A court has issued the first ruling which applies the General Data Protection Regulation.
ICANN (Internet Corporation for Assigned Names and Numbers) is an American non-profit that oversees a global database of registered internet domain names.
ICANN contracted German domain registrar EPAG to collect personal data from people who bought domain names. However, EPAG refused to provide the name and contact details of technical and administrative contacts for registering entities.
EPAG argued that doing so would be a violation of Article 5 of GDPR because there was no business need, and therefore no legal basis, for it.
ICANN turned to a court in Germany in its attempt to compel EPAG to provide the contact information, saying it was necessary to address problems that could arise in connection with the domain name registration.
However, the Regional Court of Bonn ruled that collecting data on technical and administrative contacts would violate the data minimisation rule, according to the National Law Review in the United States.
GDPR states that personal data collection shall be “for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes” and “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”.
The court said registrants had not previously been required to provide technical and administrative contact details, while ICANN had failed to provide adequate evidence that such data collection was necessary.
ICANN has appealed the court’s decision to the Higher Regional Court of Cologne.
The first major fine for a GDPR breach is just months away, according to a legal expert.
Companies have also been told to stay alert for GDPR ‘chancers’ who deliberately try to identify data breaches in a bid to get compensation.