ICANN incurs the wrath of EU data regulators under GDPR rules

10 Jul 2018


A German court has found that US firm ICANN is collecting more personal data than is required for legitimate business purposes.

GDPR has been in force for more than a month now, and many companies and organisations are still working their way up to full compliance. One such company is the US non-profit firm ICANN, which manages the global Whois database of registered domain names.

ICANN went up against German domain registrar EPAG, which had a contractual relationship with ICANN to collect personal data from individuals or organisations who bought domain names in Germany.


Put very simply, ICANN wanted EPAG to hand over the name and contact information of a technical and administrative contact for all entities that wished to register, according to The National Law Review.

This request was refused by EPAG, as it argued that carrying it out would violate Article 5 of GDPR. This states that personal data collection must be “for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes”, as well as “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.

ICANN subsequently filed a lawsuit in Germany hoping EPAG would then be forced to collect the data. ICANN posited that the contact details were required to manage potential problems that could arise relating to the registration of a domain name.

The regional court of Bonn in Germany found against ICANN, saying that the collection of the data it wanted would violate the data minimisation rule in GDPR. The court also noted that people or entities who wanted to register a domain name had not previously been required to hand over contact details for technical and admin representatives.

Appeal in doubt

ICANN lodged an appeal to the higher regional court of Cologne on 14 June. The appeal may not materialise, though, if the European Data Protection Board (EDPB) has its way.

The Register obtained a letter from the EDPB, wherein the body told the US-based company that its GDPR plans were “fundamentally flawed”.

In relation to the provision of contact details of admin and tech employees, the EDPB said that ICANN is not allowed to strong-arm people into providing additional details. It said ICANN’s argument that different rules apply when a domain name is registered by an individual in comparison to a legal entity does not stand up.

It added that the firm must “explicitly justify” why it is necessary to retain personal data beyond the two-year limit outlined under GDPR. The body also quashed ICANN’s claim that it is not a data controller, which means it is liable for millions of dollars in fines.

ICANN was warned by EU regulators about the need to update the Whois service to take user privacy into account 15 years ago, according to the letter. “The EDPB’s predecessor, WP29, has been offering guidance to ICANN on how to bring Whois in compliance with European data protection law since 2003.”

Meanwhile, challenges against Google and Facebook filed prior to the GDPR deadline on 25 May are still making their way through the system.

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects