Domain Names & GDPR
A recent ruling by a German court about GDPR also applies to personal information held in the worldwide whois service, and could mean that domain name admin and tech contact details may no longer be needed because of the GDPR ‘data minimisation principle’.
Up Until Now
Laws up until now have required ICANN, the Internet Corporation for Assigned Names and Numbers, to ask its accredited domain registrars to collect and store certain details of people who register / purchase domain names. These details include the owner's name and address, and the name, postal address, e-mail address, telephone number, and (where available) fax number of the domain's technical and administrative contacts. Many of these may, in fact, be the same person.
No More Collecting and Storing Details of Owners
The recent German court ruling came about because German registrar EPAG Domain services thought that one important aspect of GDPR, which came into force on May 25th, is the principle of data minimisation.
Under this key GDPR principle, personal data collected by companies should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. In other words, under GDRR, companies should only collect the personal data that is absolutely necessary to provide the service.
The German registrar EPAG Domain services used this GDPR principle to argue that it no longer needed or wanted to collect the personal details for the technical and administrative contacts of domains, although it would still be happy to collect the personal details of the actual domain name owners.
ICANN Still Wanted Details Collected
ICANN didn’t agree with EPAG, and pushed for an injunction to ensure that EPAG either continued to collect administrative and technical contact details, or pay a €250,000 (US$291,000) fine!
The court came down on EPAG’s side, and refused to grant the injunction on the grounds that there was no evidence that the extra information was needed, especially since the same person could be listed as the owner, technical, and administrative contact.
ICANN’s Own Policy Proposal
ICANN had already published its own temporary policy to cover how information gathered by registrars should be made publicly available through the global whois service. ICANN’s policy was for tiered / layered access to personal information, limiting it to users with a legitimate and proportionate purpose e.g. law enforcement, competition regulation, consumer protection or rights protection.
One ironic aspect of the court’s ruling is that ICANN itself doesn’t register any personal details for administrative and technical contacts, and only lists a single number for both contacts' phone and fax, which turns out to be the main number for its network operations centre. It could be argued that this is data minimisation in action from a company that appears to have argued against it.
What Does This Mean For Your Business?
This story is a practical example of how GDPR could affect aspects of company operations that may not have really been considered until now. It shows how current ways of doing things can be, relatively easily challenged in some courts, the results of which could spread across a whole industry.
If the ruling, in this case, is taken on board in other European countries e.g. most other EU countries, it could save domain registrars some time, and could cut through bureaucracy while protecting privacy at the same time.
It is still early days for GDPR, and there are likely to be many different challenges and changes to come across many industries as a result.