German court issues first GDPR ruling (natlawreview.com)
265 points by marichards 9 months ago | 81 comments

The Register had an item about this recently [0]. If you read the whole thing and follow the links to the earlier articles it's somewhere in the uncanny valley between fascinating and horrifying. ICANN is a deeply conflicted organization. Basically they have been on notice about this since 2003 and have done nothing. As of now, they don't have a plan to resolve this. ICANN and any registrar with EU customers providing the whois service are non-compliant with the GDPR. So the EU based registrars have stopped and ICANN is suing to force them to continue.

eta: One of the big reasons ICANN can't do the sensible thing and just discontinue whois is that it is heavily influenced by the big copyright corporations who presently can start enforcement against a domain by lookup in whois. Once whois is gone they will have to use legal process to compel registrars to reveal the identity of domain owners.

[0] https://www.theregister.co.uk/2018/07/06/europe_no_to_icann_...

It does seem like ICANN are delusional idiots. Even their own Non-Commercial Stakeholders Group disowned them when they asked for a moratorium on GDPR: [0]

> We do not believe a moratorium on enforcement of the law should be granted to ICANN.

[0] https://www.icann.org/en/system/files/files/gdpr-comments-nc...

> It does seem like ICANN are delusional idiots.

Oh yes. I followed the link I gave and read all the linked articles and some of their links and some of the comments on it all. It's quite extraordinary and hilarious.

> ICANN can't do the sensible thing and just discontinue whois

Note that this is not about discontinuing WHOIS, but discontinuing the collection of the "technical contact" and "administrative contact".

The domain owner's data are still collected, and this collection is still being carried out by the registrar without dispute (page 3, last sentence).

The argument is that if ICANN needs to contact someone with regards to a specific domain, contacting the domain owner should be sufficient, so ICANN's argument that they "need" the Tech-C and Admin-C aren't valid.

The court agreed with that, but note that at this point, this is only about a preliminary injunction.

This misses the main privacy point. The registrar is the "data controller" and has to disclose and get consent for any use of the information collected including the domain owner identity other than what is required for registering the name. So without consent they cannot disclose or publish information about the domain owner. Which pretty much kills the whois service.

Well, you can basically write anything into Tech-C and Admin-C and you would still get a valid domain.

While factually correct, I assume that one is contractually obligated to provide valid details, and then, not doing so would then be a breach of contract.

You can't be contractually compelled to do something illegal.

Yep, and that's the argument that the registrar made in this case, and the court agreed.

Well, technically, the court agreed that you cannot be compelled to provide this information.

However, I don't see why one could not voluntarily provide this information, in which case providing invalid information would still probably be a breach of contract.

Well, what's the problem with providing a Tech-C email and an Admin-C email and filling the other values with "technically" correct values? i.e. Name: Personal Blog Administrator, Email: admin@example.com

The other information could be empty: https://whois.icann.org/en/lookup?name=google.com

> that it is heavily influenced by the big copyright corporations who presently can start enforcement against a domain by lookup in whois

Why am I not surprised that it's again the copyright leeches that are lobbying to make everything worse? Somehow it seems that they are the most prominent anti-consumer lobbying group these days.

>> Once whois is gone they will have to use legal process to compel registrars to reveal the identity of domain owners.

Well, sounds like the way it is supposed to work... Besides, the ones they are trying to get with it have TLDs without a whois requirement, are at Cloudflare or use onion services altogether.

I don't doubt that the things you mention are dimensions here, but:

a) non-US organizations/governments have been critical of US hegemony over internet policy for some years - this also is a good way to attack that

b) various multinational treaty organizations have been attempting to create agreements where cross-jurisdictional legal actions are valid but haven't been very successful (see also TTIP) - some provisions in GDPR are another instance of this pattern, and would appear relevant here

c) logically, hiding website ownership also benefits large media entities as it facilitates a way to obscure ownership information across many domains, potentially making them appear more independent than they actually are

Disclaimer: I don't have direct insight on any of this.

I think you're muddying the waters unnecessarily here.

c) This doesn't stand up on closer examination. It was already possible if you had the money, using shell/holding companies and the various privacy guard options registrars offer. Besides, GDPR is mainly about individuals' privacy.

b) Maybe true, but irrelevant. There are plenty of domain registrars operating in Europe, which have to comply with European laws anyway.

a) Absolutely, and fair point. However, ICANN's behaviour shows they were right to criticise this artificial hegemony over shared or national critical infrastructure (e.g. country- or region-specific TLDs).

15 years to do something and do it wrong? Seems in line with every other registrar worldwide.

> One of the big reasons ICANN can't do the sensible thing and just discontinue whois is that it is heavily influenced by the big copyright corporations who presently can start enforcement against a domain by lookup in whois. Once whois is gone they will have to use legal process to compel registrars to reveal the identity of domain owners.

Doesn't WHOIS typically just show the registrar anyway?

For .nl, the whois information for individuals is hidden except for a) interested parties (manually approved) b) investigative/enforcement authorities c) CAs (need to validate ownership). It's all explained in English at https://www.sidn.nl/a/nl-domain-name/sidn-and-privacy?langua...

The organization handling .nl, SIDN, has worked like this for a pretty long time. It's pretty much a solved problem. The data is available, just not to a lot of people.

Since the core issue is about registered domains for natural persons, it becomes a bit unclear what administrative and technical contact would mean in the context of this lawsuit. Most registries that I have to work with do not use those fields or have hijacked them for their own local purpose (such as local presence). ICANN, however, only accredits registrars for a few of the generic TLDs, so there doesn't seem to be any meaningful reason to have administrative and technical contacts for natural persons. Those that do fill in those fields anyway usually just copy the data from the registrant fields, or put the registrar data in as administrative and/or technical contact. Neither adds anything meaningful to whois.

When the registrant is a company it makes sense to have admin and technical contacts, but then good practice for the last decade is to not have natural persons in those fields. If John Doe leaves the company then it's a major pain to change contact information for 100+ domains, so for purely practical reasons it is better to have a company, role and the company address in the fields (except when local policy for each of the country-code top-level domains demands something else). That information is naturally not protected by GDPR.

Like most Hacker News users, I have a bunch of domains. I'd be happy if my personal info wasn't in whois.

As a German who owns domains, I don't really know if whois changes anything. The German Telecommunications Media Act (Telemediengesetz) requires website operators to publish an imprint including snail-mail contact info.

I'm not gonna link it here to not push it up in SERPs, but my blog is linked in my profile and the imprint is linked there.

I think it is at least a slight difference, if it is possible to collect data about many domains in one place, or if you have to visit each and check out the notice in the impressum.

Also sitting hacker jeopardy champion, huh? Nice :)

In reality, though, the problem only gets slightly different. Addresses are relatively uniform, and easy to match with a regexp (especially if you do not care about a few false positives).

That being said: No, you cannot just hide the address in an image - that would be illegal (the imprint information needs to be "easily parseable").

There is a need for a proxy service, and indeed, they do exist. Just not usable for most people.

Such a service enters a contract with the domain owner to forward (or scan and mail, or shred, or whatever) everything (or only non-spam) that is sent there.

The law is happy, because that is your address now, and failure to forward is something between you and the service you used; you bear all responsibility wrt the sender.

The author of a popular novel writing application offers that for his customers, as many write under a pen name and don't want their name to be publicly known.

Other than that... nothing. You could employ a lawyer, but that would be expensive. You could get one of those „hire a post box“ services, but again, too expensive if not really used for business.

Some registrars offer that, but not for .de domains.

> You could get one of those „hire a post box“ services, but again, too expensive if not really used for business.

They're not too expensive, at least in the US. I have an extra-small PO box, and it costs the equivalent of $7 a month if rented yearly. Besides domain registrations, I've also used it as my mail forwarding address when moving, to help shake off junk-mail senders.

Commercial website operators, no?

One thing that "would be funny" would be having the contact information show up only for IPs from Germany.

„Commercial“ in German would be „geschäftlich“ or „beruflich“, but the word used in legislation here is „geschäftsmäßig“ which probably also translates to „commercial“, but maybe better as „in the style of a business“.

The word has been chosen specifically and distinctly in this field of law so it can mean something specific, not the run-of-the-mill meaning of „commercial“.

You show ads (or Wordpress does for you in the free offering)? Geschäftsmäßig. For certain.

You have a web site with information that is interesting to many people (maybe how to repair bikes)? Geschäftsmäßig. Very probably.

You have a photo gallery of aunt Mary's 80th birthday. It's password protected, and you share the password only with family. Everyone else only sees the link text „Aunt Mary's birthday“ and nothing more? Not geschäftsmäßig. For certain.

Everything between examples two and three? Uncertain. Assuming „geschäftsmäßig“ is a good idea.

Ah I see, thanks for the explanation.

Privacy in Germany seems to be complicated, in one way some things are much more private, but you can't have a website without a mailing address.

Yes, you can, for personal purposes, as explained above.

One thing I don't understand about this, is what practical means does the state have of enforcing this? Why don't people just ignore this law?

Many private people ignore it. Theoretically there is an office that can fine them, but why should they?

It gets interesting when you're in any way, shape or form having a business (even a non-profit or a club, anything that is not personal). Suddenly there are other organizations that can be seen as competitors (another freelance designer, another sports club in town etc.).

And now you're not being fined by the state, you're being sued by other private parties. Because that's unfair business practices. You're not following the law, so you have an illicit advantage.

Basically any website which is not strictly private (which courts ruled to be something like a family photo album); a (personal) blog is by their definition targeted at a wider audience.

"Commercial" has a different definition in Germany and really, in much of Europe.

At least in the Netherlands, I'm not aware of any requirements for 'commercial' web sites. If they exist, they are not enforced.

Typically it is mostly the tax office that cares about your commercial activities: if you sell stuff, they may want you to collect VAT. If you have regular income from those activities, you have to pay income tax, etc.

They'll be bound by the EU "E-commerce" and "Distance Selling Regulations" directives assuming they've been ratified, they're quite old (well over a decade) so I doubt they're not nationally implemented.

I'm not an expert, but it seems that this is about actually selling something. In addition, if the item is sold by a private person who is not acting in any professional capacity selling then it doesn't apply.

So my naive reading is that having ads is fine, because you are not actually selling something. Having professional information and getting paid is also fine. Having a hobby and occasionally selling something as part of your hobby is fine.

I thought about this. I write about my own tech adventures on my blog, and I'm also working in tech, so I figured a lawyer could construe this as being a commercial website, even though I have not (as of this date) written about my paid work on my blog.

website != domain

Sure, but the vast majority of people who purchase domains do so to put up websites.

Yes, but that piece of German legislation is (IIRC) specifically concerned with websites and not domains so has nothing to do with whois - which I think is the previous poster's point in distinguishing between the two. It does not dictate putting correct (or any) information in whois, nor does putting correct information into whois data satisfy (or otherwise release site owners from) its requirement to include correct contact details on your site if it has any commercial nature.

It's concerned with publishing, because that's where it originally comes from, centuries ago. People distributing newspapers, and earlier, flyers and pamphlets needed and still need to name a responsible person.

This person sometimes gets called, ironically, „Sitzredakteur“. „Sitting editor“. Not because he is currently the editor, as in „sitting president“, but because he's the one who is going to sit in prison.

It changes a lot. Content creators want an API to quickly check who owns the domain that violates their copyright and without citing legal reasons to do it. Having it done through snail mail changes the game entirely.

There's EU legislation requiring businesses (including sole traders) to publish an "address for service" on their website. It comes from the E-commerce Directive 2000/31/EC IIRC.

Some of the registrars I use have announced free-for-life WHOIS protection to appease the GDPR. When I recently checked my domains, none provided real contact information except for my .CH domains (yay Switzerland).

Use Njalla (https://njal.la) to have privacy from whois services

This is about Admin-Contact and Tech-Contact, not the Owner part of WHOIS.

It is also about not publishing the owner part of whois. Private persons' names will have to be hidden under GDPR.

That's not due to the GDPR.

The GDPR is about informed consent. Do you want a domain? Yes. Great, now we need your name, and we'll put it into the WHOIS. Do you consent? Yes. Great, here's your domain. No! Okay, then you might try a different TLD, that doesn't require WHOIS publication.

The part that, under the GDPR, is very much up to the courts is whether WHOIS publication is necessary for the function of the domain. Because if not, then it can be argued that it's an undue burden and it should be a separate thing, so the lack of consent for it must not mean domain registration rejection. However, ICANN thinks differently about the issue.

> whether WHOIS publication is necessary for the function of the domain

It is not (e.g. see the paid privacy guard services), and the article 29 working party (WP29) has been telling them this since 2003. ICANN has been ignoring it for 15 years. Until now, there was no way to enforce that. And now they reap what they sowed, with registrars stuck in the middle.

Interesting that the first case deals with an injunction to compel an EU company to collect information -- not to punish a company for collecting information. I'm actually very surprised that ICANN even tried to do this as it looks like a slam dunk defence. I'll be interested to see the result of the appeal.

What this article may miss, is that ICANN's lawsuit isn't exactly hostile: https://www.icann.org/news/announcement-2018-05-25-en and https://www.epag.de/en/tucows-statement-on-icann-legal-actio...

The lawsuit was filed in order to get an official legal answer on the books as to how Whois data should be handled for GDPR. The easiest way to get actual precedent on the matter is to sue someone over it.

I don't think I came to the same conclusion you did after reading those 2 articles. While you say the lawsuit "isn't exactly hostile", I think it isn't exactly "friendly" either, and it's not like ICANN is neutral and just looking to the courts for guidance. I don't think ICANN is pleased with this ruling, at all.

ICANN clearly wants to preserve the requirement around personal details in Whois data, while Tucows pretty much thinks that requirement goes against the spirit of GDPR. From your second link:

> ICANN’s goal, since discussions about the impact of the GDPR on domain registration began, has been to preserve as much of the status quo as possible. This has led ICANN to attempt to achieve GDPR-compliant domain registration via ‘process reduction’, as opposed to Tucows’ approach of starting with the GDPR and rebuilding from the ground up.

> ICANN clearly wants to preserve the requirement around personal details in Whois data

They may just not want to get sued by the MPAA et al over facilitating copyright infringement. Without WHOIS, pursuing rogue domains gets harder.

We're not talking about no WHOIS, we're talking about reducing the number of WHOIS contacts, and not publishing WHOIS information for everybody to see. Which, yes, would mean that now you need e.g. a court order first before you'd get that information. So I guess "pursuing rogue domains gets harder" is one way to put it, or "more legally correct" another.

For law enforcement this isn't a problem. For scummy copyright lawyers looking to make a quick buck, maybe it is. Guess which of those funds ICANN? And how exactly would not making WHOIS info public "facilitat[e] copyright infringement"? Nobody is buying it.

Yes. Also:

> Tucows will continue to ensure that those with legitimate purposes, including law enforcement, intellectual property, and commercial litigation interests will have access to domain registrant information. On a daily basis, we see plenty of important circumstances wherein we find sharing that information to be legally necessary, and this will not change. We collect a contact for the owner of each domain name sold on our platforms, and have the ability to contact the owner. When necessary, we also share that contact with law enforcement and others with a legitimate interest.

So there's no loss of data access for those with legal right to it. It's just that there's no free public access.

> The easiest way to get actual precedent on the matter is to sue someone over it.

Precedent is of little relevance in countries that use civil law (as opposed to common law like the US does) so establishing it sounds somewhat futile.

Poor internet. Designed to survive atomic wars. But can it withstand lawyers?

I'm curious (and ignorant): how can Europe fine an organization like ICANN? I can imagine that they can forbid them to do any business in Europe if they don't pay their fine, anything else? If it comes to this, what does it mean for registrars in Europe?

It seems that at the moment registrars have chosen to comply with the GDPR and ignore any requirements from ICANN that violate the GDPR.

If ICANN leaves it at that, then with respect to the GDPR the situation is fine.

If ICANN decides to enforce their policies and for example starts excluding European registrars, then we have a completely new situation that goes way beyond the GDPR.

Note that the DNS root is technically the IANA function, which is operated by ICANN. A lot of what ICANN can do derives from that.

If the EU would withdraw support from that, then a lot of chaos is going to result. Chaos that is certainly not in the interest of the US government. So my guess is that at the end of the day, the EU can have their GDPR and ICANN will just have to accept that.

They likely can't, but they can fine EPAG, which is a German domain registrar. The matter at hand is that ICANN was trying to allegedly force EPAG to violate GDPR.

Nobody fines ICANN.

A German registrar doesn't fulfill its contract with ICANN anymore. ICANN sues them at a German court to fulfill it. The court rules that the contract clause is illegal according to German law, so the registrar is not obliged to fulfill it.

It's arrogance; see the Brexit negotiations for more examples of this.

It's acting in their people's best interest.

Why should the EU be nice to ICANN? (Actually, they even have been nice for 15 years.)

Why should the EU be nice to the UK? It's just tough negotiations where both parties try to close the best possible deal.

Do you have any examples?

[1] https://www.scmp.com/news/world/europe/article/2109958/brexi...

[2] There has been little if any compromise in the negotiations from the EU side, and much from the UK.

1. I'm not sure it's arrogance. The EU is big, the UK is comparatively smaller, guess what happens in a divorce? :)

2. See 1. Also, there have been compromises, the UK wants to get unicorns. Full access to the single market yet no freedom of movement...

> The EU is big, the UK is comparatively smaller, guess what happens in a divorce? :)

A divorce seems an odd comparison to choose, but the UK has a large trade deficit with the EU. If the UK leaders had a backbone, they would walk away or be tougher in negotiations.

> 2. See 1. Also, there have been compromises, the UK wants to get unicorns. Full access to the single market yet no freedom of movement...

Do you have any examples?

Why should the ideological idea of freedom of movement be linked to an economic market? This is an EU idea, and the separation of the two is not a unicorn. See: other trade agreements.

If the UK wants a simple trade agreement then it can have it. But that's not what the UK wants. The UK wants an open Irish border, an open border between Northern Ireland and the main island, but without submitting to EU regulations on goods. That's impossible.

Single market without freedom of movement is possible, but the thing about the EU is that different countries disagree about what the good parts and the bad parts are. Austria, if acting alone, might be willing to agree to single market without freedom of movement, but Poland is not going to accept that. And so on. If you compromise with everyone, well, congratulations, you've joined the EU.

> Why

> This is an EU idea

I think you answer your own question. It's a founding principle of the EU.

Yes, it is. My intention was to highlight that the separation of these concepts is not a 'unicorn'.

The EU is willing to negotiate a trade agreement. The UK wants that trade agreement to include full access to the Single Market, without freedom of movement. That's a unicorn.

The EU is not a trade agreement.

And it's not Groucho Marx either ("these are my principles, if you don't like them, I have others!").

Related, with some insights (3 months ago): https://news.ycombinator.com/item?id=16856090

The judgement seems to rest on whether collecting data is necessary for the business. But what place is the judge in to decide that? Isn't the fact that ICANN demands the data from registrars good proof that it is necessary to EPAG's business?

Then go one level deeper: why is this data necessary for ICANN?

If there is no good reason, then there's also no good reason for EPAG to collect this information.

This seems like the worst first take possible for a policy that otherwise seems to have good intentions.

Basically this is pedantry around something that completely does not matter. Every major registrar already provides mechanisms for hiding this info from the general public should you choose to do so.

Seems like lawyering for lawyering's sake. When can we get rid of that?

The point of GDPR is to implement privacy by default, not privacy for those who know how to pick the right companies and the right options. ICANN have been trying to get an exemption for this, unsuccessfully, for a while. Hence this lawsuit.

> Every major registrar already provides mechanisms for hiding this info from the general public should you choose to do so.

I think you missed a "by charging a fee to not do something they have no reason to otherwise do except to force you to pay a fee" in there.

Seems like charging fees for charging fees' sake. When can we get rid of that?

As much as I appreciate the privacy-first aims of the GDPR, I think that at some point it collides head-on with property records.

Privacy and property rights are interconnected: after all, what is privacy but the right to do with yourself and your property as you see fit without outside observation/interference?

These rights are sometimes at odds with each other: can you really own property if your ownership is not publicly recorded/recognized?

Is the balance of your bank account recorded publicly? So it seems there is no need for a public record.

And GDPR does not prohibit voluntary owner entries into a central whois directory, it just prohibits transferring personal data without consent.

Talk to ICANN. It wanted to cut out registrars trying to comply with the law.

OTOH maybe you shouldn't have to pay extra to keep your privacy?
