E18: ICANN Loses First GDPR Court Ruling in Germany

In this episode of the “Are You DataSmart?” podcast, the Ward brothers discuss the first court ruling on GDPR that went against ICANN, the non-profit domains platform that powers the internet. What is so fascinating about this first decision is that it specifically puts “data minimization” on display. It isn’t a theory anymore!



Jay: “Are You Data Smart?” A weekly podcast on data security, information management, and all things related to the data you have, how to protect it, and maximize its value. I’m Jay Ward.

Christian: And I’m Christian Ward. Today, we’re going to tackle the first ruling on GDPR that, Jay, went against ICANN, ICANN being the internet corporation for assigned names and numbers. That’s the non-profit organization that basically oversees all the assignment of both IP addresses and domain names. They handle all the TLDs or top-level domains across the web. And it’s really a consortium, Jay, of a lot of different companies. Principally a network of registrars and resellers that take the, you know, or provide the service by which if you go to GoDaddy, or Name.com, or Domains.com and start to purchase a domain, I normally run into these guys when I’m looking up a website that I’m may wanna try and buy the domain of and then click into their WHOIS system. The WHOIS system allows for us to see, sometimes not all the time, the person that was responsible for purchasing the domain, the company, and usually contact information around the admin, so I can admin contact as well as a technical contact. The only times you don’t really see that or when you have someone that purchases as many people do the privacy services through a reseller, or through a registrar like GoDaddy. So in that case, the data doesn’t really show up and you can’t tell who is to use the phrase behind the domain.

Jay: Yeah, so the interesting issue here is ICANN has been using the WHOIS directory forever and it’s sort of a mainstay of the internet. If you want to know who is the owner of website, who’s the registrant, you just go here. It’s all compiled in one place and it’s been a boon to people looking to expand businesses or to do direct marketing, but also to law enforcement. They use WHOIS a great deal when trying to sort of track down internet-based activity. And even before the GDPR came out, ICANN was sort of concerned about the applicability of GDPR’s requirements for the data that it possessed and the data that it processed because what’s at play here is the concept of data minimization. And that’s one of the real principles that underlie the GDPR, it’s one of the most important concepts to understand, which is, if you don’t have an actual demonstrable need for an individual piece of data, why do you have it? No reason to keep it if you’re not using it for a purpose that’s necessary to the services that you’re providing.

Christian: But wait, before we get to data minimization because that’s definitely the punch line of this thing and the most, not necessarily scary, but the realization that’s coming out this ruling, let’s back up and tell me a little bit about…because it was actually ICANN going after and trying to get sort of an affirmative injunction against Egad who is one of the registrars. Can you give us some of the backdrop against what this ruling was based upon?

Jay: Sure. So the way that the registration system works is that the registrar will take information in from a registrant, an individual person trying to, you know, start up a website and some of the information that’s collected includes the administrative and technical contact point for the company that’s forming the website. That’s in addition to the information for the owner of the website, so you’ll have the registrant, but then they wanted all of this other information. And Egad, E-G-A-D, which is a registrant in Germany said to ICANN, “Look, we’re not going to do that anymore. We don’t need that data. All we need is the data on the actual registrant of the website, that should be enough.” And ICANN said, “No, that’s not enough. We’ve been doing this forever.” And ICANN filed a lawsuit in federal court in Western Germany, in Bonn, actually used to be the capital of West Germany. And they asked for an injunction requiring Egad to continue to provide this data, to collect it, and to put it into the registration database.

Now, that’s interesting because getting an injunction, a preliminary injunction in this way, is just about one of the most difficult things you can do in the law. Because to win on an injunction, you not only, and this is the case in the U.S., but also in Germany, you have to show a reasonable likelihood of success on the merits, and you have to show that there’s an urgency associated with it. And so in this situation ICANN not only needed to have shown this needs to happen immediately, they also had to show we’ll likely win based upon our interpretation of the GDPR.

They filed this the week after the GDPR went into effect and the ruling came out earlier this week. So, you know, we’re talking about a very expedited timeline, that’s the way injunctions go. They’re very fast-moving things. So this scenario where ICANN was basically saying no, you must continue to collect this information, from a legal perspective is interesting for two reasons. Number one, that’s a tough thing to win on and number two, it required a court for the very first time to interpret the provisions of the GDPR. And so those are two reasons why this is such an interesting case.

Christian: Yeah, and I mean, hell man, I can’t get my kids to continue to clean their room every day, so to get another company or organization actually continue to do something sounds very difficult. Obviously, most of the time we think of injunctions we think of it ceasing an activity, but to continue an activity is certainly a higher bar. I understand why that would be so difficult. The other thing that was fascinating about this is anyone out there that’s registered your own domain and taking a look at, you know, setting up domains or multiple domains, many times you’ll find that you are the person purchasing the domain with the initial data, but then you just fill in your name, and number, and address contact into details for the technical as well as the admin role. And that was one of the findings that the court had, which was kind of interesting that generally if it’s possible in all of these mandatory fields in the forms as you’re filling them out, if it’s possible to use the same name, number of contact, and home address all that for the same 6 or 12 fields, they basically took a stand of like look, this is obviously not such unique data that you are absolutely needing it to continue to provide the service.

Jay: Yeah, this is something the courts do a lot which is they find the narrowest grounds possible to rule on. And in this case, the conclusion that the court reached was that it’s not absolutely necessary to get the admin c [SP] and tech c [SP] that the contact information for those fields because ICANN allows you to just put in the main registrant’s name anyway. So it sort of was in the courts view much ado about nothing. If you don’t absolutely need this, then what’s the big deal? You can get along without it. And so, you know, it doesn’t hurt Egad that the standard of review in the situation was in its favor, but under the circumstances, it was very interesting to see that as the reasoning that the court gave, because it was a direct construction, a direct interpretation of the GDPR and that’s when we get to the minimization principle.

Christian: Yeah, so minimization in this case, and this I think, is pretty fascinating, because when we look at online forms, anything, it doesn’t matter what you’re purchasing, signing up for newsletter, signing up to get a free business credit report, or a business evaluation, or a free social score analysis, most of those platforms ask for a lot of content. And the number of mandatory fields that are out there, now, look, for every one of us that have worked in marketing and conversion, conversation ratios and things like friction, we try to minimize just because we know fewer fields probably means more signups. But a lot of times it also means more crap signups, meaning people or bots that are signing up for something that isn’t really good data.

But from this perspective, do you think this sort of opens the door, when we think about data minimization, to courts interpreting what you really need in order to provide a service from a data perspective? Because, you know, I look at this going, wow, every newsletter, “The Wall Street Journal”, “Barron’s”, anything I’ve signed up for in the past, have 12 mandatory fields. Really all they need is my email address. So what do you think that sets us up for?

Jay: This is an interesting aspect of this case, because it was filed and there was no involvement from the German Data Protection Authority. This was just a purely legal case, so you don’t get the sort of not as formal regulatory process by which a Data Protection Authority will say, “Okay, here’s what we think is right. Here’s what we think is wrong. We think you really need to do this, we think you don’t need to do that, remediate.” This is just a straight interpretation of the law, which means that there’s going to be, in European member states, a dual approach to what it means to be using data in a way that’s necessary. And those things can conflict. So imagine this example, you’re a company that operates in the United Kingdom, and so you are subject to the regulation of the ICO and you’re also, of course, subject to the jurisdiction of the courts and parliament.

Well, your business model states that you need to collect five individual data fields, name, address, birth date, government-issued ID number, and credit card number. Your competitor has seven. In addition to those two fields they also have, you know, health-related information and tracking, personal tracking, so they’re seeing where you are in real time. You may in a litigation in court be told that all five of your data fields that you collect are appropriate and necessary for the services that you render, the ruling from the ICO, the Data Protection Authority, might be that not only are the tracking data and the health data that your competitor collects not necessary to the service that they provide, which is just like yours, but neither is the home address or the government issued ID.

Well, whose guidance do you follow in this situation? You got a binding ruling from a court saying that you’re fine, but you now have guidance from the ICO saying that what you’re doing is not appropriate. These types of divergences in the law create huge headaches. And in the United States, we see this situation sometimes when multi-net, you know, companies that operate across all 50 states are subject to multiple requirements, because the U.S. Court of Appeals for the First District in Boston said something entirely different from the U.S. Court of Appeals for the Ninth Circuit in San Francisco. And so do you need to have different rulings and different operational requirements in Massachusetts and California? Well, probably, until the Supreme Court steps in and resolves it, if they do. These are the kinds of problems that arise when two separate lines of authority have the ability to interpret the same law, and the law itself gives a lot of leeway and a lot of requirement for interpretation.

Christian: Well, it’s also a little bit concerning when we think about the United States. Obviously, we don’t plan on seeing necessarily federal oversight of data privacy or concepts around data minimization or anonymization. But I think from a business perspective, what is so concerning about this to me is that we are stating that various courts, various jurisdiction or regulatory authorities are going to opine on my business as to what is absolutely necessary for me to provide the service. And look, while I think that there are a lot of good things coming from this, this data minimization concept literally flies in the face of almost, I don’t know, 50 years of data collection practices when people would originally show up to your front door with a clipboard and ask you 50 questions, they try to get as much data as they could.

And now that could be rendered illegal under the GDPR. That’s not necessarily just scary, it’s one of those situations where if it’s different and varies from jurisdiction to jurisdiction, or region, or country to country, how does a business build a global data platform? I mean, I think of the fact of now, we certainly have country codes and we have browser codes that can let us know what country you are coming in from, but to literally have to build multiple versions of an entry form where the mandatory field, usually denoted by an asterisk, appears and disappears based upon prior rulings, that can be very, very messy.

Jay: Or impossible to do. I mean, you can’t have that many versions of your website running, it’s just not practicable. I think the interesting thing here is that data minimization as a principle is one that’s easy to understand, and in some ways makes sense. You only keep that what you need, you don’t need to be processing all of this additional…

Christian: And I agree with that. I think there’s a real, real good reason for that, but it’s sort of gone.

Jay: No, but of course, I mean, that can make sense, but there’s also a lot of value to be had in additional data, so it’s a balancing act. But the application of data minimization in a perverse way, is going to create a massive amount of data in the form of legal requirements. Because we’re talking about the balkanization of the law into, you know, the jurisdictional and sub-jurisdictional rulings. We’re seeing it already in the United States, you know, California has its own approach to data security, it’s becoming a little bit more stringent. Vermont just, you know, enacted their new law related to data brokers, Alabama finally created a data breach notification law, they were the 50th state to do so. But every state is taking a different approach because there’s no guidance from the federal government.

In Europe, we have the opposite situation where there is a clear set of guidance that emerged from Brussels, but there’s going to be so many different ways of interpreting it and applying it. You may operate in five different European countries and you could get five different rulings in each country, and two different rulings within each country based upon the courts there and the data protection authorities there. So there is a multiplicity of jurisdictional problems that are posed by the GDPR. In this case it may seem small, this is just the first one of them. And you need to be watching this because even if it seems confusing and wrong, this is still the law that’s going to apply to you.

Christian: Yeah, it’s a fascinating case to be the first one ruled obviously by the courts. I think there’s a lot to be learned from this that we are only seeing the beginning of how courts and various nations will deal with the concept of data minimization. And because it is so drastically different, I think it’s something that all companies, all businesses really need to start thinking about, you know, having loyalty programs and other platforms where you ask a bunch of data about people’s interests or other things so that you can later use that information or that data. Which, quite frankly, is one of the reasons why I really question why ICANN, at all, really cares.

If we know that the administrative and technical contact is either anonymized anyway through a registrar, or a reseller, or it’s common, that’s the same name as the person that, you know, bought the website or the domain to begin with, you know, it’s kind of interesting. They’re probably utilizing that data, and I don’t know for sure, but I certainly get a lot of marketing from different platforms when I look for various domains. So I wonder if some of that data once I’ve registered puts me on a marketing list that’s shared back with registrars, so I could see them being interested in that. Knowing every technical contact at, you know, 7 billion websites isn’t a bad business model if you’re allowing that through your non-profit to go back to the registrars to boost their business.

But, you know, that being said, I think the concept that we have to deal with here is that minimization is real. It’s something companies have to be ready to deal with. I think it’s highly likely we can see this as sort of mandatory fields under attack, but I think there’s also, like we said, some really valid reasons for a minimization and it’s gonna be a balancing act. I don’t think there’s gonna be a clear cut path, companies need to start thinking about this now, how can they build a data architecture that does not completely rely upon fields which are obviously not absolutely necessary to conduct the business, and don’t build sort of pitfalls and cliffs into your platform. Because that’s what I view that Egad is really causing trouble for ICANN. They’re essentially now gonna send them 7 or 10 less fields than they had been before and that could present them with a structural problem in their database that they’re not prepared to handle.

Jay: Right. Yeah, I think the lesson here is when you’re thinking about the data that you take in, you need to do a cost-benefit analysis. And one thing to remember is that if the data is valuable, but it’s risky, that analysis needs more than a cursory review.

Christian: Absolutely. Well, thank you everybody for listening to this episode of “Are You Data Smart?” We look forward to talking to you next time.

Leave a Reply