The WHOIS system is an invaluable tool for trademark owners and yet, the system is about to change forever thanks to the introduction of GDPR.
WHOIS services, allow trademark owners and their lawyers to identify domain holders and to enforce rights against illegal website content or bad faith domain name registration and use.
Under the current system, when an individual or organisation registers a domain name, they have to provide certain information including their name and contact details. Domain operators and registrars are then required to provide free public access to that information. However, the General Data Protection Regulation (GDPR) adopted by the European Parliament in 2016, prohibits the collection and disclosure of any such personal data where it relates to EU citizens. Companies which breach the GDPR could face fines of up to €20 million or 4% of their annual global turnover. The current system could amount to such a breach.
Proposals put forward by WHOIS service providers for GDPR compliance, include the use of anonymized email addresses whereby messages would be forwarded on to domain owner's real email addresses, as well as the redaction of certain personal data from the public sphere. Full registration details including registrant's names and contact details would only be available upon registration and the payment of a fee. These proposals have received criticism from trademark owners and intellectual property lawyers on the basis that they would prove to be a severe hindrance to crime prevention. It was argued that the disclosure of domain owner's names and email addresses is necessary for enforcement purposes and without the redacted information, the WHOIS service is of little value.
It is unlikely that a fully workable, GDPR compliant model will be finalised before the Regulation comes into force next month and as a result, we face a period of at least six months where the data relied on by trademark owners to identify and enforce against infringers is no longer available; not even in redacted form.
Meanwhile, more than 317,000 organisations and individuals are set to lose their domain names altogether. Last month, the European Commission announced that UK based companies and citizens will no longer be entitled to register or renew .EU domain names, following Brexit. .EU domains held in the UK could be revoked, without any right of appeal, as early as the withdrawal date which is currently scheduled for 30 March 2019.
The decision to cancel existing domains with immediate effect, has been heavily criticised for going against the industry norms which usually permit grandfathering of domains; with many pointing out the fact that over 100,000 sites with the domain .SU are still live, despite the collapse of the Soviet Union in 1991. Even EURid, the company that runs .EU, has made it clear that that it was not consulted or even informed of the decision prior to it becoming public knowledge.
Ultimately though, the EU has the right to decide who can register a .EU domain and the 2006 rules do clearly sate that the domain is only available to individuals with EU residence and organisations that are established within the EU. As the Commission points out, the UK voted itself out of the European Union and following Brexit, it will become a "third country". It residents will therefore, have no legal rights over the .EU TLD.
So what does the change mean in practice? The Commission's decision is "subject to any transitional arrangement that may be contained in a possible withdrawal agreement". The issue will likely form part of any Brexit negotiations and it is possible that the UK will push back on certain aspects, such as the immediacy of such revocations and the lack of any legal recourse for those affected. Despite this (somewhat faint) glimmer of hope, UK based .EU domain owners should consider setting up alternative domains now, to allow themselves sufficient time to prepare new branding and marketing, as well as any necessary redirects other necessary changes.