ICANN Requests Latest Decision of German Courts to Stop it Collecting Private Information

August 30, 2018


ICANN has appealed the most recent decision made against it in the Appellate Court of Cologne. The organization has contended that the German legal body has made an error in ruling that they had not “adequately explained”, nor given a “sound reason” for requesting a ruling against German domain registrar, EPAG.

This is the third successive time that ICANN has been failed in a legal attempt to compel EPAG to collect additional private information on anybody that records a domain name. EPAG asserts that this requirement is in contravention to GDPR secrecy legislation and, therefore, believes that it would be breaking the European Union law by finishing this action.

ICANN refutes this, claiming that the law insists is unclear and so EPAG has to keep asking for and saving the information if it desires to carry on to act as a seller for internet addresses.

ICANN’s legal campaign is an effort to take ownership of its authority over agreements that manage the sale and registration of internet addresses. Nevertheless, its method, attitude and the increasing string of failures are not achieving this purpose. ICANN didn’t use the allotted time to modify its agreements in preparation for GDPR. Because of this, the organization asked EU data watchdogs for an additional one-year exception from the law in spite of there being no precedence for the granting of such a request.

In a further attempt to attain compliance with the new GDPR requirement, ICANN has requested time to develop a suggestion for a possible unified access model to the Whois system. The group is presently looking for feedback on the suggested changes to let them carry on running the Whois system, domain name registries and registrars should provide public access to information on registrants, including their names and addresses.

The suggestion is seeking to determine “whether it’s possible to develop an automated and unified method across all GTLD registrars and registry operators in a way consistent with the GDPR, including the responsibilities placed on data controllers”. ICANN circulated the news through its website on Monday, August 20.

The new suggestion is not planned to substitute ICANN’s temporary specification for GTLD registration data which was ratified on May 25, the same day GDPR was launched. The provisional specification meant that non-public Whois data access is possible for those with genuine reasons. Nevertheless, ICANN has disclosed that registry operators have “differing methods for meeting that requirement”.

This was put in place in May around the same time that ICANN got in touch with the EDPB (European Data Protection Board) to seek explanation on its obligations under GDPR. The EDPB responded by asking ICANN to implement extra measures to become compliant with the new law.

The Centre for IT & IP Law at the University of Leuven (KU Leuven) released a paper on the case which decided that the ICANN case against the EPAG is more ‘than a mere secrecy compliance issue’. It relates to the way we see the internet, its governance and its architectural safety’.