The European Union’s General Data Protection Regulation (GDPR) which came into force on 25 May 2018 has brought significant new challenges for brand owners, in terms of their ability to enforce trade mark rights.
ICANN’s WHOIS domain name lookup service has been an invaluable research tool for trade mark owners and their representatives, enabling them to look up the contact details for the owner of a domain name. However, GDPR has caused a conflict between the contractual requirements of ICANN to collect and make certain personal data publicly available and the obligations of GDPR to protect personal data.
ICANN contractually requires the collection of three sets of contact data, so that as well as requiring the domain name registrant’s personal details (including name, email and telephone number), it also requires personal information belonging to administrative and technical contacts. However, this requirement is incompatible with the data protection principles under GDPR.
Under GDPR, there must be a lawful basis for the processing and the processing must comply with the data protection principles. Personal data must, amongst other things, be collected for “specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes” and further, the data minimisation principle of the GDPR requires that organisations only collect as much data as it needs for a specific business purpose. The publication of the contact details of individuals is not necessary in order to register a domain name and the collection and publication of three different sets of contact details conflicts with the data minimisation principle.
ICANN tried to come up with a workable solution by which the database would be GDPR-compliant but this was not achieved prior to the 25 May deadline. As a result, for at least the next several months, WHOIS is undergoing a blackout during which critical domain registration information will no longer be publicly available. Currently, only very basic information is available, e.g. domain registration date and registrar details.
Without ownership data available through WHOIS, it is going to be very difficult for trade mark holders to identify cybersquatters or the registrant of an infringing domain name, making it easier for infringers to avoid detection.
ICANN is currently appealing a recent ruling by a court in Germany on the issue of domain data gathering “to seek clarity on how to maintain a global WHOIS system and still remain consistent with legal requirements under the GDPR”. In addition, ICANN has recently published a framework with a process for third parties wishing to access non-public WHOIS data. This foresees the creation of an accreditation system, whereby rights holders would apply for a token, to enable them to request access to hidden WHOIS information. The cost implications remain uncertain.
In the meantime, brand protection representatives will have to pursue other routes, including sending complaints to the registrar abuse contact.