First GDPR Verdict Issued in German Courts

July 15, 2018


Last Monday (July 9) a German law court, in the first decision relating the General Data Protection Regulation (GDPR), decreed that data gathering that surpasses what is needed to attain lawful business purposes violates one of the basic codes of the GDPR.

As per Article 5 of the GDPR, private data gathering shall be “for identified, precise and lawful purposes and not further handled in a way that’s mismatched with those aims,” and “sufficient, pertinent and limited to what’s needed in relation to the intentions for which they are handled.

The case was being heard for ICANN, an American non-profit firm that supervises the international WHOIS databank of recorded domains, and EPAG, a German domain recorder. EPAG had a contractual affiliation with ICANN to collect private data from people who bought domain names. Moreover, ICANN desired for EPAG to provide the name and communication details of a technical and administrative contact for the recording body. EPAG would not gather this information, asserting that doing so would breach Article 5 of GDPR since there was no business requirement, and for that reason, no legal basis, to gather and handle private data of administrative and technical associates.

The ICANN WHOIS has developed to be a crucial utility for trademark and copyright owners when enforcing their rights on the Internet. It is a large number of cases. It is the main source of information in the search for the owners of a website that is selling counterfeit and copyright-infringing products. The WHOIS database allows rights holders to discover the identities of the persons behind these sites who are profiting from them.

ICANN began a legal action suit in Germany seeking an injunction to compel EPAG to gather the technical and administrative contact information. ICANN claimed that contact information was required to address problems that could arise in connection with the domain name registration. Dismissing ICANN’s request, the Regional Court of Bonn held that gathering data on technical and administrative contacts would breach the data minimization rule. In support of the ruling, the court noted that registrants had not previously been required to supply technical and administrative contact details, and ICANN did not provide adequate proof that such data collection was required.

ICANN has made an appeal to the Bonn court’s decision to the Higher Regional Court of Cologne, Germany. However, this appeal is being challenged by the European Data Protection Board (EDBP) as it warned ICANN about the need to update the WHOIS service to take user privacy into account 15 years ago. A statement read “The EDPB’s predecessor, WP29, has been offering guidance to ICANN on how to bring Who is in compliance with European data protection law since 2003”.

The challenges to privacy practices of Google and Facebook submitted when the GDPR became enforceable in May are still being processed, but this case shows that both for-profit and not-for-profit groups must take care to review GDPR obligations.

This first GDPR legal ruling is a reminder that businesses should assess and record why the personal data they collect and the process is necessary for a specific, legitimate purpose, and ensure that the information is restricted to what is required to achieve that goal.