GDPR and the UDRP: Opposites Don’t Attract

If you’ve checked your email at all in the past month, you’ve likely been inundated by messages with titles like “Privacy Policy Updates.” These updates come en masse in the wake of the European Union’s new General Data Protection Regulation (GDPR), which regulates the processing of personal data relating to individuals in the EU. While the GDPR was intended to protect the privacy of European citizens, it has already had an impact on intellectual property enforcement across the world, particularly on ICANN’s Uniform Domain Name Dispute Resolution Policy (UDRP) and similar services, as well as the integral “WHOIS” search function.

WHOIS is a protocol used to search online databases and identify domain name registrants. Rather than being centrally managed in a single database, WHOIS data is collected and administered by various registries and registrars according to the terms of their contracts with the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN has agreements with thousands of domain registrars around the world, such as GoDaddy and HostGator, which require registrars to post WHOIS data – such as names and contact information like emails and phone numbers – for every person who registers a domain with their service. Through WHOIS, anyone can then look up the contact information of a website domain name registrant (unless that registrant has opted to hide their information through an online privacy service). This set of tools has proven to be invaluable to trademark owners pursuing domain name disputes against cybersquatters – those who register Internet domain names containing trademarks belonging to others with the intent to extort money by selling the domain name to the trademark owner or a third party.

As an alternative to more expensive and time-consuming federal court litigation, a trademark owner may address abusive registration of domain names by pursuing an expedited administrative proceeding under the UDRP, where WHOIS serves as a crucial source for identifying the proper respondent and proving other elements of the claim, which include that (i) the alleged infringer’s domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights; (ii) the alleged infringer has no rights or legitimate interests in respect of the domain name; and (iii) the disputed domain name has been registered and is being used in bad faith.

Under the GDPR, however, identifying domain-name holders, including cybersquatters, and consequently proving the key elements of a UDRP claim, becomes a much more challenging process. Previously, trademark owners and their attorneys could easily access a WHOIS database to find out who owned and operated an infringing website. The GDPR, however, prohibits publishing personal information that identifies individuals. This means that the WHOIS agreements between ICANN and domain registrars like GoDaddy are now potentially illegal under the new regulation. While the GDPR allows certain carve-outs for uses of personal information, such as where a user has a “legitimate interest,” the applicability of these safe harbors is not clear. As a result of this increased uncertainty and liability exposure, some domain name registrars, such as the German-based EPAG, are already refusing to honor their agreements with ICANN. Citing concerns that collection of WHOIS data would violate the GDPR, EPAG informed ICANN that it would no longer collect administrative and technical contact data when it sells new domain name registrations. This dispute is now working its way through the German court system.[1]

In the face of this resistance from domain name registrars, ICANN has in place a “Temporary Specification,” effective as of May 25, 2018, which establishes temporary requirements to allow ICANN and domain registrars to continue to honor their contractual agreements while also complying with the GDPR. Under the Temporary Specification, WHOIS queries return only “thin” data, which includes technical data sufficient to identify the registrar, status of the registration, and creation and expiration dates for each registration, but not personal data. Users can contact registrants, but only through an anonymized email or web form. The feasibility of requiring registrants to have only one uniform anonymized email address across domain name registrations at a given domain registrar (as opposed to each domain name registration having a unique anonymized email address) remains unclear. While ICANN has recently released a “Toolkit” for IP professionals to assist in post-GDPR information gathering, this is a far cry from the easy public access to WHOIS data previously allowed and it greatly impacts the ability of trademark owners to rely upon the UDRP as a method of pursuing cybersquatters.

For instance, one method of establishing bad faith in connection with a UDRP complaint is showing that there has been a prior pattern of bad faith registration. According to WIPO, “a pattern of bad faith conduct requires more than one, but as few as two instances of abusive domain name registration,” and includes situations “where the respondent registers, simultaneously or otherwise, multiple trademark-abusive domain names corresponding to the distinct marks of individual brand owners.” Thus, it’s helpful to look up other UDRP decisions in which a cybersquatter has been involved and cite any prior losses in a UDRP complaint.

Without knowing the name of a domain name registrant, however, it becomes incredibly difficult to find other UDRP proceedings in which the registrant is involved to establish a pattern of cybersquatting. While there are certainly other ways of proving the element of bad faith, the GDPR effectively renders this method useless.

The GDPR also makes the second element of a UDRP claim – proving that the alleged infringer has no rights or legitimate interests in the domain name – more difficult. One of the ways a domain registrant can have legitimate interests in a domain name is if the registrant has been commonly known by term(s) used in the domain name, even if it has acquired no trademark rights. Without knowing the name of a registrant, a complainant cannot determine whether the registrant has been commonly known by the domain name.

Lastly, under the UDRP, complainants can consolidate disputes. This means that a trademark owner can include several domain names in a single complaint as long as the domain names are all registered by the same domain name holder. This helps to streamline the UDRP process. Without knowing the identity of a registrant, however, it is near impossible for a trademark owner to identify other domain names registered by that same domain name holder. This means that under GDPR, consolidation is likely more difficult and the UDRP process less efficient, forcing trademark owners to file more complaints than before. Similarly, the continued viability of the “reverse-WHOIS” search, which can pull a list of other domain names owned by a registrant (and often show a pattern of questionable registrations), is in question given the uncertainty of whether or how registrants will be anonymized in the future.

Although it is aimed at achieving the laudable goal of protecting the privacy of European citizens, the GDPR clearly has the unintended side effect of making it more difficult for trademark owners to pursue cybersquatters. ICANN is still struggling to update its contracts in the wake of the GDPR and as a result, the fate of WHOIS is left up in the air and the UDRP administrative process is rendered less efficient, at least for now, and at least as it applies to domain names sitting in the catalogues of certain registrars.

[1] ICANN filed injunction proceedings against EPAG to ensure the continued collection of WHOIS data. LG Bonn, a German regional court, declined to issue an injunction. The Court did not, however, indicate in its ruling whether collection of such data would be a violation of GDPR.