ICANN Sues Registrar to Test Its Temporary Whois Policy
An ICANN injunctive action against a German domain name registrar seeks to "preserve Whois," the internet body said. The case, filed in Bonn Friday against EPAG Domainservices GmbH, asks the court for "assistance in interpreting" the EU general data protection regulation (GDPR). EPAG said it will no longer collect registrants' administrative and technical contact information when it sells new domain names because that would violate the GDPR. ICANN, with a "temporary specification" for registries and registrars to follow to comply, said EPAG's "position has identified a disagreement with ICANN and others as to how the GDPR should be interpreted." While clarification might be helpful, the GDPR trumps ICANN's specification, ICANN players told us Tuesday.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
If EPAG's actions stand, "those with legitimate purposes, including security-related purposes, law enforcement, intellectual property rights holders, and other legitimate users of that information may no longer be able to access full WHOIS records," ICANN General Counsel John Jeffrey said in a news release. Under the temporary system, registrars and registries must still collect all registration data but can provide only "thin" data in response to a Whois inquiry. That includes technical information sufficient to identify the sponsoring registrar, status of the registration and creation and expiration data for each domain name registration, not personal data, ICANN said. Inquiries will allow access to an anonymized email address or web form to enable email communication with the relevant registration contact, it said. It noted "ongoing discussions" with the European Commission and Article 29 Data Protection Working Party yet has "seen steps taken by some of our contracted parties that violate their contractual agreements" and must now sue to "prevent permanent harm to the public interest and seek clarification of the laws" on integrity of Whois services.
Tucows, which owns EPAG, said it takes "extremely seriously" the principles enshrined in the GDPR. To have a domain registration system that reflects the GDPR's call for data protection by design and default, Tucows developed procedures and policies around the new rules, it said Tuesday. The company realized that ICANN's 2013 registrar accreditation agreement not only requires it to collect and share information it doesn't need, it also mandates the registrar gather and share people's information where it may not have a legal basis to do so, Tucows said. The contract requires registrars to process personal information belonging to people with whom it may not have a direct relationship, such as administrator and tech contacts, the company said.
ICANN's goal for the GDPR "has been to preserve as much of the status quo as possible," Tucows said. This led the internet body to try to achieve compliance via "process reduction" as opposed to Tucows' approach of starting with the regulation itself and rebuilding from the ground up, it said. The two positions led to the need to determine whether ICANN's insistence on the collection of the full thick Whois data, and its transfer to generic top-level domain registries, complies with the GDPR, it said.
ICANN "has always maintained that its contracts and policies cannot override local law," but with the GDPR's perceived impact on public Whois, "how ICANN handles this is going to be particularly interesting," emailed Michele Neylon, managing director of Irish domain registrar and hosting company Blacknight Internet Solutions. There may be some logic to the lawsuit if the idea if to help get "clarity," he said. But ICANN can't override the GDPR, he said: "The law is the law and if the law says that ePag cannot do something, then it doesn't matter what ICANN wants or says."
"ICANN needs to force the issue of the legality of its temporary spec, so that registrars who follow it and collect the data will not be legally exposed," emailed Georgia Institute of Technology School of Public Policy professor Milton Mueller, of the Internet Governance Project. EPAG says collecting the information doesn't comply with the GDPR, and if not challenged, other registrars will likely follow because it would minimize their risk under the regulation, he said: The suit "is another example of how ICANN's staff and board are in effect unilaterally making policy about the nature and purpose of Whois, a policy that serves the interests of some of its stakeholders but not others." Nevertheless, "some benefit" will come of clarification, Mueller said. "ICANN will never get the [data protection authorities] to 'bless' its temporary spec until and unless the issue is posed in this way (through a lawsuit)."
ICANN's legal argument "asserts a far more sweeping purpose for Whois data, which is part of an attempt to make ICANN the facilitator of intellectual property enforcement on the Internet," Mueller blogged. The document (available in English here) says access to registrants' technical and administrative contact information is needed for the stable and secure operation of the domain name system "as well as a way to identify those customers that may be causing technical problems and legal issues with the domain names and/or their content." The phrase "and/or their content" is an "eye-opener," Mueller said, because ICANN has claimed for years it's not in the business of content regulation and its bylaws specifically forbid such activities: "What's shocking about this is that ICANN's legal staff is basically inventing a purpose for Whois" that conflicts with its core missions and about which most stakeholders disagree.