“GoDaddy and WHOIS.com appear to have selectively redacted the information only for registrants providing an EU contact address… the GDPR has effectively made it easier for counterfeiters and infringers to evade detection.”
On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR), which regulates data protection and privacy for all European Union citizens, took effect. Under the GDPR, technical and organizational measures, such as pseudonymisation or anonymisation, must be implemented during data processing and storage, so that data is not publicly available without the individual’s consent. (Article 25 GDPR.) The regulation has wide-reaching impact, applying to companies processing and storing data of any individual in the European Union, regardless of location. (Article 3(2) GDPR.) In particular, the regulation has trademark enforcement implications in light of efforts by the Internet Corporation for Assigned Names and Numbers (ICANN) to comply with the GDPR with respect to the WHOIS database.
The WHOIS database provides technical information about the date of creation and expiration of a domain, as well as contact information for the registrant of a website, including name, physical address, email address, and phone numbers. The WHOIS database is regulated by ICANN, which has agreements with domain registrars worldwide to maintain the WHOIS data. In response to the GDPR, ICANN enacted a Temporary Specification, which provides temporary modifications to existing requirements for how registrars collect and display registrant data in the WHOIS database. Under the Temporary Specification, only the country and state or province of the registrant will be publicly displayed, while the remaining data (name, address, email address, and physical address) will not be displayed. This is an interim resolution, which may be in effect for no more than one year, so it remains to be seen what the final ICANN policy will be.
GoDaddy and WHOIS.com appear to have selectively redacted the information only for registrants providing an EU contact address. However, given the difficulty of determining which domain owners are EU citizens, many registrars, such as Tucows, removed data for all domains regardless of where the registrant is located, listing only the state or province and country of the registrant contact, and an anonymous email address directed to the registrar. For example, in the case of a domain owned by a French company and for which the registrar is Gandi SAS, the email address would comprise a long string of numbers/letters followed by @contact.gandi.net.
In light of this WHOIS blackout, the GDPR has effectively made it easier for counterfeiters and infringers to evade detection. One of the first actions taken by companies that wish to enforce their trademarks against online infringers or counterfeiters is searching the WHOIS database to obtain information about the domain in order to conduct investigations and send cease and desist communications. Accordingly, trademark owners will need to devote increased resources to locate information about the registrant. The International Trademark Association (INTA) has prepared a toolkit of tips for investigation and enforcement in light of the GDPR, called “Whois Challenges: A Toolkit for IP Professionals.” Some of the investigation tips listed in the toolkit include using manual searches of websites, traditional investigations (such as corporate and trademark databases), and using the IP address to provide location detail. Specifically, various online resources such as cqcounter.com and arin.net can provide information on the IP address, and the website service MXToolbox can assist in evaluating whether a domain is associated with spam or phishing.
Additionally, ICANN’s Temporary Specification provides rights holders the ability to request the personal data on the registrant from the registrar based on “legitimate interests not outweighed by the fundamental rights of relevant data subjects, consistent with GDPR” (Temporary Specification for gTLD Registration Data, section 4.4.2, available). If the request is not granted, rights owners may resort to other means, such as filing a court action and securing a subpoena to serve on registries and registrars to obtain the desired information.
There are also implications for enforcement beyond the investigative stage. Trademark rights holders can institute a Uniform Dispute Resolution Policy (UDRP) proceeding to obtain cancellation or transfer of a domain. Current UDRP rules require the complainant’s complaint to provide the name of the respondent (the domain name registrant) and the respondent’s contact information. However, complying with this requirement will be difficult in light of the WHOIS blackout. ICANN’s Temporary Specification allows the dispute resolution provider to accept a UDRP case in the absence of contact information for the respondent and requires the registrar to provide the dispute resolution provider with the full registration data of the registrant. As mentioned above, the Temporary Specification may only be in effect for up to a year, so this procedure is currently temporary.
Trademark rights holders can use the anonymized email addresses to contact registrants. However, there is no way to confirm receipt, because the communication is relayed by the registrar.
Rights owners can also report any abusive conduct to the registrar’s abuse point of contact, which is required of a registrar by ICANN’s Registrar Accreditation Agreement (Section 3.18). Under this provision, registrars are required to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse.”
At this stage, organizations are gathering data and working to implement long-term strategies for complying with the GDPR. ICANN has created an Expedited Policy Development Process (ePDP), comprised of 33 individuals representing major stakeholder groups, including intellectual property interests, governments, contracted parties and users, to provide a report and proposed model for granting access to the non-public WHOIS data. INTA has encouraged its members to share any challenges resulting from the WHOIS changes, which INTA will anonymize and gather for informational and advocacy purposes.
There has been one significant court challenge related to the GDPR to date. One domain registrar, the German-based EPAG Domainservices GmbH, announced that it will stop collecting the administrative contact and technical contact information of a registrant, because it believes that mere collection of this data would violate the GDPR. On the same day the GDPR took effect, ICANN filed a legal action in Germany for injunctive relief against EPAG, seeking a determination that the GDPR permits the collection of information and merely prevents the public display of such information. ICANN argued in its motion that the collection and preservation of information is required for the “stable and secure operation of the domain name system, as well as a way to identify those customers that may be causing technical problems and legal issues with the domain names and/or their content.” On May 30, 2018, the Regional Court of Bonn rejected the motion for preliminary injunction, stating that the collection and storage of the administrative and technical contact information of the registrant violates the GDPR. The Court also stated that the extra contact details, namely the administrative and technical contact, are not necessary for a domain to be registered, and indeed, many registrants list the same information provided for the registrant contact as the administrative and technical contact. However, on June 21, 2018, the Regional Court of Bonn decided to revisit its ruling, and it has the option to re-evaluate its decision or affirm its initial decision for appeal. The matter is currently pending.
In the meantime, trademark rights owners will look to both the creative and traditional strategies discussed above until ICANN’s policies become settled and the case law develops.