Just over one year since the implementation of the General Data Protection Regulation 2016/679 (GDPR), and the scrutiny by supervisory authorities across Europe is in full swing as they shape their powers with investigations and penalties to meet national appetite towards data protection compliance. While the GDPR continues to fulfil its intentions of protecting the privacy of individuals, a lesser-known impact has been on brand owners who face additional hurdles in tackling website and domain name infringements.

Identifying the registrant is an inevitable starting point in any online enforcement action. Quite often, this leads to new strands of enquiry, unearthing other activities of the registrant that may support a brand owner’s claim of infringement, including discovering other domain names or websites that could cause concern. More importantly, stern letters with a threat of proceedings can be directly addressed to registrants and this remains the most cost effective option to provide rapid relief.

Prior to the GDPR, a crucial investigative step for a brand owner systematically involved consulting the WhoIs database to obtain publically available details such as the name of the registrant of the domain name in question, and their contact details. Post-GDPR, the masking of registrant details on the WhoIs database has naturally impeded on a brand owner’s ability to rapidly respond to online infringements.

The aim of this note is to consider self-help options available to brand owners in a post-GDPR world, where the details of the registrant of a website or domain name are less readily available.

Now what?

A majority of the redaction has resulted from ICANN’s (the registry managing ‘generic’ top-level domain names or ‘gTLDs’ such as .com.net and .org) response to the GDPR, involving a blanket redaction of all registrant details irrespective of whether they are legal or natural persons. ICANN is currently in consultation for the development of a Unified Access Model for non-public WhoIs data aimed at law enforcement and intellectual property rights holders. But until this is finalised, registrant information for gTLDs will continue to be limited.

Having said this, brand owners should bear in mind that although there has been a substantial stripping of publically available WhoIs data, not all registries have applied the same approach as ICANN towards their compliance with the GDPR. Approaches towards collection, redaction and disclosure of a registrant’s details will vary between registries, especially between those that manage territory-specific domain names (like .fr or .eu, known in tech-jargon as ‘country-code top-level domains’ or ‘ccTLDs’).

ccTLD registries are bound by domestic legislation that may mandate the disclosure of the registrant’s details, thereby providing a lawful basis under the GDPR for publication of those details. A clear example of this is the Danish Act on Internet Domains under which the Danish registry, DK Hostmaster, is obliged to maintain a public WhoIs database for registrants of the .dk ccTLD [1]. By comparison, in absence of any express UK legislation for disclosure, the UK registry Nominet (.uk) has taken the approach of relying on the registrant’s consent provided to the registrar under article 6(1)(a) of the GDPR [2] to publish their details on WhoIs. It is therefore still worth conducting a search against the WhoIs database as some registrant details may still be available post-GDPR.

Where a brand owner comes across domain names that no longer have registrant details publically available, some creativity and sleuthing skills will need to be applied. These include:

  1. Investigating the website associated to the domain name for contact details (which, if any services are directed at European consumers, must be available on the website in accordance with Article 5 of the Electronic Commerce (EC Directive) Regulations 2002).
  2. Consulting historic WhoIs data and historic snapshots of websites.
  3. Contacting the engaged registrar, whose details may be more readily available on the WhoIs database, to seek disclosure of the registrant’s details (although in the absence of a court order compelling disclosure, this is rarely fruitful).
  4. Considering whether the registry managing the domain name provides a ‘data release’ procedure under which a request may be made to obtain a registrant’s details. For example, the .uk registry Nominet has published their policy here.
  5. Investigating whether the registry in question provides for any other grounds for cancelling or transferring a domain name under their terms and conditions or policies. For instance, providing inaccurate information about the registrant (as the case may be for websites looking to hide behind false identities) may be a breach of a registry’s terms and conditions.
  6. Using, where available, an anonymised email address or web-based contact form that a registrar makes available for direct correspondence with registrants.
  7. If a website is being used to sell infringing goods, conducting a “test purchase” of a sample item for the purpose of inspecting any accompanying packaging or paperwork. If a telephone number is provided, one possibility is then to try to obtain a “returns address” to be used for correspondence purposes.

It is difficult to be certain which of the above routes will achieve the quickest result. A combination of the above may need to be undertaken, and with enough perseverance, somewhere, someone or something will hopefully reveal the registrant.

Domain Name Dispute Resolution Services

A further option where a trade mark is used in an offending domain name itself would be to consider making use of the relevant registry’s dispute resolution services.

The most widely used dispute resolution service is the Uniform Domain Name Dispute Resolution Policy (UDRP) adopted by ICANN and 40 other ccTLD registries [3]. An advantage of UDRP complaints is that these can be filed and accepted without registrant details. Subject to a filing fee (which starts at $1,500), UDRP complaints may prove to be a more suitable solution where brand owners simply seek to take down a website by cancelling or transferring a domain name.

A further advantage of the UDRP process is that registrars are required to provide registrant information to the UDRP provider, which is then transmitted to the complainant. A brand owner’s resources may, therefore, be put to better use on filing a UDRP complaint than independently pursuing registrant details. Furthermore, where a dispute is referred to the World Intellectual Property Office (WIPO) (the most active provider of domain name dispute services), complainants are entitled to a partial refund of the filing fees if the complaint is withdrawn early enough in the process, which can be a cost-cutting strategy in itself [4].

Roughly 20% of cases at the WIPO settle before a panel is appointed [5], and in March 2019, WIPO reported that domain name complaint filings had increased by 12% in 2018 [6]. This suggests that brand owners are flocking towards the UDRP process as a viable alternative, and potentially only to use the process to obtain registrant details to engage in informal enforcement tactics.

Registries who have not adopted the UDRP Policy, will have their own dispute resolution service, although these are subject to different rules, fee structures and, even more frustrating, may require the elusive registrant’s details. On a positive note, these registries can often be cooperative in releasing registrant data for no fee. By way of example, the UK Registry Nominet has adopted a policy which expressly states that a request made by a rights holder requiring registrant data “so that they can be included in a Dispute Resolution Service complaint” will be a legitimate request [7].

However, an important limitation in using such dispute resolution services is that remedies are constrained to the transfer or cancellation of the infringing domain name. Furthermore, the domain disputes process alone may not be a deterrent to infringers who can subsequently register other infringing domain names (such as typo-squatting), forcing brand owners to deal with a “whack-a-mole”-like problem. A brand owner seeking more appropriate remedies such as damages, a substantial costs award or an injunction will therefore still need to issue formal court proceedings.

Summary

The GDPR and lack of harmonisation between registrars and registries have contributed to a less friendly environment for enforcement of intellectual property rights online.

Although some ccTLD registries maintain public records or have provided some guidance for access to registrant details, the persisting popularity of gTLDs among businesses (of which 133.9 million .com domains alone were registered as of 31 March 2018), is such that a brand owner is now far more likely to face issues arising from hidden registrant details. This article has explored some of the investigative steps and processes which can be adopted and there is some hope that the position could revert back to something closer to a pre-GDPR world as discussions are ongoing around a ‘Unified Access Model’. The aim here will be to balance the interests of protecting an individual’s personal data and the interests of combatting intellectual property infringement.

However, until then, brand owners will need to accept that obtaining registrant details will be slightly more… domain-ding.

Sources

[1] https://www.dk-hostmaster.dk/en/node/473

[2] https://registrars.nominet.uk/news/nominet-announcements/gdpr-changes-uk

[3] https://www.wipo.int/amc/en/domains/cctld/

[4] Para 5(c) https://www.wipo.int/amc/en/domains/supplemental/eudrp/newrules.html#10

[5] https://www.wipo.int/amc/en/domains/gdpr/

[6] https://www.wipo.int/pressroom/en/articles/2019/article_0003.html

[7] https://www.nominet.uk/privacy-notice/releasing-your-personal-data-to-third-parties/