Padlock and EU flag inside smartphone and EU map, symbolizing the GDPR

On 29 May 2018, only five days after the GDPR became applicable, the Regional Court of Bonn issued the first ruling applying the GDPR in Europe (file no. 10 O 171/18).

Facts of the Case

The dispute involved the Internet Corporation for Assigned Names and Numbers (ICANN) and the ICANN-accredited registrar EPAG Domainservices GmbH (EPAG). ICANN is a non-profit company that coordinates the assignment of domain names and ensures that website names are not duplicated on the network. By means of an agreement between the parties, EPAG is authorized by ICANN to assign Second Level Domains to interested parties (so-called registrants).

For each domain name assigned, ICANN requires registrars to collect and further process not only the name and contact details of the registrant of the domain name, but also the name and contact details of a technical contact and of an administrative contact within the registrant. This personal data becomes public through publication on the WHOIS website platform. With the GDPR becoming applicable on 25 May 2018, EPAG argued that there was no legal basis for the processing of the personal data of the technical and administrative contacts of registrants and therefore, based on the GDPR, informed ICANN that it would no longer process such personal data. ICANN then filed an application for interim relief with the Regional Court of Bonn aiming at forcing EPAG to continue obtaining this information from registrants and making it available to ICANN.

Legal Assessment

According to Article 5 (1) (b) and (c) of the GDPR, personal data may only be collected for specified, explicit and legitimate purposes (purpose limitation principle), and must be adequate, relevant and limited to what is necessary for the purposes for which the personal data is processed (data minimization principle). Moreover, pursuant to Article 25 (1) of the GDPR, companies must take appropriate organizational and technical measures to implement the GDPR principles, such as purpose limitation and data minimization.

Relying on this, EPAG held the view that the processing of the name and contact details of one responsible person within the registrant of a domain name should be deemed sufficient for the purpose of identifying the registrant and allowing  contact by third parties, and therefore no legal basis existed for the processing of name and contact details of a technical and an administrative contact of registrants.

ICANN opposed that the identification of a technical contact person is necessary to find solutions to technical problems, and that the processing of personal data of a technical and administrative contact of registrants is also necessary for security and criminal prosecution purposes; Prosecutors and trademark representatives are particularly interested in such additional information.

Decision
The Regional Court of Bonn denied ICANN’s request and decided that processing personal data of a technical and an administrative contact persons of registrants violates Article 5 (1) (b) and (c) of the GDPR. The specified, explicit and legitimate purpose of processing personal data in the context of assigning domain names shall be the identification of the registrant, which in turn is sufficient to address ICANN’s concerns regarding the security of the network. The owner of the domain name is the only person responsible for the content of the website and therefore only the processing of their personal data shall be deemed necessary for this purpose.

Take away

Interestingly, the discussion did not focus on the lawfulness of processing (Article 6 of the GDPR), but rather on the implementation of the GDPR principles of purpose limitation and data minimization. Nonetheless, the central issue was the necessity of data processing, which is one of the foundations of the GDPR, reflected both in the GDPR principles and in their concretization through the grounds for processing.

The Court did briefly address Article 6 of the GDPR though. One fact that caught the Court’s attention in particular was that the registration of a domain name has always been possible even if a technical and an administrative contact were not made available by the registrant. This was considered by the Court as a clear sign that such personal data is not necessary for the purposes of the processing of personal data. As such, registrants should be free to decide if they want to provide such additional contact details or not, based on Article 6 (1) (a) of the GDPR (consent). They shall not, however, be forced to provide such data, there is no other legal ground for their processing.

This rationale will probably be used by other Courts when applying the necessity test, so companies should analyze carefully whether they really need the personal data they are processing, and if not, take measures to assure that their processing is lawful based on another GDPR legal ground.

On 25 May 2018, the General Data Protection Regulation (GDPR) of the European Union entered into force, accompanied by some uncertainties regarding its application. For example, some legal commentators believe there are “irreconcilable” differences between blockchain technologies and some of GDPR’s core principles, raising doubts as to whether the technology can achieve widespread adoption under the new data protection regime.  Continue Reading GDPR Implications for Blockchain and Distributed Ledger Technologies

The European Union (“EU”) General Data Protection Regulation 2016 (“GDPR”) entered into effect on 25 May 2018. A brief summary of the GDPR can be found in our Legal Update.

Organisations in Hong Kong may need to comply with the GDPR if it (1) has an establishment in the EU, where personal data is processed in the context of the activities of the establishment, regardless Continue Reading Privacy Commissioner for Personal Data Issues Booklet on how Hong Kong Businesses Should Prepare for GDPR

The 13th People’s National Congress (“NPC”) recently approved the State Council’s proposal to restructure China’s State Intellectual Property Office (“SIPO”). The proposal intends to consolidate the administration of trademarks and patents and to streamline the enforcement of IPR in China. Continue Reading China Unveils Plan to Restructure State Intellectual Property Office

The UK ratified the Unified Patent Court Agreement (“UPCA”) on 26 April 2018. The UPCA will introduce the Unified Patent Court which will establish a single scheme for patent litigation across contracting Member States.

Continue Reading Unified Patent Court Agreement Ratified by the UK

In April 2018, Amazon Technologies, Inc., a subsidiary of e-commerce giant Amazon, was granted a patent relating to a “technology for a streaming data marketplace” by the United States Patent and Trademark Office (USPTO). The technology underlying the patent is described as gathering (online) data streams from various sources and enhancing those streams “by correlating the raw data with additional data.” The patent description lists a number of potential use cases for the streaming data feeds that participants in the market place are offering subscriptions to. One notable use case relates to “bitcoin transactions,” with the ultimate goal of identifying users of the virtual currency by their Bitcoin addresses. Continue Reading The Bitcoin Implications of Amazon’s New Streaming Data Patent

On 1 May 2018, the “Information Security Technology – Personal Information Security Specification” (PI-Specification) by China’s National Information Security Standardization Technical Committee (NISSTC) will come into effect. The PI-Specification, inter alia, provides guidance on the collection, storage, use, transfer and disclosure of personal information. While the PI Specification is voluntary and not legally binding, it is likely that Chinese regulators will take into account breaches of the PI Specification when enforcing cybersecurity obligations.

The requirements for the collection, use, and storage of personal information are briefly outlined below. Continue Reading China Issues New Standards on Personal Information Security

In preparation of Brexit, the European Commission published its Draft Withdrawal Agreement on 28 February 2018, which sets out the arrangements for the withdrawal of the United Kingdom (UK) and Northern Ireland from the European Union (EU). Title IV of the Withdrawal Agreement is in Articles 50 to 57 suggesting a framework for continued protection of intellectual property in the United Kingdom after Brexit. Continue Reading BREXIT – Commission consistent with IP industry demands

Christian Wulff, a former German Federal President who resigned in February 2012, caught the attention of the public in May 2015 with his announcement that he was back together with his ex-wife Bettina Wulff. Following this, the press published a photograph of him pushing a cart at the parking lot of a supermarket next to his wife, Bettina Wulff. Mr. Wulff felt hurt in his right to privacy. He filed a lawsuit aiming to prohibit the publication of this private photo. In first and second instance Mr. Wulff was successful; the German Federal Court now overruled the previous decisions and decided that Mr. Wulff’s right to privacy were not infringed by the publication of the photo. Continue Reading The Right to Privacy of a Former Federal President

Back in 2015 Constantin Film AG, the production company of the German movie „Fack ju Göhte“, filed an European Union trademark application (“EUTM”) for its movie title „Fack ju Göhte“ with the European Union Intellectual Property Office (“EUIPO”). The EUTM application was refused by the EUIPO based on an alleged infringement of public policy and common decency. On top of that, EUIPO was of the opinion that the title of the movie is an offensive insult that would damage the German highly respected writer Johann Wolfgang von Goethe posthumously. Constantin Film’s appeal against this decision was also not successful, so that they now brought that case before the General Court of the European Union. Continue Reading The General Court of the European Union Rules on the Immorality of the Movie Title „Fack ju Göhte“