
German court issues first GDPR ruling - marichards
https://www.natlawreview.com/article/german-court-issues-first-gdpr-ruling
======
davidgould
The Register had an item about this recently [0]. If you read the whole thing
and follow the links to the earlier articles it's somewhere in the uncanny
valley between fascinating and horrifying. ICANN is a deeply conflicted
organization. Basically they have been on notice about this since 2003 and
have done nothing. As of now, they don't have a plan to resolve this. ICANN
and any registrar with EU customers providing the whois service are non-
compliant with the GDPR. So the EU based registrars have stopped and ICANN is
sueing to force them to continue.

eta: One of the big reasons ICANN can't do the sensible thing and just
discontinue whois is that it is heavily influenced by the big copyright
corporations who presently can start enforcement against a domain by lookup in
whois. Once whois is gone they will have to use legal process to compel
registrars to reveal the identity of domain owners.

[0]
[https://www.theregister.co.uk/2018/07/06/europe_no_to_icann_...](https://www.theregister.co.uk/2018/07/06/europe_no_to_icann_whois/)

~~~
ckastner
> ICANN can't do the sensible thing and just discontinue whois

Note that this is not about discontinuing WHOIS, but discontinuing the
collection of the "technical contact" and "administrative contact".

The domain owner's data are still collected, and this collection is still
being carried out by the registrar without dispute (page 3, last sentence).

The argument is that if ICANN needs to contact someone with regards to a
specific domain, contacting the domain owner should be sufficient, so ICANN's
argument that they "need" the Tech-C and Admin-C aren't valid.

The court agreed with that, but note that at this point, this is only about a
preliminary injunction.

~~~
merb
well you basically can write everything into Tech-C and Admin-C and you would
still get a valid domain.

~~~
ckastner
While factually correct, I assume that one is contractually obligated to
provide valid details, and then, not doing so would then be a breach of
contract.

~~~
TheSpiceIsLife
You can't be contractually compelled to do something illegal.

~~~
ckastner
Yep, and that's the argument that the registrar made in this case, and the
court agreed.

Edit:

Well, technically, the court agreed that you cannot be _compelled to_ provide
this information.

However, I don't see why not one could _voluntarily_ provide this information,
in which case providing invalid information would still probably be a breach
of contract.

~~~
merb
Well what's the problem of providing an Tech-C Email and an Admin-C Email and
fill the other values with "technically" correct values. i.e. Name: Personal
Blog Administrator Email admin@example.com

the other information could be empty
[https://whois.icann.org/en/lookup?name=google.com](https://whois.icann.org/en/lookup?name=google.com)

------
bkor
For .nl, the whois information for individuals is hidden except for a)
interested parties (manually approved) b) investigative/enforcement
authorities c) CAs (need to validate ownership). It's all explained in English
at [https://www.sidn.nl/a/nl-domain-name/sidn-and-
privacy?langua...](https://www.sidn.nl/a/nl-domain-name/sidn-and-
privacy?language_id=2)

The organization handling .nl, SIDN, has worked like this for a pretty long
time. It's pretty much a solved problem. The data is available, just not to a
lot of people.

------
belorn
Since the core issue is about registered domains for natural persons it
becomes a bit unclear what administrative and technical contact would mean in
the context of this lawsuit. Most registries that I have to work with do not
use those fields or have hijacked those for their own local purpose (such as
local presence). ICANN however only accredit registrars for a few of the
generic TLDs so there doesn't seem to be any meaningful reason to have
administrative and technical contact for natural persons. Those that do fill
in those fields anyway usually just copy the data from the registrant fields,
or put the registrar data in as administrative and/or technical contact.
Neither adds anything meaningful to whois.

When the registrant is a company it make sense to have admin and technical
contact but then good practice for the last decade is to not have natural
persons in those fields. If John Doe leaves the company then its a major pain
to change contact information for 100+ domains, so from a pure practical
reason it is better to have a company, role and the company address in the
fields (except when local policy for each of the country code top-level domain
demand something else). That information is naturally not protected by GDPR.

------
ape4
Like most Hacker News users, I have a bunch of domains. I'd be happy if my
personal info wasn't in whois.

~~~
majewsky
As a German who owns domains, I don't really know if who is changes anything.
The German Telecommunications Media Act (Telemediengesetz) requires website
operators to publish an imprint including snail-mail contact info.

I'm not gonna link it here to not push it up in SERPs, but my blog is linked
in my profile and the imprint is linked there.

~~~
raverbashing
Commercial website operators, no?

One thing that "would be funny" would be having the contact information show
up only for IPs from Germany

~~~
Tomte
„Commercial“ in German would be „geschäftlich“ or „beruflich“, but the word
used in legislation here is „geschäftsmäßig“ which probably also translates to
„commercial“, but maybe better as „in the style of a business“.

The word has been chosen specifically and distinctly in this field of law so
it can mean something specific, not the run-of-the-mill meaning of
„commercial“.

You show ads (or Wordpress does for you in the free offering)? Geschäftsmäßig.
For certain.

You have a web site with information that is interesting to many people (maybe
how to repair bikes)? Geschäftsmäßig. Very probably.

You have a photo gallery of aunt Mary‘s 80th birthday. It‘s password
protected, and you share the password only with family. Everyone else only
sees the link text „Aunt Mary‘s birthday“ and noth8ng more? Not
geschäftsmäßig. For certain.

Everything between examples two and three? Uncertain. Assuming
„geschäftsmäßig“ is a good idea.

~~~
raverbashing
Ah I see, thanks for the explanation.

Privacy in Germany seems to be complicated, in one way some things are much
more private, but you can't have a website without a mailing address.

~~~
wsy
Yes, you can, for personal purposes, as explained above.

------
mikekchar
Interesting that the first case deals with an injunction to _comply_ an EU
company to collect information -- not to punish a company from collecting
information. I'm actually very surprised that ICANN even tried to do this as
it looks like a slam dunk defence. I'll be interested to see the result of the
appeal.

~~~
ocdtrekkie
What this article may miss, is that ICANN's lawsuit isn't exactly hostile:
[https://www.icann.org/news/announcement-2018-05-25-en](https://www.icann.org/news/announcement-2018-05-25-en)
and [https://www.epag.de/en/tucows-statement-on-icann-legal-
actio...](https://www.epag.de/en/tucows-statement-on-icann-legal-action/)

The lawsuit was filed in order to get an official legal answer on the books as
to how Whois data should be handled for GDPR. The easiest way to get actual
precedent on the matter is to sue someone over it.

~~~
hn_throwaway_99
I don't think I came to the same conclusion you did after reading those 2
articles. While you say the lawsuit "isn't exactly hostile", I think it isn't
exactly "friendly" either, and it's not like ICANN is neutral and just looking
to the courts for guidance. I don't think ICANN is pleased with this ruling,
at all.

ICANN clearly wants to preserve the requirement around personal details in
Whois data, while Tucows pretty much thinks that requirement goes against the
spirit of GDPR. From your second link:

> ICANN’s goal, since discussions about the impact of the GDPR on domain
> registration began, has been to preserve as much of the status quo as
> possible. This has led ICANN to attempt to achieve GDPR-compliant domain
> registration via ‘process reduction’, as opposed to Tucows’ approach of
> starting with the GDPR and rebuilding from the ground up.

~~~
JumpCrisscross
> _ICANN clearly wants to preserve the requirement around personal details in
> Whois data_

They may just not want to get sued by the MPAA _et al_ over facilitating
copyright infringement. Without WHOIS, pursuing rogue domains gets harder.

~~~
guitarbill
We're not talking about no WHOIS, we're talking about reducing the number of
WHOIS contacts, and not publishing WHOIS information for everybody to see it.
Which yes, would means now you need e.g. a court order first before you'd get
that information. So I guess "pursuing rogue domains gets harder" is one way
to put it, or more legally correct another.

For law enforcement this isn't a problem. For scummy copyright lawyers looking
to make a quick buck, maybe it is. Guess which of those funds ICANN? And how
exactly would not making WHOIS info public "facilitat[e] copyright
infringement"? Nobody is buying it.

------
phobosdeimos
Poor internet. Designed to survive atomic wars. But can it withstand lawyers?

------
Joky
I'm curious (and ignorant): how can Europe fine an organization like ICANN? I
can imagine that they can forbid them to do any business in Europe if they
don't pay their fine, anything else? If it come to this, what does it mean for
registrar in Europe?

~~~
samdoidge
It's arrogance; see the Brexit negotiations for more examples of this.

~~~
oblio
Do you have any examples?

~~~
samdoidge
[1]
[https://www.scmp.com/news/world/europe/article/2109958/brexi...](https://www.scmp.com/news/world/europe/article/2109958/brexit-
was-stupid-decision-it-would-be-arrogant-intervene-eu)

[2] There has been little if any compromise in the negotiations from the EU
side, and much from the UK.

~~~
oblio
1\. I'm not sure it's arrogance. The EU is big, the UK is comparatively
smaller, guess what happens in a divorce? :)

2\. See 1. Also, there have been compromises, the UK wants to get unicorns.
Full access to the single market yet no freedom of movement...

~~~
samdoidge
> The EU is big, the UK is comparatively smaller, guess what happens in a
> divorce? :)

A divorce seems an odd comparison to choose, but the UK has a large trade
deficit with the EU. If the UK leaders had a backbone, they would walk away or
be tougher in negotiations.

> 2\. See 1. Also, there have been compromises, the UK wants to get unicorns.
> Full access to the single market yet no freedom of movement...

Do you have any examples?

Why should the idealogical idea of freedom of movement be linked to an
economic market? This is an EU idea, and the separate of the two is not a
unicorn. See: other trade agreements.

~~~
Symbiote
> Why

> This is an EU idea

I think you answer your own question. It's a founding principle of the EU.

~~~
samdoidge
Yes, it is. My intention was to highlight that the separation of these
concepts is not a 'unicorn'.

~~~
oblio
The EU is willing to negotiate a trade agreement. The UK wants that trade
agreement to include full access to the Single Market, without freedom of
movement. That's an unicorn.

------
kilburn
Related, with some insights (3 months ago):
[https://news.ycombinator.com/item?id=16856090](https://news.ycombinator.com/item?id=16856090)

------
brainwad
The judgement seems to rest on whether collecting data is necessary for the
business. But what place is the judge in to decide that? Isn't the fact that
ICANN demands the data from registrars good proof that it is necessary to
EPAG's business?

~~~
sobani
Then go one level deeper: why is this data necessary for ICANN?

If you there is no good reason, then there's also no good reason for EPAG to
collect this information.

------
alexmorse
This seems like the worst first take possible for a policy that otherwise
seems to have good intentions.

Basically this is pedantry around something that completely does not matter.
Every major registrar already provides mechanisms for hiding this info from
the general public should you choose to do so.

Seems like lawyering for lawyering's sake. When can we get rid of that?

~~~
roderickm
As much as I appreciate the privacy-first aims of the GDPR, I think that at
some point it collides head-on with property records.

Privacy and property rights are interconnected: after all, what is privacy but
the right to do with yourself and your property as you see fit without outside
observation/interference?

These rights are sometimes at odds with each other: can you really own
property if your ownership is not publicly recorded/recognized?

~~~
wsy
Is the balance of your bank account recorded publicly? So it seem there is no
need for a public record.

And GDPR does not prohibit voluntary owner entries into a central whois
directory, it just prohibits transferring personal data without consent.

