Million-euro Tucows GDPR lawsuit may not be ICANN’s last
ICANN has filed a lawsuit against a Tucows subsidiary in Germany in an effort to resolve a disagreement about how new European privacy law should be interpreted, and according to ICANN’s top lawyer it may not be the last.
The organization said late Friday that it is taking local registrar EPAG to court in Bonn, asking that the registrar be forced to continue collecting administrative and technical contact information for its Whois database.
According to an English translation of the motion (pdf), and to conversations DI had with ICANN general counsel John Jeffrey and Global Domains Division president Akram Atallah over the weekend, ICANN also wants an injunction preventing Tucows from deleting these fields from current Whois records.
At its core is a disagreement about how the new General Data Protection Regulation should be interpreted.
Tucows plans to continue collecting the registrant’s personal information, but it sees no reason why it should also collect the Admin-C and Tech-C data.
Policy director Graeme Bunton argues that in the vast majority of cases the three records are identical, and in the cases they are not, the registrar has no direct contractual relationship with the named individuals and therefore no business storing their data.
ICANN counters that Admin-C and Tech-C are vital when domain owners need to be contacted about issues such as transfers or cyber-attacks and that the public interest demands such records are kept.
Its new Temporary Policy — which is now a binding contractual commitment on all registries and registrars — requires all this data to be collected, but Tucows feels complying with the policy would force it to break European law.
“Strategically, we wanted to make sure we don’t let the Whois and the pubic interest get harmed in a way that can’t be repaired,” Atallah said.
“The injunction is to actually stop any registrar from not collecting all the data and therefore providing the opportunity for the multistakeholder model to work and come up with a long-term plan for Whois,” he said. “”We don’t want to have a gap.”
Jeffrey said that the suit was also necessary because ICANN has not received sufficient GDPR guidance from data protection authorities in the EU.
EPAG is not the only registrar planning to make the controversial changes to data collection. There are at least two others, at least one of which is based in Germany, according to Jeffrey and Atallah.
The German ccTLD registry, DENIC, is not under ICANN contract but has also said it will no longer collect Admin-C and Tech-C data.
They may have all taken their lead from the playbook (pdf) of German industry group eco, which has been telling ICANN since at least January that admin and tech contacts should no longer be collected under GDPR.
That said, Tucows chief Elliot Noss is a vocal privacy advocate, so I’m not sure how much leading was required. Tucows was also a co-developer (pdf) of the eco model.
The injunction application was filed the same day GDPR came into effect, after eleventh-hour talks between ICANN legal and Tucows leadership including chief legal officer Bret Fausett hit an impasse.
Tucows has agreed to freeze its plan to delete its existing Admin-C and Tech-C stored data, however.
The suit has a nominal million-euro value attached, but I’m convinced ICANN (despite its budget crunch) is not interested in the money here.
It’s my sense that this may not be the last time we see ICANN sue in order to bring clarity to GDPR.
Recently, Jeffrey said that ICANN would not tolerate contracted parties refusing to collect full Whois data, and also that it would not tolerate it when they decline to hand the data over to parties with legitimate interests.
The German lawsuit does not address this second category of non-compliance.
But it seems almost certain to me that intellectual lawyers are just days or weeks away from starting to file compliance tickets with ICANN when they are refused access to this data, which could lead to additional litigation.
“Whether it would result in a lawsuit is yet to be determined,” Jeffrey told DI yesterday. “The normal course would be a compliance action. If people aren’t able to gain access to information they believe that they have a legitimate right to access they will file compliance complaints. Those compliance complaints will be evaluated.”
“If it’s a systematic decision not to provide that access, that would violate the [Temporary Policy],” he said. “If they indicated it was because of their interpretation of the law, then it could result in us asking questions of the DPAs or going to court if that’s the only action available.”
The injunction application is a “one-sided filing”, which Jeffrey tells me is a feature of German law that means the court could issue a ruling without requiring EPAG/Tucows to appear in court or even formally respond.
The dispute therefore could be resolved rather quickly — this week even — by the court of first instance, Jeffrey said, or it could be bounced up to the European Court of Justice.
Given how new GDPR is, and considering the wider implications, the latter option seems like a real possibility.
I could maybe make a case for a technical contact, but I’d love to understand what an admin contact is meant to do (other than fill a historical space).
Some people that outsource domain management make a difference between the registrant (ownership) and the administrator (management).
Also, the transfer process specifies the admin contact as being allowed to authorize it, so it’s the technical contact that is currently less defined than the admin contact in gTLD policy.
That said, some TLDs have been redefining these contacts as “legal matters” and “technical matters”, so there is already some fragmentation in those definitions as well.
Yeah – I see that’s IANA policy at the root level as well.
And if the Rant agrees and the Admin disagrees?
Heck – I’d go after the Rant if the domain is causing me damages – who cares about Admin.