First GDPR decision issued, what future for privacy compliance?

The GDPR has been in place for a few days, but German courts have already issued their first decision, what will happen next for the privacy compliance of companies?

This is an interesting blog post from my colleagues Jan Spittka and Kiana Mirzaei originally published on Privacy Matters Blog. I hope you will enjoy it!

*          *          *

What was the case about?

Only a few days after the GDPR became applicable, the first German court, the Regional Court (Landgericht) Bonn (in a decision dated 29 May 2018, case number 10 O 171/18 – in German only), issued a ruling on the practical application of the GDPR. This probably makes the court’s ruling the first GDPR court decision worldwide, and the decision addressed the hot-button issue of public availability of ICANN “WHOIS data”.

The court was called upon to rule in an interim injunction proceeding about the data minimization principle set forth in Art. 5 (1) lit. c) GDPR.  The Parties to the proceeding were the Internet Corporation for Assigned Names and Numbers (ICANN) against the German-based, ICANN-accredited Registrar EPAG Domainservices GmbH. ICANN sought to obligate EPAG to comply with the ICANN “Registrar Accreditation Agreement”, which requires registrars to collect administrative (Admin-C) and technical (Technical-C) contact information for a new domain name registration (“WHOIS data”). The court ruled that ICANN could not show credibly that the collection of Admin-C and Technical-C is necessary pursuant to Art. 5 (1) lit c) GDPR and therefore that EPAG is not obligated to collect such data.

What did the court hold on the GDPR case?

The court stated that an obligation to comply with the requirements of the Registrar Accreditation Agreement exists only in so far as the Agreement is in accordance with applicable law. Article 5 (1) lit b) and c) GDPR dictates that personal data may only be collected for specified, explicit and legitimate purposes and shall be adequate, relevant and limited to what is necessary in relation to the purpose. Per the court, ICANN could not credibly show the necessity to collect the Admin-C and Technical-C. Instead, the collection of the domain name registrant data should suffice to fulfill ICANN’s purposes, especially with regard to criminal activity, infringement or security problems, as the domain name registrant is the main person responsible. According to the court, the fact that a registration is also possible by naming the registrant (and not a third party) as Admin-C and Technical-C underlines this argumentation.

Was this decision expected?

WHOIS directories are valued by rights owners and law enforcement authorities for providing transparency as to who registered a domain and ICANN has been struggling with GDPR compliance regarding WHOIS directories and services.  They therefore entered into a dialogue with the Article 29 Data Protection Working Party (WP29, since 25 May 2018: the European Data Protection Board).

The WP29 stated concerns regarding ICANN’s GDPR compliance, outlined recommendations and announced to monitor ICANN closely (see WP20 letter from 11 December 2017 and  WP29 Letter from 11 April 2018). ICANN requested a moratorium on enforcement action by DPAs until a revised WHOIS policy is developed and implemented. This request was denied several days after the GDPR effective date by the European Data Protection Board on the ground that the GDPR does not allow national supervisory authorities nor the European Data Protection Board to create an “enforcement moratorium” for individual data controllers.

However, the Board noted that this does not preclude data protection authorities to take into consideration the measures which have already been taken or which are underway when determining the appropriate regulatory response upon receiving complaints (see Statement from 27 May 2018). Click here for more details on processing of WHOIS information.