di Davide Baldini
Introduction
On 25 May 2018, the Internet Corporation for Assigned Names and Numbers (“ICANN”), the non-profit organization which coordinates the allocation of unique names addresses on the internet, filed a motion for the issuance of a preliminary injunction against the accredited Registrar EPAG Domainservices GmbH, as the latter decided not to comply with its contractual obligations due to data protection concerns. On 30 May 2018, the Regional Court of Bonn (the Landgericht Bonn) has issued its preliminary decision on the case, which has been further confirmed by the Appellate Court of Cologne (the Oberlandesgericht Köln) on 3 September 2018.
The litigation between ICANN and EPAG is rooted within the well-known issues of compatibility between the WHOIS system managed by ICANN. The WHOIS is a decentralized data system, which aims to provide anyone the possibility to obtain contact information of persons who have registered Internet resources, such as domain names and internet protocol or “IP” addresses, mostly for purposes relating to law-enforcement and protection of intellectual property rights. To that end, the WHOIS system gathers – and thus processes – many personal data relating to the registrant of a domain name.
The inherent compatibility issues of the WHOIS system and of ICANN contracts and policies vis-à-vis GDPR obligations has already been thoroughly addressed and has been the subject of much debate,[1] even within ICANN’s community.[2] This brief article focuses instead on examining the aforementioned litigation matter between ICANN and EPAG.
Pre-litigation phase
As an accredited Registrar of generic Top-Level Domains (“gTLDs”, such as .com and .org), EPAG is authorized by a (non-negotiable) agreement concluded with ICANN to assign domain names to natural and legal persons seeking for such assignments.
Under the agreement, EPAG is obliged to collect and store in its own database the personal data relating not only to the registered name holder, but also to the administrative and technical contacts relating to the registered name. These contractual obligations serve to set the minimum requirements for WHOIS data and ensure the availability of WHOIS information.
Not long before the direct applicability of Regulation (EU) 2016/679 (“General Data Protection Regulation” – “GDPR”), EPAG notified ICANN of its intention to waive the collection and storage of personal data relating to the administrative and technical contacts, as the processing of such data for the purpose of registering a domain name is deemed by EPAG to be in contrast with the principle of data minimization set forth by art. 5(1)(C) GDPR, which prescribes that personal data be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. In EPAG’s opinion, only the processing of personal data relating to the registered name holder satisfy this principle, but not that relating to admin and tech, as those data are not strictly necessary for issuing the registration.
The ruling of the Landgericht Bonn
In the subsequent lawsuit,[3] ICANN asked Regional Court of Bonn for injunctive relief against EPAG, requesting the enforcement – under a penalty of EUR 250.000 – of the clauses of the Registrar contract which obliged EPAG to collect and store such personal data. In particular, ICANN stressed the fact that the processing of personal data at hand is absolutely necessary to achieve ICANN’s purposes, and that the GDPR is not opposed to this.
The Court, in its preliminary decision dated 30 May 2018[4], has rejected ICANN request for the injunction, on the grounds that the collection and storage of data relating only to the domain holder (and thus not to admin and tech contacts) is sufficient in order to fulfil the purposes primarily pursued by ICANN, namely that of combating criminally relevant or otherwise punishable infringements or security problems. In other words, the Court did not see how the gathering and storing of personal data relating to admin and tech contributed to achieve the aims and interests pursued by ICANN.
The Court substantiated this decision on both the aforementioned principle of data minimization and that of purpose limitation (art. 5(1)(b) GDPR), in the part which prescribes that personal data may be processed only for “specified, explicit and legitimate purposes”.
Therefore, according to this judgement, pursuant to these principles, registrars may legitimately refuse to collect data relating to admin and tech, even when contractually bound to do so in the registry-registrar agreement.
ICANN immediate appeal against the decision and the ruling of the Oberlandesgericht Köln
After the publication of the first decision, ICANN has issued an immediate appeal[5] against it. On 18 July 2018, the Regional Court of Bonn, however, found the appeal to be inadmissible on procedural grounds,[6] and referred the matter to the Appellate Court of Cologne (the Oberlandesgericht Köln).
Following the appeal, in a first order,[7] the Appellate Court has rejected ICANN’s demands, again mostly in relation to procedural grounds. This first order has been again appealed by ICANN with a plea of remonstrance dated 17 of August.[8]
On 3 September 2018 a second (and, to date, final) order[9] has been issued by the Appellate Court, confirming the first order and, thus, the decision of the Landgericht Bonn. Along mainly procedural reasons, on the merits it is noteworthy that the Appellate Court has held that:
“the provision of the information, the collection of which the Defendant now refuses, was also not previously obligatory and the GDPR applicable as of 25 May 2018 reaffirms the principle already in force that (personal) data should be handled with as much restraint as possible. Ultimately, the decision as to whether a legal obligation of the opposing party to collect these data elements exists depends on an interpretation of the contractual agreements between the parties against the background of the applicable law (..)”[10]
In this respect, it is worth noting that ICANN practices (i.e. its policies and contractual agreements with registrars and other registries) have in fact been expressly labelled as incompatible with EU data protection law long before GDPR applicability, or even its first proposal by the EU Commission in 2012. Most notably, the predecessor of the European Data Protection Board, the Article 29 Working Party, had already maintained in its Opinion 2/2003[11] that the WHOIS architecture was not compliant with obligations stemming from Directive 95/46/EC, with particular regard to excessive data collection, which encroach upon data protection principles established by article 6 of the Directive. These same principles are substantially reiterated in article 5 GDPR, which have been litigated before the Landgericht Bonn and the Oberlandesgericht Köln.
To date, ICANN has not pursued further actions against the unfavourable decision.
Conclusions and takeaways from the judgements
It should be noted that both decisions have limited influence, having been issued by regional courts and in the context of an injunctive claim. Moreover, the parts relating to the interpretation of GDPR provisions are obiter dicta. Nonetheless, the provisional rulings signal (rectius: confirm) the fact that ICANN current practices relating to domain name registration may be deemed to be in contrast with GDPR obligations, especially as regards processing of admin and tech contacts.
From a practical perspective, in the light of these judgements, accredited registrars should review their contracts with both ICANN, national registration authorities or other registrars, to ensure that the clauses set forth therein are in line with GDPR requirements and, particularly, that the principles of data minimization and purpose limitation are respected.
In the forthcoming months, it will also be important for registrars to closely monitor both ICANN’s review process of its data protection practices (currently, the provisional Temporary Specification for gTLD Registration Data)[12] and European Data Protection Board’s opinions and recommendations in this respect.[13]
[1] On Cyberlaws, see Davide Baraglia’s recent contribution: https://www.cyberlaws.it/2018/whois-nellera-post-gdpr/.
[2] More information are availlable in ICANN’s website: https://www.icann.org/dataprotectionprivacy.
[3]https://www.icann.org/de/system/files/files/litigation-icann-v-epag-request-prelim-injunction-redacted-25may18-de.pdf. An unofficial English translation is available here.
[4]Landgericht Bonn, Court Order, 30 May 2018, 19W32/18 (10 O 171/18) https://www.icann.org/de/system/files/files/litigation-icann-v-epag-request-court-order-prelim-injunction-redacted-30may18-de.pdf. An unofficial English translation is available here.
[5] https://www.icann.org/de/system/files/files/litigation-icann-v-epag-immediate-appeal-redacted-13jun18-de.pdf. An unofficial English translation is available here.
[6]Landgericht Bonn, Court Order, 16 July 2018, (10 O 171/18) https://www.icann.org/de/system/files/files/litigation-icann-v-epag-court-order-re-prelim-injunction-redacted-16jul18-de.pdf. An unofficial English translation is available here.
[7]Oberlandesgericht Köln, Court Order, 1 August 2018, 19W32/18 (10 0 171/18) https://www.icann.org/de/system/files/files/litigation-icann-v-epag-order-higher-regional-court-re-immediate-appeal-redacted-01aug18-de.pdf. An unofficial English translation is available here.
[8]https://www.icann.org/de/system/files/files/litigation-icann-v-epag-icann-plea-remonstrance-redacted-17aug18-de.pdf. An unofficial English translation is available here.
[9]Oberlandesgericht Köln, Court Order, 3 September 2018, 19W32/18 (10 0 171/18) https://www.icann.org/de/system/files/files/litigation-icann-v-epag-order-higher-regional-court-icann-plea-remonstrance-redacted-03sep18-de.pdf. An unofficial English translation is available here.
[10] Underline added.
[11] Article 29 Working Party, Opinion 2/2003 on the application of the data protection principles to the Whois directories, adopted on the 13 June 2003, 10972/03/EN final WP 76 (available at https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2003/wp76_en.pdf).
[12] Available at https://www.icann.org/resources/pages/gtld-registration-data-specs-en.
[13] The most recent guidance on the topic may be found here.