The collision between ICANN’s Whois regime and the European General Data Protection Regulation (GDPR) took a decisive turn May 25, 2018, when ICANN filed injunction proceedings against EPAG, a German registrar affiliated with Tucows. EPAG had notified ICANN that as of May 25 it would no longer collect administrative and technical contact information when it sells new domains. EPAG believes that collection of such data would violate the GDPR rules. “We are filing an action in Germany to protect the collection of WHOIS data and to seek further clarification that ICANN may continue to require its collection,” said John Jeffrey, ICANN’s General Counsel and Secretary.
The final determination of this case, of course, is now in the hands of a German court. As ICANN’s news release states, EPAG disagrees with ICANN regarding what it must do to comply with the GDPR, and the lawsuit seeks to clarify that difference in interpretation. In that respect, the injunction request is a positive development because a court decision is likely to reduce uncertainty on all sides of the controversy. In this article, we review ICANN’s filing and the arguments it makes.
The first point to note is that the disagreement centers on the status of the Technical and Administrative Contact information in the Whois record. The Technical and Administrative Contacts are not the same as the domain name Registrant. Typically, they are appointed by the Registrant to handle different aspects of maintaining the domain. It is important to bear in mind, however, that in many Whois records, particularly of individuals and smaller organizations, the Registrant, Technical Contact (Tech-C) and Administrative Contact (Admin-C) are all the same. The second point is that even ICANN agrees that these data elements no longer need to be publicly displayed indiscriminately. The issue is whether the registrar needs to collect that information, so that it can be revealed to accredited parties seeking additional information. Whether registrars need to collect that information or not in turn hinges on the question of the purpose of Whois, an issue that ICANN has long avoided reaching consensus on, and has never handled fairly or correctly. A narrow definition of ICANN’s mission, which involves coordinating and maintaining the stability of the domain name system, makes it clear that the Tech-C and Admin-C information are not really necessary to that purpose.
The filing by ICANN’s Jones Day lawyers, which can be found here, asserts a far more sweeping purpose for Whois data, which is part of an attempt to make ICANN the facilitator of intellectual property enforcement on the Internet. “The technical contact and the administrative contact have important functions,” the brief asserts. “Access to this data is required for the stable and secure operation of the domain name system, as well as a way to identify those customers that may be causing technical problems and legal issues with the domain names and/or their content.” That last phrase (“and/or their content”) is an eye-opener. For years, ICANN has been claiming that it is not in the business of content regulation, and its new bylaws contain a specific provision forbidding it from regulating content. Yet here in the legal brief from ICANN is an explicit admission that “legal issues with the domain names and/or their content” is part of the purpose of ICANN’s data collection.
It gets worse. In Part V of the filing ICANN’s lawyers compare the Whois system to a trademark register. They assert the long-discredited notion that “trademarks and domain names … distinguish offers for goods and services in a market.” This ignores millions of noncommercial domains and overlooks the fact that generic terms, which cannot be trademarked as such, can be registered as domain names. The brief goes on to claim that “The trademark register referring to basically the same data has basically the same functions as WHOIS:” which it enumerates as i) law enforcement, ii) availability of a trademark; iii) enforcement of trademark rights.
What’s shocking about this is that ICANN’s legal staff is basically inventing a purpose for Whois, one that conflicts with its mission, one that most of its stakeholders disagree with, and one that has no basis in a legitimate policy development process. Not only does it lack consensus for its claimed purpose, the ICANN-invented purpose is clearly one that is NOT supported by 3 of ICANN’s 4 Stakeholder Groups (Registrars, Registries, and Noncommercial). Despite Goran Marby’s friendly posturing of “consulting” with various groups, ICANN clearly isn’t listening to them and has unilaterally determined what its position will be.
But even if we set these eye-popping problems aside, it is instructive to see how weak is ICANN’s case that registrars must collect the Tech-C and Admin-C data. That is, even if one goes along with ICANN’s expansive definition of Whois purpose, it is unclear why all domain name registrants must conform to the Admin-C and Tech-C convention that was established more than 20 years ago. ICANN admits that if both contacts are the same as the Registrant, then no new data is collected. If the Admin-C or Tech-C are not the same as the Registrant, and the contact data for them constitutes personal data, then ICANN admits that “the collection of such data is subject to an assessment under the GDPR…” Under the GDPR, if the Registrant and/or the Admin-C and Tech-C consent to the collection of their data, then there is no legal problem with it. So in many cases, those who wish to delegate a contact may still do so. Yet ICANN insists that it must compel collection of this data.
The viewpoint of many registrars on this question was expressed well on the DomainMondo blog:
…current WHOIS policy collects much more data than is necessary or appropriate. The relevant questions are: 1) Who is the legal registrant (or representative of the registrant) of a domain name, and 2) how can that person be contacted? Registrants should be able to choose to list their name, address, and email and phone data (fax is an anachronism), or appoint an agent (“Registrant’s Agent” which could include an accredited WHOIS privacy provider) for public WHOIS purposes. As a default, and to comply with the GDPR, if the registrant fails to choose one of the above methods for the Public WHOIS, the domain name’s registrar of record should be listed as registrant’s agent since most domain disputes (e.g., UDRP and URS) are essentially in rem or quasi in rem actions. It really should be that simple, but I am afraid ICANN is “lost in la-la-land.”
By insisting on the retention of a rather arbitrary convention, ICANN seems to be protecting the interests of data miners in the security and trademark industry who have written scripts that scrape the information automatically. But this is just a guess.
With this filing, ICANN the organization has thrown off its mask of bottom up multistakeholder policy development regarding Whois, it has staked out a position that serves the interests of a few stakeholders. It has shown that it will fight hard and spend a lot of money to support those interests. It has also shown a willful disregard for the limited nature of its mission. The good news here, however, is that legal certainty regarding the application of GDPR to Whois may be on the way soon.
Excellent summary and comment on what currently happens in the GDPR and WHOIS implementation.
It appears that the case was dismissed (ICANN lost) rather quickly, see:
https://www.icann.org/en/system/files/files/litigation-icann-v-epag-request-court-order-prelim-injunction-redacted-30may18-en.pdf