ICANN and the WHOIS Database
US-based non-profit ICANN, short for the “Internet Corporation for Assigned Names and Numbers,” is an organization that oversees the domain name registration process and the assignment of Internet Protocol (IP) addresses. As part of its mission to bring order to the chaos of the Internet, ICANN manages a global “WHOIS” database of registered domain names. Serving the role of pseudo-Internet phone book, ICANN collects various data points about every website domain name, including most importantly the name(s) and contact information of domain owners.
Part of ICANN’s non-profit business model requires that it enter into contractual relationships with domain registrars from across the world to keep an updated list of domain name owners. Without these third-party domain registrars, it would be administratively impractical for ICANN to keep track of domain owners for the boundless websites that make up the global Internet. In an effort to coordinate a global and decentralized domain database, ICANN contractually requires the collection of contact information by over 2,500 registrars.
ICANN Seeks an Injunction Against EPAG
One such domain registrar is EPAG, a German-based domain registrar that has historically passed along domain name related information to ICANN. With the passing of the GDPR compliance deadline on May 25, 2018, EPAG communicated to ICANN that it no longer intended to collect personal information when registering a domain name, citing the GDPR as its justification. To its credit, ICANN had already anticipated some potential pushback from its domain registrar partners in Europe. Foreseeing these conflicts, ICANN preemptively modified how website visitors could access the WHOIS database, limiting access only to those who could demonstrate a legitimate purpose (such as in cases of criminal activity, intellectual property infringement or Internet Security problems). Assessing and identifying a legitimate purpose, also known as a Legitimate Interest Analysis, is a requirement identified in the GDPR.
ICANN’s self-imposed modifications failed to convince EPAG that the continued collection of personal information during domain registration complied with GDPR. Reaching an impasse, ICANN filed an injunction in a German regional court (the Landgericht Bonn), seeking to persuade the Court that EPAG was required to continue collecting administrative and technical contact information. In doing so, ICANN highlighted to the German Court that EPAG was contractually obligational to pass along this information to ICANN, and that EPAG could not simply point to the GDPR to escape its contractual obligations.
EPAG Successfully Escapes its Contractual Obligations
The Court rejected ICANN’s argument. Crucially, the Court fell short of declaring that the collection of such data was an out-right violation of the GDPR. Instead, the Court found that ICANN had failed to demonstrate that it could only collect these data points by relying upon its contract with EPAG. In this vein, the Court noted that there existed other possible workarounds, including ICANN seeking out a registrants contact information on its own with the registrant’s consent.
Ramifications of the ICANN – EPAG Dispute
The German’s Court’s decision to reject ICANN’s request for injunctive relief will have several immediate impacts moving forward. First, the Court’s refusal to grant ICANN’s injunction will immediately put in jeopardy the completeness and accuracy of the WHOIS database. This will be of particular consequence to the intellectual property community, which has come to rely upon the database to identify infringers for trademark and copyright enforcement purposes.