On May 25, 2018, the European Union's new General Data Protection Regulation (GDPR) will take effect. While the regulations are a welcome change for many privacy advocates, they will introduce a new set of challenges for brand owners seeking to enforce their intellectual property rights online by essentially disabling an important tool in a brand owner's arsenal. It appears increasingly likely that the WHOIS system, which makes the contact details of domain name registrants publicly available, will soon enter a months-long blackout period, since the publication of certain WHOIS data runs afoul of GDPR and any interim compliance model will not be fully operational by May 25.
GDPR
GDPR replaces the EU's current Data Protection Directive of 1995. It is intended to protect the personal privacy and data of individuals in the EU, though its impact will be global. The regulation generally applies to any individual, company, or organization - regardless of their location - that processes personal data relating to individuals in the EU. Among other things, GDPR requires organizations to have a lawful basis for any personal data they process, such as consent of the individual. For purposes of GDPR, "personal data" means "any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."
Failure to comply with GDPR could result in administrative fines of up to €20 million or 4% of a company's annual global turnover of the preceding fiscal year, whichever is higher. More information is available here.
Impact on WHOIS Data
The WHOIS system, which contains information including the name, address, email, phone number, and administrative and technical contacts for domain name registrants, is maintained by the Internet's global domain name organization, the Internet Corporation for Assigned Names and Numbers (ICANN). Currently, ICANN requires that domain name registrars and registries provide the public with unrestricted access to this data. However, in some instances, ICANN arguably does not have a lawful basis to process such personal data under GDPR. Thus, the disclosure of WHOIS information may soon subject ICANN's contracting registrars and registries to harsh penalties under GDPR.
ICANN is now racing to devise a solution that will balance data protection considerations and GDPR compliance against the desire to maintain the existing WHOIS system to the greatest extent possible. ICANN recently proposed an "Interim Compliance Model" and has called for a temporary moratorium on enforcement of GDPR with respect to WHOIS data. For the latest updates from ICANN, see here.
The Interim Compliance Model
ICANN's Interim Compliance Model proposes layered access to WHOIS data. Under this approach, the publicly available WHOIS data will include the registrant's organization (if applicable), the registrant's state or province and country, and an anonymized email address or web form from which email can be forwarded to the registrant. The data will not include real names of individual registrants or actual email addresses. Other information will not be public, but may be available to approved users such as law enforcement officials and IP attorneys "based on predefined criteria and limitations that would be established as part of [a] formal accreditation program."
Various aspects of the Interim Compliance Model have been criticized by EU data protection authorities, ICANN's contracting parties, brand owners, and stakeholders such as the International Trademark Association (INTA). For example, INTA has commented that providing an anonymous email address or web form to contact a registrant is not a sufficient substitute for an actual email address, since elimination of this information may prevent investigators from recognizing patterns of abuse and illegal activity by repeat offenders. INTA has also expressed concern about the lack of clarity about access to non-public WHOIS data, including who would be considered an authorized third party, what criteria or limitations would be in place for accreditation, and the timeline for finalization of any accreditation program. ICANN's contracting registrars and registries, on the other hand, may fear that even the Interim Compliance Model could subject them to GDPR's penalties, if publishing registrant organization information would include personal data. In bids for compliance, various registrars have started to roll out their own policies regarding the availability of certain WHOIS data, which threatens to create a fragmented universe of WHOIS information.
How Brand Owners May Be Affected
Without access to certain WHOIS data, brand owners may be unable to identify and contact directly the registrants of websites that sell counterfeit goods or host infringing content, making enforcement initiatives more difficult or costly to pursue. Further, it may become more difficult to prove that websites have been registered and used in bad faith when bringing a complaint under the Uniform Dispute Resolution Policy (UDRP), since WHOIS data can often be a valuable source of information to show a pattern of bad faith or abusive registrations. Without full access to WHOIS data, UDRP complainants may also run into procedural snags, including difficulty determining when multiple domains are commonly owned and may be consolidated into one complaint.
On May 25, ICANN will likely place all of the currently available WHOIS data behind a wall until it implements its accreditation mechanism for access to certain restricted data. In a draft timeline released on April 20, ICANN indicated that it could take up to a year for any interim model to be fully implemented. In short, it appears that the WHOIS system will never be the same and that there may be little to no access to WHOIS data for a significant period of time.
In the interim, brand owners and their counsel will be forced to investigate and pursue online infringements more creatively. Where an infringing website does not provide any clues about the infringer, it may be possible to glean information from the site's IP address or nameservers. Counsel may consider making demands to registrars or other intermediaries for registrant contact information, bringing proceedings under the UDRP where possible, filing "John Doe" lawsuits with subpoenas for information, or referring matters to private investigators or law enforcement officials.
Brand owners are encouraged to consider their online enforcement
priorities and legal budgets ahead of the likely May 25 blackout
period, with the understanding that certain initiatives may become
more costly to pursue during any WHOIS data blackout.
This alert provides general coverage of its subject area. We provide it with the understanding that Frankfurt Kurnit Klein & Selz is not engaged herein in rendering legal advice, and shall not be liable for any damages resulting from any error, inaccuracy, or omission. Our attorneys practice law only in jurisdictions in which they are properly authorized to do so. We do not seek to represent clients in other jurisdictions.
