Earlier this month, the Regional Court of Bonn in Germany highlighted the importance of data minimisation and purpose limitation in Europe’s first ever ruling to apply the GDPR principles.
ICANN, a non-profit organisation that coordinates the assignment of domain names, sought to maintain its current practices, which see the contact details of a technical and an administrative contact publicly published online alongside the contact details of the domain’s registered owner (known as WHOIS data).
EPAG Domainservices GmbH (EPAG), which is accredited with ICANN and so obliged to hand over WHOIS data for public publishing when it registers a domain, argued that these practices went against the purpose limitation and minimisation principles of the GDPR, as only the details of the registered owner were necessary for ICANN’s purposes. As such, there was no legal basis for the processing of the personal data of the technical and administrative contacts.
Although lawfulness was not at the forefront of this decision, the Court in Bonn agreed with EPAG, stating that the registered owner of the domain name should be the only data subject whose details are publicly published for security and registration purposes. As such, GDPR had been breached by ICANN.
What do we learn from this decision?
Germany is known to have some of the strictest data protection laws in the world. It seems only fitting that its courts be the first to apply the regulation.
Yes – the application doesn’t have direct effect in our courts in England and Wales, but we must pay attention.
GDPR is in its infancy, with a great deal of uncertainty surrounding it. It would be foolish not to acknowledge any approach taken by our fellow EU members, as it is very probable that such decisions will be influential on our courts.
In this case, we can learn that if the GDPR tells you to minimise and limit your data to what is necessary, then you must do so. You cannot dismissively apply legitimate interests to everything as the courts WILL apply a necessity test.
The case also highlighted that the courts will look at practices as a whole in determining what is necessary. ICANN could not publish technical and administrator contact details if those details had not been provided upon registration – in other words, it was not mandatory. This led to the question: if it’s necessary for one, why isn’t it for another?
We will continue to keep you updated.