German Appellate Court Rules on ICANN Request to Preserve WHOIS Data
LOS ANGELES – 3 August 2018 – The Internet Corporation for Assigned Names and Numbers (“ICANN”) today announced that a German appeal court (Appellate Court of Cologne) has issued a decision on the injunction proceedings ICANN initiated against EPAG, a Germany-based, ICANN-accredited registrar that is part of the Tucows Group. The Appellate Court has determined that it would not issue an injunction against EPAG.
In making its ruling, the Appellate Court stated that the interpretation of provisions of the GDPR was not material to its decision, so there was no obligation to refer the matter to the European Court of Justice.
Rather, the Appellate Court simply found that it was not necessary for it to issue a preliminary injunction to avoid imminent and substantial disadvantages, and noted that ICANN could pursue its claims in the main proceedings in order to enforce the rights it asserts.
ICANN is considering its next steps, including possible additional filings before the German courts, as part of its public interest role in coordinating a decentralized global WHOIS for the generic top-level domain system and will provide additional information in the coming days.
On 25 May 2018, ICANN filed the injunction proceedings against EPAG. ICANN asked the Regional Court in Bonn, Germany for assistance in interpreting the GDPR in an effort to protect the data collected in WHOIS. ICANN sought a court ruling to ensure the continued collection of all WHOIS data. The intent was to assure that all such data remains available to parties that demonstrate a legitimate purpose to access it, and to seek clarification that under the GDPR, ICANN may continue to require such collection.
ICANN filed the proceedings because EPAG had informed ICANN that as of 25 May 2018, it would no longer collect administrative and technical contact information when it sells new domain name registrations. EPAG believes collection of that particular data would violate the GDPR. ICANN's contract with EPAG requires that information to be collected.
EPAG is one of over 2,500 registrars and registries that help ICANN maintain the global information resource of the WHOIS system. ICANN is not seeking to have its contracted parties violate the law. Put simply, EPAG's position spotlights a disagreement with ICANN and others as to how the GDPR should be interpreted.
On 30 May 2018, the Regional Court determined that it would not issue an injunction against EPAG. In rejecting the injunctive relief, the Court ruled that it would not require EPAG to collect the administrative and technical data for new registrations. However, the Court did not indicate in its ruling that collecting such data would be a violation of the GDPR. Rather, the Court said that the collection of the domain name registrant data should suffice in order to safeguard against misuse in connection with the domain name (such as criminal activity, infringement, or security problems).
The Court reasoned that because it is possible for a registrant to provide the same data elements for the registrant as for the administrative and technical contacts, ICANN did not demonstrate that it is necessary to collect additional data elements for those contacts. The Court also noted that a registrant could consent and provide administrative and technical contact data at its discretion.
On 13 June 2018, ICANN appealed the Regional Court's ruling to the Higher Regional Court of Cologne, Germany, and again asked for an injunction that would require EPAG to reinstate the collection of all WHOIS data required under EPAG's Registrar Accreditation Agreement with ICANN.
On 21 June 2018, the Regional Court in Bonn, Germany, decided to revisit its ruling in the injunction proceedings, which it has the option to do upon receipt of an appeal.
On 18 July 2018, the Regional Court decided not to change its original determination not to issue an injunction against EPAG, and referred the matter to the Higher Regional Court in Cologne for the appeal.
In addition to the court proceedings, ICANN is continuing to pursue ongoing discussions with the European Commission and the European Data Protection Board to gain further clarification of the GDPR as it relates to the integrity of WHOIS services.
ICANN's mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.