The European General Data Protection Regulation (GDPR) will become enforceable on 25 May 2018. Among other things, it will affect domain name registrations and even the domain-name-related enforcement of IP rights. The most significant of these changes is the limitation of publicly available WHOIS data.
Due to the global nature of domain name registrations, all registrars worldwide will be required to follow the new data protection regulation, as they may handle personal data about data subjects who are in the EU. The Internet Corporation for Assigned Names and Numbers (ICANN), after continuous discussions with different stakeholders and experts, has developed an interim plan to ensure compliance with the GDPR requirements after 25 May. This plan specifies the legal purposes of processing personal data during domain name registrations and the scope of data that registrars and registries can collect and process. They can collect full Thick WHOIS data, but it can no longer be published in full. They can, however, share the full WHOIS data with each other and with escrow agents in accordance with the new GDPR requirements.
The most discussed question related to this topic is the future of the public WHOIS system. It was created at the dawn of the Internet age and has served as an essential resource for purposes such as law enforcement and intellectual property issues. ICANN has obliged registrars to publish registrant data in WHOIS. Registrants have not been asked to give explicit consent, although in some cases they could buy extra privacy services to hide their details in WHOIS. Neither the lack of a request for consent nor the privacy services comply with the new GDPR requirements. ICANN therefore has to find a balance between, for example, the need for security, the protection of intellectual property rights and the new European data protection rules. Nevertheless, the WHOIS system will be drastically changed. As of 25 May, according to the ICANN temporary specifications, only “thin” technical data will be publicly available (registrar, date and status of registration, expiration date). The registrant can be contacted through technical contact details (anonymized email).
During the ongoing discussions, different ways of providing accredited (layered/tiered) access to non-public WHOIS data were proposed. It is still uncertain how such access will be used by registrars across the world.
The limited nature of the publicly available WHOIS data will most certainly affect brand owners in different ways. Enforcement of intellectual property rights will become more difficult in areas such as identifying the registrant of an infringing domain name, consolidation during UDRP, investigating whether the registrant has any prior rights or legitimate interests in the name, and exploring further evidence of bad faith. All these difficulties will influence the efficiency, duration and cost of preparing for enforcement procedures. Specialized services such as domain name monitoring, which includes registrant data, will also be affected by the change.