European Center for Digital Rights Joins Privacy Fight
In June, we told you about Facebook’s efforts to force Namecheap to divulge private details about all of our domain registrants — people like you. Since then, there have been a number of new developments we wanted to share with you.
We are currently litigating in federal court to dismiss the lawsuit for, among other things, Facebook’s lack of a right to the information. In our fight, we’ve received unexpected support from the most respected and renowned European data privacy enforcement organization, the European Center for Digital Rights.
Recap: Here’s What’s At Stake
Let’s recap the situation with Facebook and how it affects you. Facebook’s lawsuit against us originates from their demand for your private domain registrant information. This is the information you provide when you register a domain, and which we protect by using a privacy product by our third-party partner, domain privacy.
Facebook claims they have a “legitimate interest” to this information and, therefore, should be given access to it just because they request it.
They offer no subpoena or no court order and, in fact, claim it’s not required of them. They refer to the Temporary Specifications from ICANN (the not-for-profit regulatory organization that oversees domains and other Internet functionality). The Temporary Specifications are ICANN’s contractual amendments to ensure registrars and registries are in compliance with the General Data Protection Regulation (GDPR), which is globally considered the strongest set of privacy laws to protect personal information) as the legal reason as to why they have a right to it.
They haven’t limited their argument to just those of you who are protected by the GDPR, either. They argue that they have a right to anyone’s information — in the E.U., U.S., and anywhere — because of their claim of “legitimate interest” and their referral to ICANN language.
In other words, they are in a U.S. federal court asking the court to determine that, because they are Facebook with various trademarks, they can demand and receive your personal information — without due process, without court intervention, and often without a claim of abuse, and/or to silence their critics. A federal court’s decision may impact all U.S. companies.
Equally invasive, the argument they make and the decision they seek will require disclosure of personal information of consumers across the globe, which many countries consider illegal.
Facebook Has No Right to Your Personal Information
Namecheap’s long-held position is that Facebook has no right to receive your personal information on a blanket request. Our stance is that they, like any other third party, must establish a legal right to obtain it using the proper legal forum such as a court of law. This ensures due process, which is a fundamental right in the United States.
Remember, Facebook is using a hidden foothold to try to get blanket access to your information, regardless of where you reside: they are using ICANN’s language that is meant to ensure compliance with the GDPR only. A decision by a U.S. court, based on what Facebook is requesting, would be much broader than the GDPR. However, they don’t have a right to your information under the GDPR or on any other legal basis outside of a court order or subpoena.
As Electronic Frontier Foundation (EFF) said recently (in a quote for this article),
“Facebook’s suit against Namecheap overreaches on trademark law, and it also ignores important privacy concerns that Facebook claims to defend in other contexts.”
While it’s certainly easier and financially better for Namecheap to turn over your information when asked by a powerful bully (it would save litigation costs) — that is not what we stand for. We understand that domains and hosting services are the portals to free speech, livelihood, and autonomy. We’ve witnessed Facebook and other companies irresponsibly using their clout to silence digital rights. For example, check out this article discussing how they forced their most powerful critics offline.
We stand and fight, not only for your privacy but also for your fundamental rights of Free Speech and Due Process in this lawsuit.
We Are Not Alone in This Fight — NOYB Has Joined Us
To our surprise and great gratitude, another privacy warrior has joined this fight. Our case, and the significant privacy issues that it involves, caught the attention of the European Center for Digital Rights, commonly known as NOYB, or “None of Your Business.” They are privacy warriors based in the E.U. whose sole purpose is ensuring enforcement of privacy rights. As a result of Facebook’s actions, they have engaged a U.S. attorney and have filed their first filing ever in the U.S., joining us in our fight to support your privacy rights.
Who Is NOYB, and Why Is This Significant?
NOYB is a nonprofit organization founded by Max Schrems, and their entire mission is to enforce privacy rights. They have sued and won many litigation cases about privacy violations against giants like Facebook and Google. They selectively choose to engage in cases where they can have the greatest impact on strengthening your privacy rights.
Prior to our case, the entirety of their filings was in the European Union (E.U.). Among many of their efforts are the 101 Transfer Complaints, where they are litigating against giants who collect and allegedly illegally transfer personal information in violation of E.U. privacy rights.
NOYB has identified this case as significant to your privacy rights (or violation of rights.) EFF put it this way:
“NOYB’s brief provides very important context by showing how Namecheap’s policies are driven by the GDPR’s requirements.”
Does Facebook Have a Legitimate Interest under the Law? No.
European law makes this clear. According to the NOYB Amicus Brief, Section I.C.:
“The legitimate interest of Facebook is not established under the GDPR.”
Furthermore, NOYB shares that Facebook is not entitled to your personal information and that it would be illegal to provide it to them. Moreover, they explain in detail why Facebook fails every element of the “legitimate interest” test.
Let’s look at this test in more detail.
“Legitimate Interest” under the GDPR requires:
- That the data is “necessary.”
- That the data cannot be obtained through a more privacy-protected manner.
These are “gateway’ requirements that must be met before a requestor can proceed to the “balancing test” (meaning balancing the rights of the requestor against your privacy rights).
Here’s how Facebook fails at every step:
- The data is not “necessary” for them to pursue their rights. Since it’s not necessary, the test fails at the outset and ends here.
- Even if we assumed it was “necessary,” there are less invasive means by which to obtain it, which are more privacy-protecting. Facebook is required by the GDPR to use those means. Thus, again, they fail the standard, and the test ends.
- While Facebook would never reach the “balancing test” portion of legitimate interest, if they did — they would still fail. Why? Because their interest is merely economic in nature, whereas the impact would be a breach of fundamental privacy rights and protections. Again, they fail the test.
Where We Are Now
Currently, the court still must determine whether to accept NOYB’s Motion to File An Amicus Brief. Even if the judge chooses not to accept NOYB’s Amicus Brief at this time — their filing is still significant for all the reasons we’ve shared. They’ve made clear that under the GDPR, Facebook has no legal right to the data they are seeking — which is your data.
They’ve also shared that Namecheap’s practices in protecting your data and not releasing it to Facebook upon demand is fully compliant with and required by the GDPR.
Make Your Voice Heard
We had a significant response to our June blog and many asked what you can do. We believe that, by working together, privacy rights can be enforced.
Now is the time to take action. Here are several things you can do.
- If you are in Europe (the EEA) – Contact your Data Protection Authority (DPA). Alert them about what Facebook is trying to do that violates your fundamental rights. Share NOYB’s Amicus Brief and request that they publicly align themselves with NOYB so there can be no confusion or misunderstanding on the lack of right to your data.
Here’s where to find and how to contact your Data Protection Authority
- If you are in the U.S. – Contact your elected federal officials. Let your representatives in the Senate and House of Representatives know you don’t agree with what Facebook is attempting to do and demand that they fight for your privacy rights.
Here’s how to find and contact your federal elected officials
- Contact ICANN. ICANN has an upcoming public comment period for proposed ways to obtain private registrant information. This directly relates to this Temporary Specification and will be a way they can set rules globally.
- Support organizations that fight for your privacy rights. There are privacy organizations that have the sole mission of protecting your privacy rights. NOYB, based in Vienna, is one of them. Also check out Electronic Frontier Foundation, a U.S.-based global leader that focuses on defending civil liberties in the digital world.
- Inform your family + friends. Inform those you know about Facebook’s effort and share how they, too, can help.
For More Information:
- Learn more about NOYB
- Learn more about Electronic Frontier Foundation
- VICE News: “Facebook Just Forced Its Most Powerful Critics Offline” (They used the same tactics they have tried with Namecheap.)
- Belgium court orders Facebook to stop collecting data on people who don’t have an account with them. (Facebook drops cookies on anyone who visits one of their pages or clicks a like button and tracks your online activity — whether or not you have a Facebook account.) See: Facebook to Appeal a Belgian Court’s Ruling on Data Privacy and/or Facebook told to stop tracking in Belgium.