ICANN has appealed the German court ruling that EPAG Domain Services gmbH, a domain registrar, cannot collect names, email addresses and other data on registrants because it violates the EU’s General Data Protection Regulation (GDPR).
In a filing with the Regional Court of Bonn, Germany, ICANN contends that EPAG is required by contract to collect the information, and vows to take the case to the European Court of Justice if necessary.
Such data is needed for “the legitimate purposes” of consumer protection, investigation of cybercrime, DNS abuse, intellectual property protection and law enforcement, ICANN argues in the appeal. The GDPR allows collection for legitimate purposes, it adds.
The case began in May when ICANN -- a nonprofit facilitator of domain name operations -- filed a motion demanding that EPAG collect the name, mail address, email address, voice telephone number and other data on domain name registrants.
The Bonn court rejected the request, agreeing with EPAG that collecting such data without consent would violate the GDPR.
In its appeal, ICANN counters that consent is not needed here, given the need to communicate with registrars.
It contends that this data is needed so that “law enforcement authorities, for example cybercrime units in case of a virus attack or public prosecutors in case of child abuse content, or trademark owners in case of deception of consumers about the origin of products, actually know what person is taking care of administrative and technical issues regarding the domain name.”
Observers are watching the case closely because of the potential impact on Whois, the database of all registered domains.
The Registrar reports that some of ICANN’s efforts were “met with derision,” but adds that ICANN plans to spend millions of dollars on the case and will take it up to the European Court of Justice.
ICANN also argues that EPAG is free to choose a method to collect the data that fully complies with GDPR.
It also cited a GDPR provision stating that "elements such as customs, codes of conduct, codes of ethics, contractual arrangements, and the general context and facts of the case, may also be considered when determining whether a particular purpose is legitimate."
The Bonn court had ruled that EPAG, “for its part, as registrar, must comply with applicable laws and regulations.”