICANN said it is now asking the Higher Regional Court of Cologne to issue an injunction which would require EPAG to reinstate the collection of all Whois data, as required under EPAG’s agreement with ICANN.

If the higher court does not agree with ICANN’s reasoning or is unclear about the scope of the GDPR, it should refer the issues in the appeal to the Court of Justice of the European Union, ICANN said.

ICANN added that it “appreciates and understands the dilemma of EPAG in trying to interpret the GDPR rules against the Whois requirements”, but EPAG’s actions mean that legitimate users such as IP rights owners may not be able to access full Whois records.

John Jeffrey, general counsel and secretary at ICANN, said: “We are continuing to seek clarity of how to maintain a global Whois system and still remain consistent with legal requirements under the GDPR.”

In April, initial changes proposed to the Whois system were criticised by Europe’s data protection authorities for allegedly not going far enough.

ICANN’s recently adopted temporary specification regarding how such data is collected and which parts may be published, in order to comply with the GDPR, still requires registry operators and registrars to collect all registration data.