The head of the European Data Protection Board (EDPB) has come out against ICANN’s attempt to force a domain registrar to submit personal data on admin and technical personnel, saying that it conflicts with the GDPR.
In a letter dated Thursday, EDPB chair Andrea Jelinek writes that registrants should not be “required to provide personal data on individual employees (or third parties).”
The Regional Court of Bonn, Germany had rejected a motion by ICANN demanding that the registrar EPAG collect the name, mail address, email address, voice telephone number and other data on domain name registrants.
ICANN, a nonprofit facilitator of domain name operations, filed an appeal, but “that appeal now looks dead in the water,” the UK’s Register writes.
The personal data is needed for “the legitimate purposes” of consumer protection and investigation of cybercrime, ICANN had argued.
Observers are watching the case closely because of the potential impact on WHOIS, the database of all registered domains.
The defeat contributes to “a series of embarrassing failures on ICANN's part to regain control of its authority over the WHOIS service,” the Register adds.
In its “guidance” the DEP objects to ICANN’s retention of data.
“So far ICANN is yet to demonstrate why each of the personal data elements processed in the context of WHOIS must in fact be retained for a period of 2 years beyond the life of the domain name registration,” Jelinek writes.
In addition, Jelinek reiterates that ICANN should take care not to conflate its own purposes” with those of third parties.
ICANN had asked for an advisory on several issues. Jelinek concluded by saying, the EDPB is confident that “the guidance contained in this letter…will enable ICANN to develop a GDPR-compliant model for access to personal data accessed in the context of WHOIS.”