A new European data privacy law may complicate domain name enforcement efforts because the law shields information about domain name owners. On May 30, 2018, a German court interpreting the new law ruled that domain name registrars can collect less data about customers registering domains.
On May 25, 2018, enforcement of the European Union General Data Protection Regulation (“GDPR”) commenced. The GDPR replaces the 1995 Data Protection Directive and is intended to harmonize a prior patchwork of directives in the EU regarding the subject of personal data protection and privacy. The GDPR, which strives to protect EU residents from privacy and data breaches, applies to “personal data,” which is defined as any non-anonymized information relating to an identified or identifiable living individual. Under the GDPR, personal data may not be processed absent specified valid grounds, such as consent given by the individual or a showing that processing the data is necessary to fulfill an authorized legal basis.
Due to its various provisions and requirements, the GDPR is anticipated to – at least in the short term – have sweeping effects for enforcement of domain name infringement. Much of the information available prior to GDPR enactment – notably domain name registrant information such as the registrant’s name, address, email address, and telephone number – is expected to no longer be available on WHOIS queries for a considerable percentage of domain names. WHOIS is a publicly available database containing identifying information regarding domain name registrants and registrars. Law enforcement agencies and intellectual property owners typically deem WHOIS to be a vital tool for enforcement against unlawful or bad faith domain name registration and use. The ability to access domain name registrant information affords intellectual property owners an opportunity to more thoroughly investigate registrants and communicate with them to explore resolutions outside of a formal dispute (e.g., a Uniform Domain Name Dispute Resolution Procedure (“UDRP”) complaint or litigation), such as sending a cease-and-desist letter. Without the identity of a domain registrant or contact information to directly contact the registrant, intellectual property owners would be left with fewer enforcement options.
In terms of geographic scope, the GDPR applies to (1) entities that process personal data as part of the activities of one of their branches in the EU, regardless of where the data is processed; or (2) a company established outside the EU offering goods or services or monitoring the behavior of individuals in the EU. For practical purposes, it is expected that WHOIS information providers initially will, out of an abundance of caution, only provide GDPR-compliant data regarding domain registrants, regardless of whether a particular domain name bears a nexus to the EU.
The GDPR’s provisions likely will have a considerable substantive and procedural impact on domain name dispute resolution proceedings including the UDRP and the Uniform Rapid Suspension (“URS”) procedure. Under the UDRP and URS, complainants must prove elements including the following: (1) the domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights; (2) the registrant has no rights or legitimate interest in the domain name; and (3) the domain name has been registered and used in bad faith. Substantively, the reduced amount of WHOIS data available in the wake of GDPR enactment will make it more challenging for claimants to gather evidence necessary to establish the second and third elements. With full WHOIS information regarding a registrant, a potential claimant could more easily investigate possible defenses by a domain name registrant, including whether the registrant is commonly known by the domain name, whether the registration was authorized by a trademark owner, whether the domain name was registered primarily to disrupt the business of a competitor, and whether the registrant engaged in a pattern of bad faith or abusive registrations. Without full WHOIS information, it also becomes more difficult for a claimant to make the required certification of completeness and accuracy and that the assertions in the complaint are warranted under the UDRP, or that a sufficient good faith basis exists for the complaint under the URS.
Procedurally, the GDPR rules will create additional challenges. The GDPR will render it more difficult for a complainant to send a copy of the UDRP or URS complaints to the registrant, to determine whether the complaint needs to be translated into a particular language, to assert claims against multiple domains registered to the same owner in one complaint, and to determine and submit to mutual jurisdiction.
Ultimately, WHOIS providers such as the Internet Corporation for Assigned Names and Numbers (“ICANN”) might provide an accreditation process for certain users to access the now-unavailable registrant information for legitimate purposes. Such a process might involve tiered or gated access, in which an individual or entity seeking the registrant’s personal data would need to provide the requisite legitimate basis for entitlement to that data. In the interim, to prepare for the GDPR going into effect, on May 17, 2018, ICANN issued a Temporary Specification for gTLD Registration Data (“Temporary Specification”). The Temporary Specification “establishes temporary requirements to allow ICANN and gTLD registry operators and registrars to continue to comply with existing ICANN contractual requirements and community developed policies in light of the GDPR.” https://www.icann.org/resources/pages/gtld-registration-data-specs-en.
Under the Temporary Specification, ICANN will maintain its extensive collection of registration data, but it will restrict most personal data to accredited access. Consequently, “[u]sers with a legitimate and proportionate purpose for accessing the non-public Personal Data will be able to request such access through Registrars and Registry Operators,” and users will “maintain the ability to contact the Registrant or Administrative and Technical contacts [for the applicable domain name] through an anonymized email or web form.” However, until a permanent, streamlined system is created for intellectual property holders to obtain information regarding registrants of concerning domain names, intellectual property holders can expect the GDPR to result in a more cumbersome, time-consuming, and costly enforcement system with considerable uncertainty regarding the efficacy of enforcement options that previously were relatively straightforward.
On the May 25, 2018 enforcement date of the GDPR, ICANN filed suit against a German domain name registrar for a preliminary injunction requiring the registrar to continue collecting, maintaining, and providing data concerning the domain name holder as required by a contractual registrar accreditation agreement entered into by ICANN and the registrar. See https://www.icann.org/en/system/files/files/litigation-icann-v-epag-request-prelim-injunction-redacted-25may18-en.pdf. According to the complaint, the registrar expressed to ICANN the opinion that continuing to collect this data would violate the GDPR, and that it could no longer comply with the registrar accreditation agreement. In the complaint, ICANN contended that the collection of such data is justified under the GDPR’s provisions regarding processing data for certain legitimate interests.
The lawsuit, filed in the Regional Court of Bonn, Civil Chamber for Internet-related Disputes, resulted in a quickly issued decision on May 30, 2018, denying ICANN’s request for injunctive relief. See https://www.icann.org/en/system/files/files/litigation-icann-v-epag-request-court-order-prelim-injunction-redacted-30may18-en.pdf. As grounds for the denial, the court ruled that it would not require the registrar to collect administrative and technical data for new domain name registrations because it deemed the basic domain name registrant data to be sufficient in order to safeguard against misuse. The court also considered the additional administrative and technical data to be unnecessary for domain name registration, so – following a reference to the GDPR’s principle of data minimization – the court declined to compel the registrar to collect and process such information. The court did not, however, indicate whether it interpreted the collection of such data to be a violation of the GDPR. This decision might shed some light on how the GDPR will be interpreted by European courts, and the implications of such interpretations for the WHOIS database.
In the meantime, even following the GDPR’s effective date, certain tools remain for intellectual property owners to attempt to investigate unlawful use of domain names, identify domain name registrants, and enforce intellectual property rights. While personal data regarding the registrants will be substantially limited, attributes regarding the registration itself – such as the registrar contact information, the domain name creation date, expiration date, nameservers, and status – likely will remain available. Additionally, while the registrant’s personal email address likely will no longer be available, there may be an anonymized email address listed for contacting the registrant or the registrar for claims of abuse. Traditional tools such as a website “Contact Us” page, IP addresses, nameservers, and entity registration information available from government websites could provide useful information for effective investigation and initiation of enforcement in certain circumstances.