On May 25, 2018, Europe’s General Data Protection Regulation (“GDPR”) went into effect to provide a set of standardized data protection laws across all of the European member countries. That same day, the Internet Corporation for Assigned Names and Numbers (ICANN) filed an injunction against EPAG Domaineservices GmbH (“EPAG”), a Tucows-owned registrar based in Bonn, Germany. The purpose of the lawsuit was to request that the court issue a GDPR interpretative ruling on what data should continue to be collected and disclosed by WHOIS. On May 30, 2018, the court refused to issue an injunction against EPAG. ICANN has appealed this GDPR interpretation decision to the Higher Regional Court of Cologne, Germany.
Why is it so important for ICANN to get a court to interpret the GDPR?
GDPR Interpretation and its Effect on Intellectual Property
WHOIS is a database that can be searched to determine the owner of a domain name, IP address, or an autonomous system number. ICANN contracts with registry operators to maintain the details concerning domain names, networks and hosts. ICANN believes that it is important to make this information public so that intellectual property owners can find out who to confront when they uncover a violation of their respective Internet-based intellectual property rights. When the GDPR was announced, registrars interpreted the regulation to mean that in order to be compliant with the GDPR, they could no longer collect and disclose any unnecessary personally identifiable information related to registrants and technical contacts. ICANN is concerned that if the registrars do not collect personal information, intellectual property owners will be hampered in their respective efforts to identify online infringers. Depending on what the Court’s GDPR interpretation is, this ruling will have an impact on how intellectual property owners police their online-based property rights in the future.
ICANN’s Plan for WHOIS Under the GDPR
The GDPR was adopted on April 14, 2016, for implementation on May 25, 2018. This gave ICANN two years to develop a compliance plan for WHOIS. ICANN attempted to get a moratorium on enforcement with respect to the WHOIS database so that they could implement an agreed-upon accreditation model. However, this was rejected by the Article 29 Working Party and ICANN was unable to implement a satisfactory compliance model by May 25, 2018. Since then, ICANN has approved a temporary specification (“Temp Spec”) for gTLD registration data to clarify how registrars should collect and publish data. Specifically, the Temp Spec requires registrars to redact personally identifiable information unless the contact has consented to her/his/its data being published on the web. EPAG feels that ICANN’s Temp Spec conflicts with the GDPR and has refused to collect the data required by the Temp Spec, which has led to the subject litigation. ICANN hopes that obtaining a GDPR interpretation from the Court will provide a single path for the parties to proceed on a going-forward basis.
The Future of WHOIS
The outcome of the Higher Regional Court appeal and other GDPR-related cases should provide practitioners and businesses with concrete guidance as to how they should collect and maintain personal data. Given that even large organizations, such as ICANN, are having difficulty interpreting the GDPR, businesses that control, process or collect personal data from individuals in the EU should consult with experienced counsel to ensure that all of their data collection, use and sharing policies and procedures are compliant with the new regulation.