On May 25, 2018, the European General Data Protection Regulation (“GDPR”) went into effect. Although the GDPR has many provisions that will impact the way all companies operate online and how they protect the personal information of their customers and employees, the GDPR will also have a significant impact on the information available online to the general public about domain name registrants. The GDPR requires changes that make it much more difficult to identify registrants of domain names. These changes will also significantly impact the costs, effectiveness, and complexity of investigating and pursing infringers, counterfeiters, and all other domain registrants.
ICANN regulations require that all domain registrants provide accurate contact details including their name, address, telephone number, and email address when registering a domain. Registries and registrars are still required to provide access to these contact details though ICANN’s WHOIS database. Some registrants can choose additional steps to maintain their privacy by registering their domain name(s) through privacy-protection services that mask the registrants’ actual contact details but which agree to forward any communications addressed to the privacy-protection service to the actual domain registrant.
The GDPR now requires companies to protect the personal data and privacy of individual residents of EU countries. The GDPR limits the information that may be collected to that which is “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.” The information that companies must protect includes a person‘s name, telephone number, postal address, and email address—precisely the information that registrars and registries must collect and make public under ICANN’s rules. ICANN has acknowledged that its requirement for full public disclosure of a registrant’s contact details cannot co-exist with the requirements of the GDPR. However, until additional ICANN rules are implemented, the GDPR’s restrictions will likely override ICANN’s goals and policies and prevent the publication of registrant contact details in the WHOIS database.
The GDPR applies to all registrants, registrars, and registries where the registrar or registry is established in the EU or offers services to registrants located in the EU, or where the registrar or registry processes the personal data of registrants on servers located in the EU. Therefore, although it is an EU-issued regulation, the GDPR has far-reaching impact that will require all but a few closed registries to comply with its requirements.
Since its implementation, the GDPR has resulted in nearly all contact details being removed from publically-available WHOIS records. These changes have made it far more difficult to contact any domain registrants unless the registrants have opted to allow their information to be publically displayed or have posted contact details at their websites.
On May 17, 2018, ICANN adopted a new resolution intended to address the conflict between ICANN’s regulations and the GDPR requirements. ICANN’s temporary specification still requires registrars to collect all registration data but makes clear that the only information that must be shared in public WHOIS inquiries includes details identifying the sponsoring registrar, the status of the registration, and the creation and expiration dates. Users seeking additional contact details for a domain registrant must have a legitimate purpose for obtaining this information. Users with a legitimate purpose should be able to request non-public registrant contact information from the registrar. The temporary specification also states that registrars and registries should enable interested parties to contact domain registrants through an anonymized email or web form.
Despite the requirements set forth in the temporary specification, it provides no clear instructions to registrars and registries as to what purposes would be considered legitmate bases for obtaining otherwise private contact details for registrants, what methods an interested user can use to request protected contact information from a registrar or registry, or how registrars and registries should provide anonymized email or web forms to enable communications with registrants.
Because of this lack of guidance, few registrars or registries have published guidelines for who may request information protected by the GDPR or how such requests should be made. In some instances, a subpoena or other court order may be required before those details will be released. It is also possible that the information published in WHOIS will be limited to just one or two relevant details, although it is not clear if those limited details will facilitate communications with the registrant. Another potential solution would have registries request that parties seeking complete WHOIS contact details for a domain registrant explain their reasons for doing so (e.g., the inquiry comes from law enforcement, the domain raises a legal problem and the inquiry comes from an interested party or their legal representative, or the information is being collected for a legitimate business purpose). An example of one such questionnaire can be found at the German registry for the .de ccTLD extension (https://www.denic.de/webwhois/). Until ICANN issues further guidance on this issue, there will likely be a hodgepodge of solutions offered by the over 2,000 registrars and registries currently operating around the world with policies and procedures that that vary from country to country and among registrars and registries.
Ultimately, until ICANN issues new rules and guidance on the matter, it is going to be far more complicated to identify domain-name registrants, particularly when those domains or registrants are based in the EU. The ability to search for all domains owned by a single registrant will be severely compromised. It may be difficult to find a postal or email address to which a cease and desist letter can be sent. Disputes that may once have been resolved with a letter or through an undercover purchase of a domain may now require litigation, as it will be impossible to contact the registrant until legal proceedings have begun.
In addition to the workarounds being offered by registries, Fross Zelnick intends to rely on historic WHOIS records which should continue to show contact details for registrants as they existed before implementation of the GDPR. Although these records will grow stale over time, they should help bridge the gap until a permanent solution is adopted by ICANN, or registrars and registries agree to an accepted industry standard to allow brand owners to continue to police their rights without having to proceed with litigation in the first instance, whether in court, or through UDRP or URS proceedings. Fross Zelnick will also be monitoring the various ways that registrars and registries implement ICANN’s temporary specification and report any emerging trends as they become apparent.
Plans are also in place to help brand owners protect their rights by permanently modifying ICANN’s rules and procedures to accommodate both the GDPR and the interests of brand owners. Many of the concerns and proposals that have been submitted are summarized in “The Cookbook,” a proposed Interim Model for Compliance with ICANN Agreements and Policies in Relation to the European Union’s GDPR. Though it is unlikely that the Cookbook will result in any official ICANN policy changes before the temporary specification is up for review in August 2018, we will continue to monitor the discussion and proposals that are currently under consideration and will update our clients as the final implementation of ICANN’s rules arising from the Cookbook and other negotiations begin to take shape.