The Internet Corporation for Assigned Names and Numbers (ICANN) is a company based in the US, which does not grant it immunity from GDPR enforcement. ICANN has found complying with EU law to be quite troublesome, given that it has been in breach of the Data Protection Directive for 15 years.

Last year, ICANN initiated injunction proceedings against EPAG, a German Internet domain registrar that is accredited by ICANN. ICANN brought the case before the German court to request clarification of EPAG’s permissions. Namely, ICANN’s main concern was whether EPAG would be obligated to continue to collect additional administrative and technical information for new domain registrations, as it was contractually obligated to do so.

The Court in Bonn ruled in favor of EPAG, basing its decision on the General Data Protection Regulation. Having lost this case, ICANN sought clarification from the Appellate Court in Cologne, but the verdict remained the same.

It was concluded that ICANN wrongly interpreted the GDPR and failed to follow the principles of the new regulation.

Lawfulness, Fairness, and Transparency

European data protection authorities found that it was difficult to grasp and clearly define the purposes of the data collection. In addition, the lawful basis for processing data of the WHOIS directory was not easy to comprehend.

One of the primary points of the GDPR is to motivate companies to formulate their privacy policies in an easily readable and understandable way, so that clients can provide the consent required under the regulation.

Data Minimisation and Purpose Limitation

According to the General Data Protection Regulation, a company can’t store more information about users than is necessary for the specific purpose of collection. While ICANN claimed that additional information is necessary, the Court opposed its claims. Finally, the Court ruled that the collection of domain name registrant data should suffice in order to prevent the misuse of the security aspects in connection with the domain name, and in this case, additional information was redundant.

Privacy by Design and Privacy by Default

EPAG claimed that their agreement with ICANN obligates the latter to comply with the current law, which is now the GDPR. In addition, they stated that the principle of data minimization (“Privacy by Default” and “Privacy by Design”) prohibits the collection of such data as well. The Court agreed with this explanation and confirmed that ICANN failed to interpret the regulation for the third time.

Finally, ICANN failed to protect their clients’ data by continuing to share their customers’ ongoing activities openly. More on this case can be found on ICANN’s website.