Monday, July 9, 2018

In the first decision (available in German only) applying the General Data Protection Regulation (GDPR), a German court held that data collection that exceeds what is necessary to achieve legitimate business purposes violates one of the basic tenets of the GDPR. Article 5 of the GDPR states that personal data collection shall be "for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes," and "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

The case concerns ICANN, an American non-profit company that oversees the global WHOIS database of registered domain names, and EPAG, a German domain registrar. EPAG had a contractual relationship with ICANN to collect personal data from people who bought domain names. Additionally, ICANN wanted EPAG to provide the name and contact details of a technical and administrative contact for the registering entity. EPAG refused to collect the latter information, arguing that doing so would violate Article 5 of GDPR because there was no business need, and therefore no legal basis, to collect and process personal data of technical and administrative contacts.

ICANN filed suit in Germany seeking an injunction to compel EPAG to collect the technical and administration contact information. ICANN argued that contact information was necessary to address problems that could arise in connection with the domain name registration. Rejecting ICANN's request, the Regional Court of Bonn held that collecting data on technical and administrative contacts would violate the data minimization rule. In support of its finding, the court noted that registrants had not previously been required to provide technical and administrative contact details, and ICANN failed to provide adequate evidence that such data collection was necessary.

ICANN has appealed the Bonn court's decision to the Higher Regional Court of Cologne, Germany. The challenges to privacy practices of Google and Facebook filed when the GDPR became effective in May are still wending their way through the system, but this case illustrates that both for-profit and not-for-profit organizations must take care to consider GDPR obligations. This first GDPR decision is a reminder that businesses should assess and document why the personal data they collect and process is necessary for a specific, legitimate purpose, and ensure that the information is limited to what is required to achieve that purpose.