Facebook is fighting for the blanket right to access your information. Should it persuade a US court that it has this blanket right, it will create a backdoor to the GDPR and to your personal information.
Facebook’s arguments attempt to open a door to your personal information. To understand the significance and breadth of the proposed backdoor, you need some context on the GDPR. You also need a little info on the domain industry and ICANN.
The General Data Protection Regulation (GDPR) went into effect across the European Union on May 28, 2018, and now covers countries in the EEA. The GDPR is regarded as one of the most comprehensive pieces of privacy legislation in existence. It grants individuals a set of privacy rights that, among other things, limit who collects your data, what they do with your data and who they share your data with. To do any of these things, a company must have one of six legal bases. Most of the legal bases are obvious, like when you “consent” to let someone collect your data. Another is when you enter into a “contract” (such as when you buy services) and collecting and processing your information is needed to provide the service to you. Another is when a company is “legally required” to do something that involves your data, such as retaining it for a certain period of time when it is required by law.
The Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit that, among other things, works with stakeholders in the domain industry to establish policies, procedures, and governing contracts between parties like registries and registrars. When the GDPR went live, it fell to ICANN and its community to create additional contractual terms to enable its community to comply with the GDPR. So, it put together what is called a Temporary Specification (like an addendum to a contract) that covered GDPR and incorporated GDPR language. For our purposes, that included the term “legitimate interest” as a basis for obtaining your personal information and it adopted the relevant “legitimate interest” GDPR language.
Facebook recently started a campaign where it seeks to market itself as a company striving to protect internet users against cybercriminals. In fact, it used this claim when it sued a company called Namecheap, with which this writer has a domain registered, because Namecheap refused to hand over its customers’ personal information to Facebook just because Facebook demanded it. In doing so, it is attacking the fundamental right of privacy by attempting to set a dangerous precedent that could expose anyone’s information. Facebook’s claim for a right to the information is based on alleged trademark violations and/or abuse activity related to the alleged trademark infringement.
In Facebook’s lawsuit, it repeatedly claims Domain Registrars “MUST” turn over your confidential information to them. Why? Because they have a “legitimate interest.”
In its stance that it has a right to your information, Facebook is asking the court to focus only on the language of ICANN’s Temp Spec for “legitimate interest.” Their argument does not include GDPR interpretations of what constitutes “legitimate interest”. It is simply a blanket statement: we have a “legitimate interest.” Yes, that’s it. On that statement alone, Facebook contends that your data should be turned over to it. No court order or subpoena required. Facebook filed its case and is making this argument in a US court presently.
But, remember, the Temp Spec is wholly based on the GDPR. Indeed, its language refers specifically to the GDPR. Yet, in Facebook’s court filings, it specifically omits the GDPR reference and also omits that the Temp Spec language says a company cannot provide the information to Facebook where Facebook’s “interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder.”
What Does This Mean?
It means that, when looking at the Temp Spec and what is considered a “legitimate interest,” parties are both contractually and legally required to follow the relevant GDPR law. For “legitimate interest,” that means:
- Facebook must have a specific purpose;
- The data they request must be necessary for that purpose;
- There can’t be a less intrusive means to achieve the same purpose.
It does not mean that Facebook meets the standard of “legitimate interest” just because it says so. In fact, at least as it relates to a domain’s Registered Name Holder personal information, Facebook will always fail the “legitimate interest” standard.
Facebook’s possible purposes for using the data (all related to its trademarks) are:
- To contact the Registered Name Holder directly
- To file a lawsuit (to enforce their trademark)
- To file a UDRP (which is like a lawsuit and used to enforce a trademark)
Facebook does not need your private information to accomplish any of these. This bears repeating: Facebook does not need your private information to exercise any of these trademark actions.
If a court agreed with Facebook’s argument regarding the meaning of ICANN’s Temp Spec language for “legitimate interest,” the result would be that Facebook doesn’t have to meet the GDPR’s standards for disclosing your information and that companies are required to hand over your information to it.
For the full story, please follow the link below to Namecheap’s blog, which broke this news to this writer this week.