29 May 2018

ICANN asks German court for GDPR clarity over Whois

On the same day as the EU’s General Data Protection Regulation (GDPR) came into force, ICANN filed injunction proceedings against a domain name registrar in an effort to clarify how the new regulation should be interpreted.

ICANN announced the legal action against EPAG, part of the Tucows Group and a provider of internet services, on Friday, May 25.

The organisation said it filed injunction proceedings in Bonn, Germany, where EPAG is based, to ensure that data collected for the Whois system is protected in accordance with the GDPR. The regulation came into force on May 25 and is designed to harmonise data privacy laws across Europe.

Under the Whois system, domain name registries and registrars must provide public access to information on registrants, including their names and addresses.

According to ICANN’s release, EPAG recently said that it would no longer be collecting administrative and technical contact information when it sells new domain name registrations because to do so would violate the GDPR.

Under the terms of the contract between ICANN and EPAG, the registrar is entitled to sell registrations within generic top-level domains (gTLDs) but must collect administrative and technical contact information.

ICANN recently adopted a new temporary specification regarding how such data is collected and which parts may be published, in order to comply with the GDPR. The specification, which was approved by ICANN on May 17, still requires registry operators and registrars to collect all registration data.

John Jeffrey, general counsel and secretary at ICANN, said: “We are filing an action in Germany to protect the collection of Whois data and to seek further clarification that ICANN may continue to require its collection.”

He added: “It is ICANN’s public interest role to coordinate a decentralised global Whois for the gTLD system. ICANN contractually requires the collection of data by over 2,500 registrars and registries who help ICANN maintain that global information resource.”

ICANN has asked the court for “clarity on this important issue”, Jeffrey said.

If EPAG’s actions are approved by the court, legitimate users of information such as law enforcement and IP owners may no longer be able to access Whois records, ICANN claimed.

In response to the lawsuit, Tucows said it has built a new registration system which “aligns with the GDPR’s principles”.

“The domain name registration process, as outlined in ICANN’s 2013 Registrar Accreditation Agreement, not only required us to collect and share information we didn’t need, it also required us to collect and share people’s information where we may not have a legal basis to do so,” according to Tucows.

It added that the company will “continue to ensure that those with legitimate purposes, including law enforcement, intellectual property, and commercial litigation interests will have access to domain registrant information”.

ICANN initially proposed interim changes to the Whois system in February, but in April Europe’s data protection authorities concluded that the proposed solution did not go far enough.

This story was first published on TBO.
