GDPR: ICCAN loses data-gathering court battle - Read the full decision and and a first legal assesment
In the preliminary injunction proceedings of on May 29, 2018, the 10th Civil Division of the Regional Court of Bonn has delivered the following judgment (10 O 171/18):
- The application for an injunction (of May 25, 2018) is dismissed at the expense of the Applicant.
- The value in dispute is set at EUR 50,000.00.
Facts of the Case
The Applicant seeks a preliminary injunction to prohibit the Respondent from refraining from the (additional) collection of data for technical and administrative contact purposes when assigning Internet domains.
The Applicant is a non-profit organization that coordinates the assignment of unique Internet names and addresses to ensure the stable and secure functioning of a clear online identification system. This includes, in particular, the coordination of the domain name system. In this function, the Applicant concludes contracts with other organizations for the assignment of so-called generic top-level domains and – here in dispute – second-level domains within the respective top-level domains. For the specific top-level domains specifically assigned by the Applicant, reference is made to Annex AS 1.
By means of the so-called “WHOIS” service, the data collected and stored in connection with new registrations are – for identification purposes – published on a publicly accessible Internet portal.
The Respondent, as a so-called “accredited registrar” of the Applicant, is authorized by contract between the parties to assign second-level domains to a Registered Registrar under a top-level domain assigned by a separate contract.
Clause 3.4 of the contract between the parties, the “Registrar Accreditation Agreement” of January 22, 2014 (abbr.: RAA, Annex AS 4) – on the basis of the translation of the original English-language contract provided by the Applicant – stipulates the following regulations:
“3.4.1 For each Registered Name sponsored by Registrar within a gTLD, Registrar shall collect and securely maintain, in its own electronic database, as updated from time to time: [ ... ]
188.8.131.52 The data elements listed in Subsections 184.108.40.206 through 220.127.116.11;
The subsections referred to in this regard state:
“18.104.22.168 The name of the Registered Name;
22.214.171.124 The names of the primary name server and secondary name server(s) for the Registered Name;
126.96.36.199 The identity of Registrar (which may be provided through Registrar's website);
188.8.131.52 The original creation date of the registration;
184.108.40.206 The expiration date of the registration;
220.127.116.11 The name and postal address of the Registered Name Holder;
18.104.22.168 The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the technical contact for the Registered Name; and
22.214.171.124 The name, postal address, e-mail address, voice telephone number, and (where available) fax number of the administrative contact for the Registered Name.”
Subsection 3.7.2 of the RAA stipulates that the Registrar shall abide by applicable laws and governmental regulations.
On the basis of this RAA, the Respondent, as such Registrar, assigns Internet domains to third parties wishing to register, including natural and legal persons. Up to now, the Respondent, in accordance with the contractual provisions described above, has collected (and stored) – in addition to the contact details of the domain owner – also other personal data, on the one hand for technical and on the other for administrative contact purposes. Now – under the validity of the GDPR recently entered into force – the Respondent announced to the Applicant, when assigning domain names in the future, to collect only the data of the domain owner him- or herself and to refrain from the additional collection of data for technical and administrative contact purposes.
The Applicant is of the opinion that the Respondent was contractually obliged to collect also the data for technical and administrative contact purposes. According to the Applicant, those data were also absolutely necessary for the fulfillment of her purposes. The GDPR recently entered into force is in general no obstacle to that. There is also a need for urgency, because the Respondent had announced that she would now like to change her previous methods.
The Applicant requests that, by way of a preliminary injunction, which is (due to particular urgency) to be issued without prior oral proceedings and by the Chairman in lieu of the trial court, to demand of the Respondent – by threatening her with a fine of up to EUR 250,000.00 – to refrain from offering and/or registering second-level domain names (as ICANN accredited Registrar and with regard to each Generic Top Level Domain listed in Annex AS 1) without collecting the following data of the registrant wishing to register a second level domain name through the Respondent:
Name, mailing address, e-mail address, telephone number and (if available) fax number of the technical contact for the respective domain name;
Name, mailing address, e-mail address, telephone number and (if available) fax number of the administrative contact for the respective domain name.
The Respondent, in the context of the protective claim filed by her, requests that the application for a preliminary injunction be dismissed.
To her mind, the collection (and storage) of personal data for administrative and technical contact purposes violates against the provisions of the GDPR entered into force on May 25, 2018, particularly against Article 5 (1) lit. c) in conjunction with Art. 25 GDPR, and can therefore no longer be admissible to claim this from her – especially as the contested contract with the Applicant also stipulates that the Respondent must comply with applicable law.
For the details of the state of affairs and disputes, reference is made to the application of the Applicant, incl. enclosures, and to the Respondent's protective claim.
Reasons for the decision
The Regional Court of Bonn is responsible for the decision on the application for a preliminary injunction. It is true that the parties have agreed on an arbitration clause in Article 5.8 of the RAA at issue, according to which the following applies:
"For the purpose of aiding the arbitration and/or preserving the rights of the parties during the pendency of arbitration, the parties shall have the right to seek temporary or preliminary injunctive relief from the arbitration panel or in a court located in Los Angeles, California, USA, which shall not be a waiver of this arbitration agreement.”
Derogation with regard to the state court located at the registered office of the arbitral tribunal is, however, not effectively possible in the field of preliminary relief, which is why (also under general rules) the State Court remains to be competent (cf. Higher Regional Court of Cologne [OLG Köln], GRUR-RR, 2002, 309).
The admissible application for the envisaged preliminary injunction had to be dismissed because it proved unfounded. An injunction was not made credible.
It is true that the Applicant can formally rely on the content of the contract concluded with the Respondent, in particular subsection 3.4.1 in conjunction with subsections 126.96.36.199 and 188.8.131.52 RAA; accordingly, in addition to the data of the registrant him- or herself, also the other data about the so-called Tech-C and Admin-C shall be collected (and stored), which corresponded to previous practice method(s) of the Respondent. However, the contract also contains the – generally valid – regulation that the Respondent as a registrar, in turn, has to comply with applicable laws and regulations. Against this background, the Applicant can request from the Respondent compliance with the contract regulations only to the extent that the contractual agreements are in accordance with applicable law, § 242 of the German Civil Code (BGB).
Here, Art. 5 (1) Iit. b) and c) of the GDPR shall apply, according to which personal data shall only be collected for specified, explicit and legitimate purposes (which is undeniably the case, at least partially) (lit. B) and shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (lit. C); therefore, according to the Board, a sufficient need in the above sense has not been made credible by the Applicant – even taking into account Article 6 (1) GDPR.
The fact that the storage of personal data other than that of the domain holder, which are undisputedly still collected and stored, are indispensable for the purposes of the Applicant, the Applicant has not made credible. While it is obvious that more data make identifying and contacting persons behind a domain more reliable than if only one data set of the person responsible for the domain is known. However, the owner of the registered domain name (or still to be registered) is the person responsible for the contents of the website in question, who does not necessarily have to be person-different from the categories Tech-C and Admin-C, in other words, who can unite all those functions.
Insofar as the general interests to be safeguarded by the Applicant are primarily criminal or otherwise punishable or as far as security problems are concerned for which the Applicant is responsible, the Board considers that this need is also satisfied by solely collecting and storing the data of the applicant domain owner who wishes to register (the Board does not understand why for this purpose less data are collected than for the additional categories Tech-C and Admin-C). Moreover, the Board does not understand why, in addition to the data of the main controller, further data sets are required, especially against the background of the principle of data economy. At least in relation to the so-called Tech-C, the Applicant also speaks decisively of the solution of (purely) technical problems which, by their nature, can only be indirectly related to the pre-dominant safety aspects.
It has to be taken into account above all that according to the concurrent arguments of both parties in all three categories, i.e. those of the domain owner himself, of the so-called Tech-C as well as the Admin-C, the same personal data could hitherto be used, which means that with corresponding information only one data set instead of three was collected and stored for the registrant, and that in the past this did not lead to a non-registration of the domain in the absence of data that go beyond the domain owner him- or herself either. However, if this was possible and should continue to be possible, this proves that any data that go beyond the domain owner, i.e. different from his or her person, were not necessary for the fulfillment of the Applicant's purposes either. If they had been necessary in the proper sense, one would not have been able to refrain from collecting (and storing) such data before; on the contrary, a registration would have been made dependent on the content of different data sets and otherwise one would not have granted such registration. Since the choice of the domain owner to provide different contact information for the Tech-C and Admin-C, could actually already in the past be exercised by the registrant him- or herself (which was then not a prerequisite for registration by the Respondent), this leads to the fact that in the future, the registrant can also communicate them voluntarily by means of a consent when collecting and storing appropriate personal data (Art. 6 (1) lit. a) GDPR as well as section 7.2.2 of the RAA) – however, he or she has also before not been forced to do so.
It does not even matter whether the data provided by the Respondent regarding the number of those domain holders, who have not specified different contact details, are correct. Insofar as the Applicant bases her claim on a parallel of the so-called “WHOIS” system on international agreements on trade mark registries, the Board cannot follow this. For the legal bases existing for trade mark registries on the basis of international agreements are missing, as far as the “WHOIS” service asserted by the Applicant is concerned. This is not affected by the fundamental comparability of the respective general need for protection either.
As the first German Court, the Regional Court of Bonn (LG Bonn) had to deal with the new data protection law on the day the GDPR entered into force. The fact that the judges are struggling with this is already clear from the careless use of terminological terms, because the Court appears to be continuing to differentiate various stages in the handling of personal data – as it was done in the BDSG 2009 – and considers itself obliged in this respect to differentiate between the terms “collection” and “storage” of personal data. However, the GDPR does not distinguish between different stages when handling data, but only knows the uniform concept of processing (Article 4 No. 2 GDPR), with which the Regional Court does not even concern itself. Without prejudice to this, it seems that the LG Bonn interprets the principles of purpose and storage as GDPR reforms, which now required a reassessment of the admissibility of the cooperation between ICANN and its designated Registrar under data protection law. Again, this is not true, as the two principles mentioned above have already been inherent in the BDSG 2009 and the Data Protection Directive. In this matter, the applicability of the principles of purpose and storage limitation – contrary to the view of the LG Bonn – does not seem to be an obstacle to the Applicant's request. Since the processing of the personal data of Tech-C and Admin-C is, based on the factual findings, down to a defined, clear and legitimate purpose of ICANN – at least as long as a domain registered and the Tech-C and/or Admin-C for this domain is “responsible” –, this purpose justifies also the processing (and thus the storage) of the personal data of these persons, because the pursuit of this purpose also justifies the processing. The LG Bonn would have done well to go more closely into the actually relevant provision in Article 6 (1) GDPR and the legal foundations of processing that can also be found there, rather than generally denying the justification under Art. 6 (1) GDPR in just a single sentence. In that regard, it should have been taken into account that a total of six legal bases for processing are standardized there, which, with the exception of the consent (Article 6 (I) (a) GDPR), all to a certain extent depend on the “necessity” of the data processing, but which are each evaluated from a different perspective. It seems that the LG Bonn in this case – even if unmentioned – takes into account only the legal basis of Art. 6 (1) lit. f) GDPR (“legitimate interest”) , which it considers to be not given or present here; this, too, is inappropriate. In general, any interest recognized by the legal system, which may not be outweighed by the rights and freedoms of data subjects, is regarded to be a legitimate interest. However, such an overriding interest would have to be carried forward and made credible by the Respondent, not by the Applicant, who – as it has been evidenced – asserted and presented a legitimate interest. Why this should be subject to the interests of the persons affected by the processing (here: Admin-C or Tech-C) has neither been submitted by the Respondent, nor has it been proven by the LG Bonn. This is not obvious either – given the fact that Admin-C or Tech-C are considered liable in exceptional circumstances. The LG Bonn is in this regard of the mistaken, but common opinion that the GDPR prohibits all data processing and requires a strict prevention of processing operations that do not appear to be obviously useful; however, this is not the case. It is therefore to be hoped that the Applicant will – as already put forward – take the path to the Court of Appeal, giving the Cologne Higher Regional Court (OLG Köln) the opportunity to make the necessary assessment.
Dr. Robert Kazemi, German Lawyer and Partner of Kazemi & Partner Rechtsanwälte PartG, Bonn, www.medi-ip.de