October 21, 2020

Volume X, Number 295


October 21, 2020

Subscribe to Latest Legal News and Analysis

October 20, 2020

Subscribe to Latest Legal News and Analysis

October 19, 2020

Subscribe to Latest Legal News and Analysis

German Court Issues First GDPR Ruling

In the first decision (available in German only) applying the General Data Protection Regulation (GDPR), a German court held that data collection that exceeds what is necessary to achieve legitimate business purposes violates one of the basic tenets of the GDPR. Article 5 of the GDPR states that personal data collection shall be "for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes," and "adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

The case concerns ICANN, an American non-profit company that oversees the global WHOIS database of registered domain names, and EPAG, a German domain registrar. EPAG had a contractual relationship with ICANN to collect personal data from people who bought domain names. Additionally, ICANN wanted EPAG to provide the name and contact details of a technical and administrative contact for the registering entity. EPAG refused to collect the latter information, arguing that doing so would violate Article 5 of GDPR because there was no business need, and therefore no legal basis, to collect and process personal data of technical and administrative contacts.

ICANN filed suit in Germany seeking an injunction to compel EPAG to collect the technical and administration contact information. ICANN argued that contact information was necessary to address problems that could arise in connection with the domain name registration. Rejecting ICANN's request, the Regional Court of Bonn held that collecting data on technical and administrative contacts would violate the data minimization rule. In support of its finding, the court noted that registrants had not previously been required to provide technical and administrative contact details, and ICANN failed to provide adequate evidence that such data collection was necessary.

ICANN has appealed the Bonn court's decision to the Higher Regional Court of Cologne, Germany. The challenges to privacy practices of Google and Facebook filed when the GDPR became effective in May are still wending their way through the system, but this case illustrates that both for-profit and not-for-profit organizations must take care to consider GDPR obligations. This first GDPR decision is a reminder that businesses should assess and document why the personal data they collect and process is necessary for a specific, legitimate purpose, and ensure that the information is limited to what is required to achieve that purpose.

© 2020 Keller and Heckman LLPNational Law Review, Volume VIII, Number 190



About this Author

Sheila Millar, Keller Heckman, advertising lawyer, privacy attorney

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues.  She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters.  She helps clients develop website and app privacy policies,...

Tracy Marshall, Keller Heckman, regulatory attorney, for-profit company lawyer

Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and commercial e-mail messages, contests and sweepstakes, endorsements and testimonials, marketing to children, and data breach notification. Ms. Marshall also helps clients establish best practices for collecting, storing, sharing, and disposing of data, and manage outsourcing arrangements and transborder data flows. In addition, she assists with drafting and implementing internal privacy, data security, and breach notification policies, as well as public privacy policies and website terms and conditions.

As to intellectual property matters, Ms. Marshall helps clients protect their copyrights and trademarks through registration, enforcement actions, and licensing agreements.

She also represents clients in proceedings before the Federal Communications Commission and Federal Trade Commission.

Ms. Marshall is a Certified Information Privacy Professional (CIPP/US) through the International Association of Privacy Professionals (IAPP) and a contributing author of Beyond Telecom Law Blog and Consumer Protection Connection.

Education: Washington and Lee University (B.A., 1997); American University, Washington College of Law (J.D., 2002).

Admissions: District of Columbia; Maryland

Memberships: American Bar Association