The first court decision interpreting the General Data Protection Regulation (GDPR) has been issued by a German court. The decision, issued just days after the GDPR’s entry into force, serves as a key reminder that an organisation must continually and carefully assess its products, contracts and policies in light of privacy law requirements. The decision also provides valuable confirmation of how courts are likely to account for the public value of an organisation’s work, and for its pre-existing efforts toward compliance, when assessing privacy law infringements and the accompanying penalties.
The Internet Corporation for Assigned Names and Numbers (ICANN) is a not-for-profit, public-benefit corporation formed in 1998 to manage Internet domain names. It accredits registrars across the world to assign domain names in their respective jurisdictions. ICANN maintains the public WHOIS database of contact and other information about the owners of each domain name.
On 29 May 2018, the Regional Court (Landgericht) of Bonn refused an injunction requested by ICANN that sought to force ICANN-accredited German domain registrar EPAG Domainservices GmbH to reinstate the collection of administrative contact and technical contact data of domain registrants, in line with EPAG’s obligations under the standard ICANN contract. The court agreed with EPAG that collection of this information was not permitted under the GDPR, even though it was required under the standard ICANN contract. It was not clear to the court that the collection of administrative contact and technical contact information was “necessary” in relation to any of ICANN’s legitimate purposes: the domain name registrant’s own data was deemed sufficient in this respect.
This decision underscores how important it is for organisations to review and reassess their processes and contracts in view of the GDPR. Organisations need to reassess what data they are permitted to process in each circumstance, as well as the permitted purposes for such processing. Organisations should complete a thorough inventory of their data and map each data element to the purposes for which it is processed, rather than leaving that analysis to a future court. Such an analysis is crucial to clarifying how organisations can modify their contractual and product requirements to avoid conflicts such as the one faced by EPAG.
On 13 June 2018, ICANN announced that it is appealing the Regional Court’s decision, seeking to “maintain clarity of how to maintain a global WHOIS system and still remain consistent with legal requirements under the GDPR,” as stated by John Jeffrey, ICANN’s General Counsel and Secretary, in the company’s press release announcing the appeal. ICANN has been working with the Article 29 Working Party (WP29) since 2003 to identify how it can make the WHOIS database compliant with data protection laws. However, the European Data Protection Board (the post-GDPR successor to the WP29) recently rejected ICANN’s request for a moratorium on enforcement until it has clarified its compliance with the GDPR, highlighting that data protection authorities should not provide special treatment to any organisation, even one that serves a public interest function. The Board made clear that data protection authorities would nevertheless not be precluded from taking into account progress already made toward compliance when determining the appropriate enforcement measures.
The Board’s assessment seems to confirm that all organisations, even those doing public interest work, including charities, will be held to the same compliance standard, but that the means by which the law is enforced will be assessed on a case-by-case basis, with the effort the organisation has put into compliance weighing significantly.