For brand owners seeking to enforce IP rights, the first port of call when faced with potentially infringing behaviour over the internet is often a ‘WHOIS’ registry search. There are over 2,500 national registrars and registries, each approved by the Internet Corporation for Assigned Names and Numbers (ICANN), which collect information about internet domain names, including the registrant’s name, address, contact email address and telephone number, as well as certain technical and administrative contact details relating to a given domain name. ICANN is responsible for coordinating the global WHOIS database for generic top-level domains, based on the national records.
WHOIS registries are therefore an important tool for brand owners in seeking to enforce and protect intellectual property rights over the internet. This is because the information they provide is often instrumental in:
- preparing and issuing letters of claim
- filing challenges under the various alternative dispute resolution mechanisms (such as the ICANN Uniform Domain-Name Dispute-Resolution Policy, which offers a cost-effective process by which to pursue domain registrations registered by third parties in ‘bad faith’)
- establishing patterns of infringing behaviour or otherwise communicating with registrants of specific domain names.
WHOIS registries are also vital to the work of law enforcement agencies in preventing fraud, phishing, illicit online activity and other serious internet-based crimes. However, since the coming into force of the EU General Data Protection Regulation (GDPR) in May 2018, the majority of WHOIS data (which falls within the definition of ‘personal data’ under data protection law) has now ceased to be available, resulting in what many have termed the ‘WHOIS blackout’.
WHOIS Registries & Data Protection
The compatibility of the publication by WHOIS registries of this personal data with EU data protection laws has been the subject of considerable and fraught debate since 2003. Exchanges between ICANN and the newly titled European Data Protection Board regarding the implementation of the GDPR culminated in ICANN’s Temporary Specification for gTLD Registration Data, which was approved by ICANN’s board on 17 May 2018. The temporary solution requires registrars to collect registration, administrative and technical data in connection with a domain name registration, but proposes that access to this be restricted via a layered/tiered system. Users with a legitimate purpose are still, in principle, able to request access to non-public data through the registrars, although it is up to those registrars to determine which requests are permissible under the GDPR.
ICANN’s interim solution has been criticised as providing a vague and flexible model that leaves the door open to varying interpretations on compliance.
ICANN v EPAG Domainservices, GmbH
One such interpretation has recently come to the fore in the form of an announcement from German domain registrar EPAG (a Germany-based, ICANN-accredited registrar that is part of the Tucows Group) that it would no longer collect technical and administrative contact information following the GDPR’s implementation. In a bid to fend off potential further challenges, on 25 May 2018 – the same day that the GDPR took effect – ICANN filed for an injunction against EPAG requiring it to reinstate the collection of all WHOIS data (technical and administrative contact data included) under its existing agreement with ICANN.
ICANN's application, made before the Regional Court in Bonn, Germany, was unsuccessful. In issuing its ruling that ICANN could no longer compel the collection of this data, the Regional Court reasoned that, because it was possible for a domain registrant to provide the same data for the registrant and for administrative and technical contacts, ICANN had not demonstrated that the collection of such data was ‘necessary’ for those contacts. The collection of domain name registrant details, as the primary person with responsibility for the registration, should be sufficient for these purposes, especially with regard to criminal activity or infringement issues. In addition, the Regional Court noted that a domain registrant could consent and provide administrative and technical contact data at its discretion, should it decide to do so.
On 13 June 2018 ICANN issued a statement on its website indicating that it had filed an appeal with the German Higher Regional Court, and was willing to take the matter to the European Court of Justice in the event that the Higher Regional Court chose to follow the first instance decision or was ‘not clear about the scope of the GDPR’ generally. ICANN has said that its intention is to ‘assure that all such data remains available to parties who demonstrate a legitimate purpose to access it, and to seek clarification that, under the GDPR, ICANN may continue to require such collection.’
On 21 June 2018, upon receipt of ICANN’s appeal, the Regional Court had the option to either re-evaluate its decision, or affirm its decision and immediately forward the matter to the Higher Regional Court for consideration of the appeal. The Regional Court has opted for the former course of action, and has asked EPAG to comment on ICANN's appellate papers within two weeks.
In the meantime, ICANN continues to pursue ongoing discussions with the European Commission and the European Data Protection Board to gain further clarification of the GDPR as it relates to WHOIS services.
How the tensions between the two systems will play out in the long term remains uncertain. There continue to be a number of question marks over the practical implementation of ICANN’s temporary specification and, in particular, whether ICANN’s proposed layered/tiered system will lead to a fragmented approach with differing requirements for the access of registration data. This decision is likely to be the first of a series of challenges as the relevant parties attempt to navigate uncharted territory. While the decision of the German courts (and potentially the European Court of Justice) may deal specifically with the impact of the GDPR on the collection of technical and administrative data, it is hoped the decision will provide some welcome clarity and guidance towards the preservation of a global WHOIS system that remains consistent with data protection requirements.