ICANN announced Friday that it is pursuing legal action in Germany against Epag. Epag is owned by Tucows, who are one of the largest registrars in the world.
So what is going on?
Why is ICANN taking legal action against a registrar?
According to the announcement from ICANN the action is “to preserve whois data”.
However it’s not that simple.
ICANN has been struggling to deal with its contracts and policies with respect to the collection and processing of personal information for a very long time. This is not a new issue, but with GDPR the approach from ICANN towards whois has evolved quite dramatically. You can read the background to this situation over on the ICANN site here.
GDPR came into effect on May 25th, but ICANN only released its “Temporary Specification for gTLD Registration Data” on May 17th. What that means is that most registrars and registrars had already started making changes to their systems and processes well in advance of the May 25th deadline. While some registrars and registries might have chosen to implement policies and processes that were fairly close to what ICANN is now demanding it’s highly unlikely that anyone was 100% aligned with ICANN’s views, as they weren’t announced until May 17th. Some might say that much of ICANN’s views were known in advance, however if you read the various documents put out by ICANN you can see there is divergence.
Is the temporary specification “GDPR compliant”?
At this juncture it’s not clear if it is or not.
So what is ICANN doing?
I guess that depends on how you want to view this. According to ICANN’s general counsel:
We are filing an action in Germany to protect the collection of WHOIS data and to seek further clarification that ICANN may continue to require its collection. It is ICANN’s public interest role to coordinate a decentralized global WHOIS for the generic top-level domain system. ICANN contractually requires the collection of data by over 2,500 registrars and registries who help ICANN maintain that global information resource,” said John Jeffrey, ICANN’s General Counsel and Secretary. “We appreciate that EPAG shared their plans with us when they did, so that we could move quickly to ask the German court for clarity on this important issue. We also appreciate that EPAG has agreed that it will not permanently delete WHOIS data collected, except as consistent with ICANN policy.
In one way it’s enforcing its contracts against a registrar, but instead of doing it via the regular compliance route they’ve opted instead to go to court. That in itself is a little “different”.
GDPR is the law. It’s not something that can be ignored, so there has been divergence of opinion in how domain registration data should be collected and processed.
While some feel that it is “key” to collect and process a range of contact points for each domain name registration others have argued that it isn’t necessary and that in the majority of cases the registrant contact is sufficient. And under GDPR there is a strong argument for minimising the amount of data being collected and processed.
If ICANN are able to get a ruling, no matter which way it that ruling goes, it is hoped that it would remove some of the ambiguity surrounding domain registration data and GDPR.
If you’re interested in following the case ICANN has released its filings, most of which are in German, though there is a translated version of the main filing:
Tucows / Epag haven’t made any public comments on the case as yet, though with the announcement coming late Friday when offices in Germany would already have been closed for the weekend that isn’t surprising. It’s also a long weekend in some countries, including the US.
It’s unclear how quickly a German court will take to deal with a case of this nature.