ICANN asks German court for GDPR clarity over Whois

On the same day as the EU’s General Data Protection Regulation (GDPR) came into force, ICANN filed injunction proceedings against a domain name registrar in an effort to clarify how the new regulation should be interpreted.

ICANN announced the legal action against EPAG, part of the Tucows Group and a provider of internet services, on Friday, May 25.

The organisation said it filed injunction proceedings in Bonn, Germany, where EPAG is based, to ensure that data collected for the Whois system is protected in accordance with the GDPR. The regulation came into force on May 25 and is designed to harmonise data privacy laws across Europe.

Under the Whois system, domain name registries and registrars must provide public access to information on registrants, including their names and addresses.

According to ICANN’s release, EPAG recently said that it would no longer be collecting administrative and technical contact information when it sells new domain name registrations because to do so would violate the GDPR.

Under the terms of the contract between ICANN and EPAG, the registrar is entitled to sell registrations within generic top-level domains (gTLDs) but must collect administrative and technical contact information.

ICANN recently adopted a new temporary specification regarding how such data is collected and which parts may be published, in order to comply with the GDPR. The specification, which was  approved by ICANN on May 17, still requires registry operators and registrars to collect all registration data.

John Jeffrey, general counsel and secretary at ICANN, said: “We are filing an action in Germany to protect the collection of Whois data and to seek further clarification that ICANN may continue to require its collection.”

He added: “It is ICANN’s public interest role to coordinate a decentralised global Whois for the gTLD system. ICANN contractually requires the collection of data by over 2,500 registrars and registries who help ICANN maintain that global information resource."

ICANN has asked the court for “clarity on this important issue”, Jeffrey said.

If EPAG’s actions are approved by the court, legitimate users of information such as law enforcement and IP owners may no longer be able to access Whois records, ICANN claimed.

In response to the lawsuit, Tucows said it has built a new registration system which “aligns with the GDPR’s principles”.

“The domain name registration process, as outlined in ICANN’s 2013 Registrar Accreditation Agreement, not only required us to collect and share information we didn’t need, it also required us to collect and share people’s information where we may not have a legal basis to do so,” according to Tucows.

It added that the company will “continue to ensure that those with legitimate purposes, including law enforcement, intellectual property, and commercial litigation interests will have access to domain registrant information”.

ICANN initially proposed interim changes to the Whois system in February, but in April Europe’s data protection authorities concluded that the proposed solution did not go far enough.