• ICANN presents EPDP report, offering recommendations for domain data access
  • Envisions central system that routes registration information requests to registrars
  • Industry expert welcomes move but notes “there is still much to be done”

ICANN has opened a public comment on the Initial Report of the Phase 2 Expedited Policy Development Process (EPDP) on the Temporary Specification for gTLD Registration Data Team. The report contains recommendations related to future access to domain registration data, with one industry expert welcoming the development, but warning that “there is still much to be done”.

The WHOIS blackout continues to pose challenges for those engaged in online brand protection efforts. This phase of the EPDP has focused on the creation of a policy for a system of standardised access/disclosure (SSAD) of non-public registration data by third parties with a legitimate interest in obtaining it. The system envisioned is one in which requests are made through a system run by ICANN (or a party it contracts), with the request then going to the contracted party (eg, a registrar) responsible for making the decisionwhether to pass over the data or not.

The EPDP team therefore recommends that a policy for accreditation of SSAD users is established, with both legal persons and/or individuals eligible for accreditation. This would be achieved via a single Accreditation Authority, managed by ICANN, which would verify the identity of a requestor. This authority which therefore would need to create validation and credential management procedures, create a dispute resolution and complaints service, regularly report on the number of accreditation requests and complaints received, and have a process for accredited user revocation where is it is deemed that a user is abusing the system.

The decision on whether to authorise disclosure of registration data would then reside with the registrar, registry or the central gateway manager (a role performed by or overseen by ICANN, being responsible for routing of SSAD requests that require manual review to the responsible contracted parties), as applicable.

So, what would the proposed system mean for rights owners requiring domain registration information for enforcement purposes?

With respect to third party requests, the report states that they may be submitted for purposes including criminal law enforcement, national or public security, non-law enforcement investigations and civil claims (including intellectual property infringement and UDRP and URS claims, and consumer protection, abuse prevention, digital service provider (DSP) and network security). However, assertion of one of these purposes does not guarantee access in all cases – it all comes down to an evaluation of the merits of the specific request, compliance with all applicable policy requirements, and the legal basis for the requests.

As to the type of requests, the EPDP Team recommends that each SSAD request must include all information necessary for a disclosure decision, including the following information:

  • The domain name pertaining to the request for access/disclosure;
  • Identification of and information about the requestor (including accreditation status, if applicable, the nature/type of business entity or individual, power of attorney statements, etc);
  • Information about the legal rights of the requestor specific to the request and the specific rationale and/or justification for the request;
  • Affirmation that the request is being made in good faith and that data received (if any) will be processed lawfully;
  • A list of data elements requested by the requestor, and why these are adequate, relevant and limited to what is necessary.

Having acknowledged receipt of a request, the contracted party to which the disclosure request has been routed is required to review it on its merits. While disclosure cannot be refused solely for lack of, for example, a court order, subpoena, pending UDRP or URS proceeding (or, positively, because the request is founded on alleged intellectual property infringement in content on a website associated with the domain name), the contracted party has to determine whether the legitimate interest of the requestor is not outweighed by the interests or fundamental rights and freedoms of the data subject.

Susan Payne, head of policy at Valideus, reflects: “The decision on whether to disclose the data will rest with and be made by the individual contracted party (generally the registrar). This seems an inevitabibility, given the response from the data protection authority about where the liability rests, and lies at the heart of contracted party determination that if they will be on the hook as the controller for a wrongful disclosure they should also be the ones making the decision. Whilst understandable, this does mean that even with the efforts to bring standardisation to requests, the format of responses, and the factors to be taken into account in making the balancing assessment whether to disclose, there will inevitably not be the hoped-for predictable outcome for the requesting party.”

Two questions that arise from the creation of a new accreditation and request system relate to costs and responsiveness. On the former, the EPDP Team recommends that the costs for developing, deploying and operationalising the SSAD system will initially be borne by ICANN, contracted parties and other parties that may be involved. The subsequent running of the system is then expected to happen on a cost recovery basis: “For example, if the SSAD includes an accreditation framework under which users of the SSAD could become accredited, the costs associated with becoming accredited would be borne by those seeking accreditation. Similarly, some of the cost of running the SSAD may be offset by charging fees to the users of the SSAD.”

Given that, as the report notes, governments may be subject to certain payment restrictions, it could create a situation where rights holders pay more for their requests (on top of payment for periodic renewals of the accreditation status). The worry would be possible profiteering but, positively, the EPDP team recommends that the SSAD not be considered a profit-generating platform for ICANN or the contracted parties – something rights holders will be keen to support. A situation in which the system is used as a revenue generator at the expense of trademark department budgets, or where cost is used as a way to deter requests, would be an unpalatable one for rights holders.

As to the timeframes associated with requests, one focus has been on automating where possible, for instance in the receipt, authentication and transmission of SSAD requests. Payne comments: “There are some efforts to fully automate some categories of request that is, both the validation of the incoming requests for disclosure and the disclosure decision itself. There is good news for brand owners in that requests from URS/UDRP service providers are envisaged to be fully automated from the outset, along with requests from local enforcement authorities within an applicable jurisdiction, but this is nevertheless still very narrow. The Initial Report notes that the EPDP will be considering this further, and members of the working group have proposed various other possible request-types that might be considered for fully automated disclosure, including a scenario involving ‘clear-cut’ trademark claims. It remains to be seen, however, whether any of these will be adopted from the outset, or at all.” 

As part of that determination, public comments will be weighed up (with the window for submissions open until 23 March) prior to the creation of a final report. It is a comment window that rights holders should engage in. As Payne concludes: “The report represents an important and welcome step towards standardised and predictable access to registrant data, but there is still much to be done.”

 This article first appeared in World Trademark Review. For further information please visit https://www.worldtrademarkreview.com/corporate/subscribe