Last Monday (July 9) a German court, in the first decision applying the General Data Protection Regulation (GDPR), ruled that data collection that exceeds what is necessary to achieve legitimate business purposes breaches one of the basic principles of the GDPR.
According to Article 5 of the GDPR, personal data shall be collected "for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes" (purpose limitation, Article 5(1)(b)), and shall be "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed" (data minimisation, Article 5(1)(c)).
The case involved ICANN, the American non-profit corporation that coordinates the domain name system and sets the WHOIS data requirements that accredited registrars must follow, and EPAG, a German domain registrar. Under its accreditation agreement with ICANN, EPAG collects personal data from people who register domain names. ICANN also required EPAG to collect the name and contact details of a separate technical contact and administrative contact for each registration. EPAG refused to collect this information, arguing that doing so would violate Article 5 of the GDPR: there was no business requirement, and therefore no legal basis, for collecting and processing the personal data of technical and administrative contacts.
The WHOIS service has grown into a vital tool for trademark and copyright owners enforcing their rights on the Internet. In a large number of cases it is the main source of information when searching for the operators of a website selling counterfeit or copyright-infringing products, because it allows rights holders to discover the identities of the persons behind those sites who are profiting from them.
ICANN brought legal action in Germany seeking an injunction to compel EPAG to collect the technical and administrative contact information, claiming that this contact data was required to address problems that could arise in connection with a domain name registration. The Regional Court of Bonn dismissed ICANN's request, holding that collecting data on technical and administrative contacts would breach the data minimisation principle. In support of its ruling, the court noted that registrants had not previously been required to supply separate technical and administrative contact details, and that ICANN had not provided adequate proof that collecting such data was necessary.
ICANN has appealed the Bonn court's decision to the Higher Regional Court of Cologne. However, the European Data Protection Board (EDPB) has pushed back, pointing out that it and its predecessor had been warning ICANN for 15 years that the WHOIS service needed to be updated to take user privacy into account. Its statement read: "The EDPB's predecessor, WP29, has been offering guidance to ICANN on how to bring Whois in compliance with European data protection law since 2003".
The complaints against the privacy practices of Google and Facebook filed when the GDPR became enforceable in May are still being processed, but this case shows that for-profit and not-for-profit organisations alike must review their GDPR obligations carefully.
This first GDPR court ruling is a reminder that organisations should assess and document why each item of personal data they collect and process is necessary for a specific, legitimate purpose, and ensure that the data collected is limited to what is needed to achieve that purpose.