The Secret Fight For Your Personal Information
Is Facebook using US courts to create a GDPR backdoor to your data?
Namecheap has a long history of advocating for and protecting our customers’ privacy. We were early champions for your rights, we embraced the GDPR, and we will continue to go above and beyond in fighting for your privacy rights. We refuse to hand over your private information unless the company requesting it has established a legal right to it. For many companies, this is good news and a standard they practice as well. A small group, however, believes it is entitled to your information simply because of who it is and because it asks.
Today, we find ourselves in a battle for your privacy with one such company: Facebook.
In this battle, Facebook is fighting for the blanket right to access your information. Should it persuade a US court that it has this blanket right, it will create a backdoor to the GDPR and to your personal information. We cannot, in good conscience, be silent and allow this to happen. We will fight this fight and want to give you the information you may need to understand how Facebook’s arguments attempt to open a door to your personal information. To understand the significance and breadth of the proposed backdoor, you need some context on the GDPR. You also need a little info on the domain industry and ICANN.
The General Data Protection Regulation (GDPR) went into effect across the European Union on May 28, 2018, and now covers countries in the EEA. The GDPR is held as one of the most comprehensive pieces of privacy legislation in existence. It grants a set of privacy rights to individuals that, among other things, limit who collects your data, what they do with it, and who they share it with. To be able to do any of these acts, a company must have one of six legal bases.
Most of the legal bases are obvious, like when you “consent” to let someone collect your data. It also covers when you enter into a “contract” (such as when you buy services) and collecting and processing your information is needed to provide the service to you. Another is when a company is “legally required” to do something that involves your data, such as retain it for a certain period of time when it is required by law. Two more bases include when processing is of “vital interest” to you (i.e. you were in an accident and your doctor needs to share your info) and when there is a “public interest” (which generally covers the collection of data by government agencies for research purposes).
The last legal basis is “legitimate interest.” Legitimate interest is the legal basis one company would use with another company to request your private information. A company cannot use legitimate interest (nor would it) if it could use another legal basis for obtaining your information. And it is rightly known as the hardest standard to meet, because applying it loosely would have a significant impact on privacy rights and freedoms. That’s why, even if the asking company can meet the standard, it doesn’t gain a right to the data; the standard only gives the third-party company that holds the data permission, not an obligation, to share it with the asking party.
The GDPR applies globally. So, regardless of where a company is located, it must comply with the GDPR if it has a customer who is covered by the GDPR.
The Internet Corporation for Assigned Names and Numbers (ICANN) is a non-profit that, among other things, works with stakeholders in the domain industry to establish policies, procedures, and governing contracts between parties like registries and registrars. When the GDPR went live, it fell to ICANN and its community to create additional contractual terms to enable its community to comply with the GDPR. So, it put together what is called a Temporary Specification (like an addendum to a contract) that covered the GDPR and incorporated GDPR language. For our purposes, that included the term “legitimate interest” as a basis for obtaining your personal information, and it adopted the relevant “legitimate interest” GDPR language. Given that the Temporary Specification (Temp Spec) solely covers the GDPR and uses GDPR language, any of its terms must be interpreted using GDPR-related law. It also means that if Temp Spec language is interpreted wrongly, it creates a large-scale, global privacy risk (if not a violation).
Facebook + Privacy + GDPR
Facebook recently started a campaign where it seeks to market itself as a company striving to protect internet users against cybercriminals. In fact, it used this claim when it sued Namecheap because Namecheap refused to hand over its customers’ personal information to Facebook just because Facebook demanded it. In doing so, it is attacking the fundamental right of privacy by attempting to set a dangerous precedent that could expose anyone’s information.
Here’s an important quick aside: Facebook’s claim for a right to the information is based on alleged trademark violations and/or abuse activity related to the alleged trademark infringement.
However, trademark protection is a very specialized legal field. Whether a mark is protected and whether the use of something similar to the mark violates that protection depends on a multitude of factors. This inquiry is complicated by differing laws of differing jurisdictions, both U.S. and foreign. Because it is so specialized, we believe that only a court of law is the proper forum to make a legal determination on whether there has been a trademark infringement and Namecheap (or a similarly situated company) should not have to act as the arbiter of complex facts and laws every time someone claims infringement. And, as I’ll explain later, Facebook does not need your personal information to investigate, act on, and/or enforce an alleged trademark violation in a court of law.
What about a claim of using the alleged mark for abuse? We investigate every allegation of abuse. We believe it’s our responsibility to do so. We also believe in due process. So, if there isn’t evidence of abuse, the person should not be treated as though it was committed. It’s simple. If abuse is confirmed, services are suspended. The process of investigating an alleged abuse does not require the blanket release of a person’s personal information to Facebook, or any other complainant. It requires either evidence provided by Facebook and/or our ability to independently verify the abuse.
Facebook’s Position on Trademarks
In Facebook’s lawsuit, it repeatedly claims that Namecheap (plus all other registrars) “MUST” turn over your confidential information to them. Why? Because they have a “legitimate interest.”
In its stance that it has a right to your information, Facebook is asking the court to focus only on the language of ICANN’s Temp Spec for “legitimate interest.” Their argument does not include GDPR interpretations of what constitutes “legitimate interest”. It is simply a blanket statement: we have a “legitimate interest.” Yes, that’s it. On that statement alone, Facebook contends that your data should be turned over to it. No court order or subpoena required. Facebook filed its case and is making this argument in a US court.
But, remember, the Temp Spec is wholly based on the GDPR. Indeed, its language refers specifically to the GDPR. Yet, in Facebook’s court filings, it specifically omits the GDPR reference and also omits that the Temp Spec language includes that a company cannot provide the information to Facebook where Facebook’s “interests are overridden by the interests or fundamental rights and freedoms of the Registered Name Holder or data subject…” (by the way, this is the GDPR language as well).
What Does This Mean?
It means that, when looking at the Temp Spec and what is considered a “legitimate interest,” parties are both contractually and legally required to follow the relevant GDPR law. For “legitimate interest” that means that Facebook must: 1) have a specific purpose; 2) show that the data it requests is necessary for that purpose; and 3) show that there is no less intrusive means to achieve the same purpose. It does not mean that Facebook meets the standard of “legitimate interest” just because it says so. In fact, at least as it relates to a domain’s Registered Name Holder personal information, Facebook will always fail the “legitimate interest” standard.
Facebook’s possible purposes for using the data (all related to its trademarks) are:
- To contact the Registered Name Holder directly
- To file a lawsuit (to enforce their trademark)
- To file a UDRP (which is like a lawsuit and used to enforce a trademark)
Facebook does not need your private information to accomplish any of these objectives. It is, thus, not “necessary.” There are established (anonymous) methods to directly reach a Registered Name Holder. And, Facebook can file a lawsuit or UDRP using a domain name/John Doe. Because there are ways to do these things without your data, it also means that there are clearly less intrusive means for Facebook to achieve the same result.
This bears repeating: Facebook does not need your private information to exercise any of these trademark actions.
Is This Important to Your Privacy? It’s Very Important.
If a court agreed with Facebook’s argument regarding the meaning of ICANN’s Temp Spec language for “legitimate interest,” the result would be that Facebook doesn’t have to meet the GDPR’s standards for disclosing your information, and that companies (like Namecheap) are required to hand over your information to it.
Even if Facebook’s motives are altruistic, the motive is irrelevant, because such a decision would open the door for everyone to make this same claim to your data. The implications of such a decision are astounding. First, it would be US law interpreting a contract that is meant to provide compliance with another jurisdiction’s law. In other words, ICANN-covered companies would be required under the Temp Spec to turn over information to Facebook despite the fact that Facebook is prohibited by the GDPR from receiving that information. Second, it would have ramifications across the entire domain industry that is governed by ICANN. This means Facebook could demand information — without court order, without subpoena, without meeting any legal standard — just because it claimed to have a “legitimate interest.” And so could anyone and everyone who makes this same claim.
Most importantly, this tactic would create an end-run around not only your privacy, but the GDPR itself. Instead of being the hardest legal standard to meet, “legitimate interest” becomes the free pass for anyone who wants to use it, in particular Facebook. And it would throw the door wide open to unrestrained access to your private information, whether you are covered by the GDPR or not. Such a decision would open the door to your data for basically anyone who requests it, with a very limited burden of proof.
Does Facebook really care about protecting you from cybercrime or are their recent efforts their newest Trojan Horse to get personal data that Facebook doesn’t have a right to have? We think it is the latter. What do you think?