The General Data Protection Regulation (GDPR) entered in force last May 25th, 2018 and has overturned all the companies operating online and on how the personal information of their customers and employees are processed and protected. It turned out that the GDPR also has a significant, yet underestimated, impact on the availability of the WHOIS data (i.e. the personal information relating to domain name registrants) and, consequently, on the enforcement of trademarks against infringing domain names.
The changes on the availability of WHOIS data
Every individual or company who proceeds with the registration of a domain name must provide their identity and contact information such as their name, address, email, phone number… Such data is managed by registrars and registries, whom are required to “maintain timely, unrestricted and public access to accurate and complete WHOIS information“ under the Internet Corporation for Assigned Names and Numbers (ICANN) regulations.
Under the new data protection regulation, companies must protect personal data, including a person’s name, address, email, phone number… that is to say all the information supposed to be collected and displayed publicly by registrars and registries. Yet, displaying such information publicly and without the consent of registrants is not GDPR compliant.
Despite the requirements set forth in the Temporary Specification for gTLD Registration Data (“Temporary Specification”) adopted by ICANN on last May 25th, 2018 to address the conflicts between ICANN’s regulations and GDPR restrictions, the lack of concrete guidance has led the registrars and registries to remove nearly all contact details from WHOIS records.
What are the practical implications for trademarks owners?
Until then, trademarks owners and IP professionals have relied upon unlimited and open access to WHOIS data for the past couple of decades, as a first step to enforcement against infringing domain names. With the GDPR now in force, enforcement of trademarks online has become significantly more complex since it is much more difficult to identify domain name registrants. The critical information, namely registrants’ personal data, are indeed no longer available on WHOIS.
Without access to these data, the first consequence for rights owners is the complexity or even the impossibility to identify the registrants and contact them. Domain name disputes that may once have been settled on an amicable basis with a cease and desist letter or through an undercover purchase of a domain name nowadays require administrative or legal proceedings– and the associated costs – to discover the identity of a registrant.
There are still possibilities to attempt to directly contact the domain name registrants but there is currently no uniform way of obtaining registrants’ contact details from registrars and registries. Under the above-mentioned “Temporary Specification”, registrars are required to provide an anonymized email address or an online contact form (such as GoDaddy for example) on their WHOIS databases, and, by default, requests can be sent to registrars to obtain contact details, which however rarely lead to a satisfactory response.
Other issues have also arisen from the GDPR implementation. For example, while it is possible to file one sole UDRP complaint against several domain names owned by the same individual, tying up together group of domain names has now become nearly impossible. Unless trademarks owners successfully consolidate several domain names within one sole UDRP complaint with the corroborating element in their possession, they will have to file an individual complaint against each domain names, which incurs substantial costs. Finally, infringing and cybersquatting behaviors set aside, it is important to recall that domain names can constitutes enforceable prior rights against trademarks and the lack of information regarding the identity of registrants can be challenging in the conduct of prior searches among domain names and to identify registrations made by individuals or entities with legitimate interest.
In light of the above, the changes on the availability of WHOIS records resulting from the new regulation has significantly impacted trademark protection among domain names in terms of effectiveness and costs.
What will happen next?
Further to the above-mentioned “Temporary Specification”, ICANN is currently working on a proposal of unified access model in to provide access to full WHOIS data to a defined set of users with legitimate interest such as trademarks owners and IP professionals, which would accommodate both GDRP requirements and the interests of rights owners. However, the discussions between ICANN and the European Data Protection Board (EDPB) are still ongoing and many aspects of the new WHOIS policy must be clarified and defined.
Until an access model is definitively approved by the European Data Protection Board (EDPB) and effective, trademarks owners as well as IP professionals will have to familiarize themselves with the changes, and challenges, introduced by the new regulation and to continue their trademark protection efforts in the most efficient way possible.
In the meantime, our firm remains at your disposal for any further assistance.
Lucie PRUNIERES
IP lawyer