ICANN asked the Regional Court of Bonn to issue an order to force EPAG Domainservices to collect the personal data of technical and administrative contacts of organisations that register domain names with EPAG.
EPAG previously collected the information, but advised ICANN that it would stop doing so in order to comply with the EU's General Data Protection Regulation (GDPR).
Although EPAG does collect the domain name holder's contact data in accordance with the terms of its contractual agreement with ICANN, ICANN challenged EPAG's right to waive the collection of further details of technical and administrative contacts. It argued that EPAG was contractually obliged to collect the additional personal data and that it needed the information to achieve its purposes.
Information that serves to identify the people behind domain name registrations is published on the WHOIS system, a series of online databases. The data is useful for a range of purposes necessary for the operation of the internet, but is also used upon by law enforcement agencies and by intellectual property (IP) owners seeking to enforce their IP rights.
The Regional Court of Bonn ruled (6-page / 143KB PDF) in favour of EPAG and said ICANN's application for an injunction to be served against the registrar was "unfounded".
The court said ICANN had failed to show that the collection of the contact information was necessary, as required by the GDPR.
It considered the fact that EPAG collects contact data for the domain name holder and the contractual duties the company is under to comply with applicable law, such as the GDPR.
The court said ICANN "can only claim loyalty to the contract from [EPAG] to the extent that the contractual agreements are in accordance with applicable law".
"[ICANN] has not demonstrated that the storage of other personal data than that of the domain holder, which continues to be indisputably collected and stored, is indispensable for the purposes of [ICANN]," the court said.
While collecting more data would make "the identification of persons behind a domain and contacting them appear more reliable than if only one data record of the person generally responsible for the domain is known", there is nothing to stop the same contact data being provided for the domain name holder as the technical and administrative contacts, it said.
"Against the background of the principle of data minimisation, the [court] is unable to see why further data sets are needed in addition to the main person responsible," the court said.
Ann Henry, an expert in data protection and intellectual property law at Pinsent Masons, the law firm behind Out-Law.com, said: "The narrow view taken to GDPR interpretation in this case demonstrates the challenges that intellectual property rights holders are going to face in enforcing their trade mark rights in Europe and how additional costs will come into play in seeking to do so."
"It is to be expected that, going forward, intellectual property rights owners will assert the EU Charter of Fundamental Rights and specifically the ‘freedom to conduct a business’ principle in seeking to ensure that any judicial consideration of intellectual property rights and GDPR is balanced and proportionate," she said.
