ICANN sues registrar over GDPR and WHOIS data

[Update] The Regional Court in Bonn dismised the case, opining that the collection and storage of the data of the administrative and technical contacts for a domain name was not necessary, and that the collection of personal data of the domain name registrant was sufficient for purposes related to safeguarding against misuse of domain names​.

The Internet Corporation for Assigned Names and Numbers (ICANN) has filed a legal action against Germany-based domain name registrar EPAG, over the registrar’s decision to stop collecting administrative and technical contact information when domain names are registered. While EPAG – an ICANN accredited registrar – is of the view that its decision is in line with the EU General Data Protection Regulation (GDPR), ICANN argues that the registrar is breaching its contract by not complying with the requirement to continue to collect WHOIS data. The ICANN Board has recently adopted a Temporary Specification regarding the collection and publication of WHOIS data, which the organisation believes to be compliant with the GDPR. Through this filling against EPAG, ICANN is seeking ‘a court ruling to ensure the continued collection of WHOIS data, so that such data remains available to third parties demonstrating’. The organisation also noted that it ‘does not seek to require its contracted parties to violate the law’, but that it has filed the lawsuit to seek clarification on the different interpretations of GDPR provisions.