A German court has made short work of ICANN’s bid to force domain registrar EPAG to gather names, email addresses and other data on registrants, saying it is unfounded.
In an opinion issued on Wednesday — less than a week after the filing of ICANN’s motion — The Regional Court of Bonn said that collecting such data would violate the General Data Protection Regulation (GDPR).
While conceding that EPAG’s contract with ICANN requires that it gather such information, the court adds that the agreement that EPAG, “for its part, as registrar, must comply with applicable laws and regulations. "
Under GDPR, personal data may only be collected for “specified, explicit and legitimate purposes,” and must be “limited to what is necessary,” the court observes.
It adds that, based on the filings in the case, data beyond the domain holder’s name was “not previously necessary” to achieve ICANN’s purposes, and that registrants were not denied if they failed to provide it.
The court continues that it is “unable to follow” the tying of “the so-called “WHOIS” system to international agreements on trademark registers” as a claim for relief.
ICANN had filed a motion asking for a preliminary injunction requiring that EPAG, a Tucows-owned registrar based in Bonn, stop registering second-level domain names without collecting the name, postal address, email address, voice telephone number, and other data for the domain names.
ICANN is a nonprofit corporation that facilitates the operation of generic top- and second-level domains.