Violation of the GDPR: ICANN collects too much data during domain registration

GDPR: Too much personal data when registering a domain. Setback for the central registry for internet addresses (ICANN) in the USA.

The Bonn Regional Court has issued one of the first decisions on the new General Data Protection Regulation.
In a decision dated May 29, 2018, the Bonn judges ruled that ICANN was in breach of the GDPR (Ref.: 10 O 171/18).

The domain registration authority based in the USA is the central registry for Internet addresses.
However, it collects too much personal data during the registration process.

US company ICANN wants comprehensive personal data for domain registration

The US agency not only wanted to know who operates the site to be registered, but also the names, addresses and telephone numbers of all persons with full access rights to the website.
This includes the so-called Admin-C and also the technically responsible persons (Tech-C).

During the proceedings, ICANN was of the opinion that the domain registrant was also contractually obliged to collect further technical and administrative contacts.
After all, this data was absolutely necessary to achieve the registrant’s purposes.

German domain trader sees data collection as a violation of the GDPR

The German domain trader Epag has now defended itself against ICANN’s requirements.
The Bonn-based company is allowed to sell domains in Germany, Austria and Switzerland with the permission of ICANN.
According to the contract, however, it must transfer comprehensive personal data to ICANN.
In compliance with the requirements of the GDPR, the company is only prepared to hand over all address data of the domain owner, but not that of the Admin-C and Tech-C.

Personal data of the domain holder sufficient

ICANN could not credibly demonstrate to the Bonn Regional Court that the extensive personal data was necessary to achieve the purposes.
After all, the collection of personal data is only permitted for specified, clear and legitimate purposes.
In addition, the collection must be adequate, relevant and limited to what is necessary for the purposes of the processing (Art. 5 para. 1 lit. b) and c) GDPR).

In light of the principle of data minimization, the Chamber was unable to see why further data records should be required in addition to the main controller.

Identification of the people behind it difficult

It is obvious that more data makes it more reliable to identify the persons behind a domain and to contact them.
However, the holder of the registered or to be registered domain name is only the person responsible for the content of the website in question, who does not necessarily have to be a different person from the Tech-C and Admin-C categories.

Restricted Whois query makes identification even more difficult

Insofar as ICANN bases its claims to the many personal data on a parallel of the so-called “WHOIS” system to international agreements on trademark registers, the chamber of the Regional Court of Bonn does not follow this.
This is because there is no legal basis for the trademark registers based on international agreements.
The fundamental comparability of the respective general need for protection does not change this.

Many companies, including Denic, no longer allow WHOIS queries without further ado.
What every Internet user used to be able to find out with just a few clicks, Denic and others now only give out to users who can at least prove a legitimate interest.

The restricted WHOIS query has recently made the work of journalists and IT security researchers on the Internet more difficult.
When researching fake news sites, spammers and ransomware, it has become more difficult to track down the people behind them without the query.