Our series "Online enforcement" deals with particularities in the enforcement of rights on the Internet.
The identification of the person responsible for an online infringement is a major challenge for the rights owner. Proxy services and the EU General Data Protection Regulation restrict the information available on domain holders in the WHOIS directory and make enforcement more difficult.
Identification of domain holders
Online infringements (e.g. of Intellectual Property rights through the unauthorized use of trademarks or copyrighted works such as texts and images) are often difficult to prosecute and eliminate. In order to issue a notice or hold the responsible person accountable before state authorities, right holders must first identify, e.g., the website operator. In many cases, the domain holder is also the operator of the website. If there are no contact details given on the website, the information in the WHOIS databases can provide the necessary information about the holder of the domain name. For generic top-level domains (gTLD) such as .com or.org, the WHOIS directory of the Internet Corporation for Assigned Names and Numbers (ICANN) is relevant. For country-code top-level domains (cTLD), the respective local organizations are responsible as registries. For.ch and .li domains, SWITCH is currently in charge. The registries list the identification and contact information of the domain holder (registrant) and registration service provider (registrar) in their WHOIS register. Ideally, this information enables rights holders to identify the person responsible for the website and to locate the necessary contact details, such as e-mail and postal address.
Proxy instead of holder data
In recent years, more and more domain holders have been using so-called "proxy" services. These services allow the registration of domain names via third parties. The WHOIS database shows the contact information of the proxy provider, instead of the actual domain holder. As an advantage of this model, domain holders are no longer flooded with SPAM due to the published contact details. Unfortunately, however, the concealment of identity is also attractive for dubious providers and deliberately infringing persons. Reputable proxy service providers reserve the right to publish the owner data in cases of abuse. Although the proxy model has made it difficult to identify the domain holder, the WHOIS directories remain an important source of information for rights holders.
Less personal data in WHOIS
The WHOIS registers contain personal data (e.g. names, addresses) of domain holders. The EU General Data Protection Regulation (GDPR), which will take effect on 25 May 2018, influences the publication of personal data in the WHOIS register. The registrars will continue to request comprehensive information from the domain holder, as they usually need this to process their own contractual relationship with the customer. However, registrars will only provide WHOIS operators, e.g. ICANN, with limited information about domain holders. Registrars want to avoid accusations of transmitting personal data to third parties without sufficient prior information and, if necessary, the consent of the data subject.
ICANN is currently working with the relevant EU authorities to find a solution for the continuation of the WHOIS directory. As international registrars do not want to use different forms etc. for customers inside and outside the EU, ICANN has published a proposal for a transitional model (Interim Compliance Model) of the WHOIS database. The Interim Compliance Model only provides for the publication of the name of the respective organization (e.g. company), the (federal) state and the country of residence of the domain holder as well as an anonymous contact e-mail address. The publicly available version of the WHOIS register would contain neither the name of the natural person of the domain holder nor his/her complete address. ICANN also proposes a multi-step publication model where accredited governmental organizations and private parties (e.g. rights holders and lawyers) would have access to more detailed information.
Discussions between ICANN and the EU bodies are still ongoing. With the proposed Interim Compliance Model, right holders face an additional obstacle to identify the person responsible for infringing content. Rights holders will be able to send cease and desist letters/notices to the anonymized e-mail address. Intentionally infringing parties, however, will be able to conceal their identity through the new WHOIS design. Some registries in the EU already restrict WHOIS queries and require, for example, information on the purpose of the query and the interest of the party accessing the information (e.g. DENIC for .de domains). In Switzerland, the WHOIS directory remains unchanged for the time being (see SWITCH's position).
Developments in data protection law make it even more difficult to identify the persons responsible for online infringements. The rapid removal of infringing content is therefore a regular priority for rights holders. Our next article in the series "Online Enforcement" is dedicated to the role of hosting providers.