ICANN loses injunction bid in dispute over WHOIS data in Germany

ICANN had applied for a court order to be issued against EPAG Domainservices to force EPAG to collect the personal data of technical and administrative contacts of organisations that register domain names with it.

EPAG already collect the domain name holder's contact data in accordance with the terms of its contractual agreement with ICANN. It previously collected the data of technical and administrative contacts too on a voluntary basis, but has changed its policy to stop doing so in light of the introduction of new EU data protection laws.

ICANN has challenged EPAG's change in practice and earlier this year applied for a preliminary injunction that, if applied, would have required EPAG to collect the data. It claimed the data it seeks access to would be "irretrievably lost" if the preliminary injunction was not applied. This is because EPAG is "changing its technical systems in a way that the domain holders will no longer be able to provide [administrative and technical contacts] data at all in the future", according to a new ruling by the Appellate Court of Cologne.

The Cologne court upheld an earlier ruling by the Regional Court of Bonn in the case. The reasons articulated by the Bonn court for rejecting ICANN's application were "convincing", the appeals court said. It concluded that ICANN failed to satisfy the legal test for justifying the issue of a preliminary injunction. ICANN did not show there was an urgent need for the injunction and that it was necessary to "avoid substantial disadvantages", it said.

ICANN will still have an opportunity to "enforce the rights it asserts" in the main proceedings in the dispute, according to the new ruling. However, the Cologne court took issue with the reasons ICANN claimed the collection of the administrative and technical contacts data was necessary.

"To the extent [ICANN] argues that in the case of abusive practices (e.g. online fraud) there may be – if the data of the [administrative and technical contacts] were not available – delays in establishing contact and that this would therefore impede the effective combatting of abusive practices, this does not justify another assessment," the Cologne court said. "Irrespective of the fact that only the abstract danger of delays in a case of abusive practices cannot justify the sought preliminary injunction, [EPAG] also stated, undisputed by [ICANN], that previous practical experiences do not confirm this."

Information that serves to identify the people behind domain name registrations is published on the WHOIS system, a series of online databases. The data is useful for a range of purposes necessary for the operation of the internet, but is also used upon by law enforcement agencies and by intellectual property (IP) owners seeking to enforce their IP rights.

Information identifying individual persons behind websites is personal data and subject to data protection laws. In the EU, the data protection regime was recently updated when the GDPR came into effect. The new rules and stiffer sanctions regime now in operation have prompted many domain name registrars to take a conservative approach to the collection of information from those registering web addresses with them.

The change in approach has not been welcomed by ICANN. It sought guidance from EU data protection authorities on the issue – a response was issued by the European Data Protection Board (EDPB) last month.

Dublin-based Karen Gallagher of Pinsent Masons, the law firm behind Out-Law.com, an expert in data protection and IP law, said at the time that the EDPB's guidance would effectively require ICANN to "go back to the drawing board to make its rules around the collection and use of WHOIS data compliant with the General Data Protection Regulation(GDPR)".