Skip to main content

ICANN Files Legal Action in Germany to Preserve WHOIS Data

LOS ANGELES – 25 May 2018 – The Internet Corporation for Assigned Names and Numbers (ICANN) today filed injunction proceedings against EPAG, a Germany-based, ICANN-accredited registrar that is part of the Tucows Group. ICANN has taken this step to ask the court for assistance in interpreting the European Union's General Data Protection Regulation (GDPR) in order to protect the data collected in WHOIS. ICANN's "one-sided filing" in Bonn, Germany, seeks a court ruling to ensure the continued collection of all WHOIS data, so that such data remains available to parties demonstrating legitimate purpose to access it, consistent with the GDPR.

EPAG recently informed ICANN that when it sells new domain name registrations it would no longer collect administrative and technical contact information, as it believes collection of that data would violate the GDPR rules. ICANN requires that information to be collected, via its contract with EPAG which authorizes it to sell generic top-level domain name registrations. ICANN recently adopted a new Temporary Specification regarding how WHOIS data should be collected and which parts may be published, which ICANN believes is consistent with the GDPR.

"We are filing an action in Germany to protect the collection of WHOIS data and to seek further clarification that ICANN may continue to require its collection. It is ICANN's public interest role to coordinate a decentralized global WHOIS for the generic top-level domain system. ICANN contractually requires the collection of data by over 2,500 registrars and registries who help ICANN maintain that global information resource," said John Jeffrey, ICANN's General Counsel and Secretary. "We appreciate that EPAG shared their plans with us when they did, so that we could move quickly to ask the German court for clarity on this important issue. We also appreciate that EPAG has agreed that it will not permanently delete WHOIS data collected, except as consistent with ICANN policy."

If EPAG's actions stand, those with legitimate purposes, including security-related purposes, law enforcement, intellectual property rights holders, and other legitimate users of that information may no longer be able to access full WHOIS records.

ICANN does not seek to require its contracted parties to violate the law. EPAG's position has identified a disagreement with ICANN and others as to how the GDPR should be interpreted. This lawsuit seeks to clarify that difference in interpretation. In its 17 May 2018 adoption of the Temporary Specification for gTLD Registration Data, the ICANN Board noted that the global public interest is served by the implementation of a unified policy governing aspects of gTLD registration data when the GDPR goes into effect.

"The ICANN org is committed to enforcing our contracts to the fullest extent the law allows and preserving the integrity of the WHOIS system," said ICANN President and CEO Göran Marby.

The Temporary Specification, effective today, still requires gTLD registry operators and registrars to collect all registration data. If you submit a WHOIS query for a registration subject to the GDPR, you will only receive "thin" data in return, which includes technical data sufficient to identify the sponsoring registrar, status of the registration, and creation and expiration dates for each registration, but not personal data. Additionally, you will have access to an anonymized email address or a web form to facilitate email communication with the relevant contact for that registration. If you are a third party with legitimate interests in gaining access to the non-public data held by the gTLD registry operator or registrar, there are still ways for you to access that data. You can look up the sponsoring registrar and contact them, and they are obligated to respond to you in a reasonable time.

If you do not get a response, ICANN's complaint mechanisms will be available for you to use. If you find individual parties who you believe are not complying with their obligations under this Temporary Specification or their agreements with ICANN, you may contact ICANN's Contractual Compliance Department to file a complaint.

ICANN appreciates the ongoing discussions with the European Commission, and WP29, together with all of the ICANN stakeholders. However, ICANN has seen steps taken by some of our contracted parties that violate their contractual agreements with ICANN. Thus, ICANN must file this action now to both prevent permanent harm to the public interest and seek clarification of the laws, as they relate to the integrity of the WHOIS services.

About ICANN

ICANN's mission is to help ensure a stable, secure and unified global Internet. To reach another person on the Internet, you need to type an address – a name or a number – into your computer or other device. That address must be unique so computers know where to find each other. ICANN helps coordinate and support these unique identifiers across the world. ICANN was formed in 1998 as a not-for-profit public-benefit corporation with a community of participants from all over the world.


More Announcements
Domain Name System
Internationalized Domain Name ,IDN,"IDNs are domain names that include characters used in the local representation of languages that are not written with the twenty-six letters of the basic Latin alphabet ""a-z"". An IDN can contain Latin letters with diacritical marks, as required by many European languages, or may consist of characters from non-Latin scripts such as Arabic or Chinese. Many languages also use other types of digits than the European ""0-9"". The basic Latin alphabet together with the European-Arabic digits are, for the purpose of domain names, termed ""ASCII characters"" (ASCII = American Standard Code for Information Interchange). These are also included in the broader range of ""Unicode characters"" that provides the basis for IDNs. The ""hostname rule"" requires that all domain names of the type under consideration here are stored in the DNS using only the ASCII characters listed above, with the one further addition of the hyphen ""-"". The Unicode form of an IDN therefore requires special encoding before it is entered into the DNS. The following terminology is used when distinguishing between these forms: A domain name consists of a series of ""labels"" (separated by ""dots""). The ASCII form of an IDN label is termed an ""A-label"". All operations defined in the DNS protocol use A-labels exclusively. The Unicode form, which a user expects to be displayed, is termed a ""U-label"". The difference may be illustrated with the Hindi word for ""test"" — परीका — appearing here as a U-label would (in the Devanagari script). A special form of ""ASCII compatible encoding"" (abbreviated ACE) is applied to this to produce the corresponding A-label: xn--11b5bs1di. A domain name that only includes ASCII letters, digits, and hyphens is termed an ""LDH label"". Although the definitions of A-labels and LDH-labels overlap, a name consisting exclusively of LDH labels, such as""icann.org"" is not an IDN."