On Friday the 25th of May, ICANN filed a legal action [1] against EPAG Domainservices GmbH, a Tucows-owned Registrar based in Bonn, Germany. This action was taken because of a disagreement between Tucows and ICANN on how the GDPR should be interpreted with respect to our contracts. While we look forward to defending our position in court, the below is intended to provide some context and insight into the dispute.
The GDPR begins with a statement of its core principle: “The protection of natural persons in relation to the processing of personal data is a fundamental right.” Tucows has long been concerned with privacy and the rights of our customers, and takes the principles enshrined in this law extremely seriously.
In order to have a domain registration system reflective of “data protection by design and default”, we started with the GDPR itself and crafted our procedures and policies around it. We built a new registration system with consent management processes, and a data flow that aligns with the GDPR’s principles. Throughout the registration life-cycle, we considered things like transparency, accountability, storage limitation, and data minimization.
We realized that the domain name registration process, as outlined in ICANN’s 2013 Registrar Accreditation Agreement, not only required us to collect and share information we didn’t need, it also required us to collect and share people’s information where we may not have a legal basis to do so. What’s more, it required us to process personal information belonging to people with whom we may not even have a direct relationship, namely the Admin and Tech contacts.
ICANN’s goal, since discussions about the impact of the GDPR on domain registration began, has been to preserve as much of the status quo as possible. This has led ICANN to attempt to achieve GDPR-compliant domain registration via ‘process reduction’, as opposed to Tucows’ approach of starting with the GDPR and rebuilding from the ground up. These two approaches have led to significantly different results, and consequently a need to determine whether ICANN’s insistence on the collection of the full thick Whois data and this data’s transfer to gTLD Registries is in compliance with the GDPR. It is this disagreement and need for legal clarity that is at the heart of the lawsuit filed by ICANN.
On the 17th of May 2018, the ICANN board passed a ‘Temporary Specification’ [2], meant to temporarily bring gTLD registration services in line with the GDPR. The goal of the Specification is to serve as a stop-gap while the ICANN community works to resolve and balance issues between privacy law and existing ICANN policy.
With that background in mind, we see three core areas in which we do not believe the Temporary Specification is compliant with the GDPR: the collection, the transfer, and the public display of the personal information of domain registrants and the other contractually-mandated contacts.
Personal Data Collection
Article 5(1)(c) of the GDPR speaks to data minimization: collecting and processing only that personal data which is necessary. It is clear to Tucows that we need to continue capturing some information about the domain Registrant; we always want to ensure we have the ability to contact the person legally responsible for the domain. However, in the vast majority of gTLD registrations, the Registrant (Owner), Admin, and Tech contacts are the same person. In those cases, collecting separate Admin and Tech contacts is redundant: it simply duplicates data that already belongs to the Registrant.
In the less common scenario where the Admin or Tech contact is not the Registrant, the mandatory collection of their contact data is problematic for a different reason: it requires us to store and process personal data belonging to people with whom we have no legal or contractual relationship.
ICANN will need to prove that the marginal benefit of collecting, processing and transferring Admin and Tech contact data at the request of third parties outweighs the principles of data minimization and lawful processing enshrined in the GDPR. We find the argument that duplicative technical contacts are necessary for the security and stability of the DNS implausible. We were not convinced this was the case when we first examined the law, and we remain unconvinced following the release of ICANN’s Temporary Specification.
Tucows will continue to ensure that those with legitimate purposes, including law enforcement, intellectual property, and commercial litigation interests will have access to domain registrant information. On a daily basis, we see plenty of important circumstances wherein we find sharing that information to be legally necessary, and this will not change. We collect a contact for the owner of each domain name sold on our platforms, and have the ability to contact the owner. When necessary, we also share that contact with law enforcement and others with a legitimate interest.
Personal Data Transfer to a Registry
ICANN’s continuing requirement that registrars transmit all data collected to the relevant registry is counter to the GDPR’s requirement that personal data be processed only where a lawful basis applies. There are circumstances where this transfer is necessary and reasonable, for example where a TLD has specific registrant requirements such as geographic restrictions. We are not opposed to these circumstances, but we require agreements between ourselves and the registry covering the specific collection, processing and transfer of that personal data.
However, as the registrar, we collect the data that we need in order to enter into a contractual relationship with the registrant and provide the requested services. Transfer of that data to a registry is unnecessary, as the decades-old ‘thin model’ followed by 140 million .com and .net domains demonstrates: under that model the registry holds only the domain’s nameserver and sponsoring-registrar data, and the registrant’s contact data stays with the registrar. We do not believe the Temporary Specification offers a robust legal basis for the transfer of contact data to registries, and it therefore presents an unacceptable risk under the GDPR.
Personal Data Display
ICANN has also required that we continue to publish the organization, state/province, and country fields in the public Whois. We disagree that the organization should be published because, although it is optional, many people do not realize this and put their own first and last names in the organization field. We do not want to expose the personal data of these registrants because of a misunderstanding, and it will take considerable time to educate registrants and cleanse this data from the field.
Desire for Clarity
Fundamentally, ICANN and Tucows disagree on how the GDPR impacts our contract. The facts and the law, as we see them, do not support ICANN’s broader view of what will impact the security and stability of the internet. Neither do we find the purposes outlined in the temporary specification proportional to the risks and consequences of continuing to collect, process and display unnecessary data. We look forward to, and welcome the clarity that will come from this legal action.