ICANN Appeals Latest Decision of German Courts to Stop it Gathering Personal Information

ICANN has appealed the most recent decision made against it in the Appellate Court of Cologne. The organisation has argued that the German legal body has made a mistake in decreeing that they had not “sufficiently explained” nor given a “credible reason” for requesting an injunction against German domain registrar, EPAG.

This is the third consecutive time that ICANN has been unsuccessful in a judicial attempt to force EPAG to gather additional personal information on anyone that registers a domain name. EPAG claims that this requirement is in contravention to GDPR privacy legislation and, hence, believes that it would be breaking the European Union law by completing this action.

ICANN refutes this, claiming that the legislation insists is vague and so EPAG has to keep asking for and saving the information if it wishes to continue to acting as a vendor for internet addresses.

ICANN’s legal campaign is an attempt to take ownership of its authority over contracts that govern the sale and registration of internet addresses. However, its approach, attitude and increasing string of failures is not achieving this objective. ICANN did not utilize the allocated time to amend its contracts in preparation for GDPR. Due to this the organization asked EU data regulators for and additional one-year exemption from the law despite there being no precedence for the granting of such a request.

In a further bid to achieve compliance with the new GDPR requirement, ICANN has requested time to develop a proposal for a potential unified access model to the Whois system. The group is currently seeking feedback on the proposed amendments to allow them to continue running the Whois system, domain name registries and registrars must provide public access to information on registrants, including their names and addresses.

The proposal is seeking to ascertain “whether it is possible to develop an automated and unified approach across all gTLD registrars and registry operators in a manner consistent with the GDPR, including the obligations placed on data controllers”. ICANN released the news via its website on Monday, August 20. Click here to read more.

The new proposal is not intended to replace ICANN’s temporary specification for gTLD registration data which was approved on May 25, the same day GDPR was introduced. The temporary specification meant that non-public Whois data access is possible for those with legitimate reasons. However, ICANN have revealed that registry operators have “differing approaches to meeting that requirement”.

This was put in place in May around the same time that ICANN made contact with the EDPB (Europeant Data Protection Board) to seek clarification on its obligations under GDPR. The EDPB replied by asking ICANN to implement additional measures to become compliant with the new legislation.

The Centre for IT & IP Law at the University of Leuven (KU Leuven) released a paper on the case which concluded that the ICANN case against the EPAG is more ‘than a mere privacy compliance issue’. It pertains to the way we see the internet, its governance and its architectural security’. You can read the entire paper here.