On 29 May 2018, only five days after the GDPR became applicable, the Regional Court of Bonn issued the first ruling applying the GDPR in Europe (file no. 10 O 171/18).
Facts of the Case
The dispute involved the Internet Corporation for Assigned Names and Numbers (ICANN) and the ICANN-accredited registrar EPAG Domainservices GmbH (EPAG). ICANN is a non-profit company that coordinates the assignment of domain names and ensures that website names are not duplicated on the network. By means of an agreement between the parties, EPAG is authorized by ICANN to assign Second Level Domains to interested parties (so-called registrants).
For each domain name assigned, ICANN requires registrars to collect and further process not only the name and contact details of the registrant of the domain name, but also the name and contact details of a technical contact and of an administrative contact within the registrant. This personal data becomes public through publication on the WHOIS website platform. With the GDPR becoming applicable on 25 May 2018, EPAG argued that there was no legal basis for the processing of the personal data of the technical and administrative contacts of registrants and therefore, based on the GDPR, informed ICANN that it would no longer process such personal data. ICANN then filed an application for interim relief with the Regional Court of Bonn, seeking to force EPAG to continue obtaining this information from registrants and making it available to ICANN.
According to Article 5 (1) (b) and (c) of the GDPR, personal data may only be collected for specified, explicit and legitimate purposes (purpose limitation principle), and must be adequate, relevant and limited to what is necessary for the purposes for which the personal data is processed (data minimization principle). Moreover, pursuant to Article 25 (1) of the GDPR, companies must take appropriate organizational and technical measures to implement the GDPR principles, such as purpose limitation and data minimization.
Relying on this, EPAG held the view that the processing of the name and contact details of one responsible person within the registrant of a domain name should be deemed sufficient for the purpose of identifying the registrant and allowing contact by third parties, and therefore no legal basis existed for the processing of name and contact details of a technical and an administrative contact of registrants.
ICANN countered that the identification of a technical contact person is necessary to find solutions to technical problems, and that the processing of personal data of a technical and administrative contact of registrants is also necessary for security and criminal prosecution purposes; prosecutors and trademark representatives are particularly interested in such additional information.
The Regional Court of Bonn denied ICANN’s request and decided that processing personal data of technical and administrative contact persons of registrants violates Article 5 (1) (b) and (c) of the GDPR. The specified, explicit and legitimate purpose of processing personal data in the context of assigning domain names shall be the identification of the registrant, which in turn is sufficient to address ICANN’s concerns regarding the security of the network. The owner of the domain name is the only person responsible for the content of the website and therefore only the processing of their personal data shall be deemed necessary for this purpose.
Interestingly, the discussion did not focus on the lawfulness of processing (Article 6 of the GDPR), but rather on the implementation of the GDPR principles of purpose limitation and data minimization. Nonetheless, the central issue was the necessity of data processing, which is one of the foundations of the GDPR, reflected both in the GDPR principles and in their concretization through the grounds for processing.
The Court did, however, briefly address Article 6 of the GDPR. One fact that caught the Court’s attention in particular was that the registration of a domain name has always been possible even if a technical and an administrative contact were not made available by the registrant. This was considered by the Court as a clear sign that such personal data is not necessary for the purposes of the processing of personal data. As such, registrants should be free to decide if they want to provide such additional contact details or not, based on Article 6 (1) (a) of the GDPR (consent). They shall not, however, be forced to provide such data, as there is no other legal ground for their processing.
This rationale will probably be used by other Courts when applying the necessity test, so companies should analyze carefully whether they really need the personal data they are processing, and if not, take measures to ensure that their processing is lawful based on another GDPR legal ground.