A recent case from the World Intellectual Property Organization (“WIPO”) illustrates new challenges brand owners face in domain name disputes through the Uniform Domain-Name Dispute-Resolution Policy (“UDRP”) as the result of Europe’s General Data Protection Regulation (“GDRP”).

The UDRP complainants were a collective of four French DJs (the “DJs”) who as early as 2011 had registered trademark rights in the United States, Europe, and elsewhere for PARDON MY FRENCH. The DJs filed a UDRP complaint to recover the <pardonmyfrench.com> domain name, which was registered through Contact Privacy Inc., a privacy-protection service for domain registrations.

To prevail in a UDRP action, a complainant must establish each of the following:

(1) the disputed domain is identical or confusingly similar to the complainant’s trademark or service mark; (2) the respondent has no rights or legitimate interests in the domain; and (3) the domain has been registered and is being used in bad faith.

The UDRP panel had no trouble finding for the DJs on the first two requirements. The domain was identical to the DJs’ registered trademarks, and nothing in the record indicated that the registrant had any rights to the phrase “Pardon My French,” or that any demonstrable steps had been taken to start using it for any legitimate or fair-use purpose.

However, the DJs failed on the third requirement. The panel first observed that the UDRP is written in the conjunctive, requiring both bad-faith registration and use. Here, the domain was created in 2002—years before the DJs acquired rights in PARDON MY FRENCH. Because the DJs’ brand did not exist in 2002, the domain could not have been registered with the intention of targeting the DJs’ brand.

An exception to this rule exists, however, where a complainant can establish that the current domain owner acquired the domain at some point after the domain’s creation date. Here, the DJs submitted evidence that the website had changed several times over the course of the domain’s life, which suggested the current registrant was not the original registrant. Also, the domain’s WHOIS record showed it had been updated as recently as August 2018.

The panel noted, however, that the nature of WHOIS update was not disclosed; moreover, it did not appear to coincide with any change in the domain’s website. This made it impossible to prove when or whether the domain had ever changed hands. Accordingly, the panel determined that it could not find that the domain had been registered in bad faith, and the complaint failed.

Notably, the panelist found: “It is not clear why the Registrar cannot provide information about the date the Respondent first became the registrant. It is, to say the least, highly regrettable in this case. One might expect that information is part of rudimentary customer relations and good data management practice, if nothing else.” In fact, DJs would have had difficulty learning this information for several reasons.

The first is that Europe’s GDPR, which protects against privacy breaches and data thefts, has had an enormous impact on the registrant data contained in public WHOIS records. The GDPR went into effect in May 2018, and different domain name registrars have taken different approaches to compliance: some selectively redact WHOIS data for EU residents only, while many have removed data for all domains save for an anonymous email address directed to the registrar.

Tucows, the domain registrar here, redacts registration data for all domains from the public WHOIS and has implemented a “gated WHOIS” system. As Tucows states, this system allows it to provide full WHOIS data only to “legitimate and accredited third-parties, such as law enforcement, members of the security community, and intellectual property lawyers.” If a domain is privacy-protected, however, and a complainant attempts to learn the underlying registrant’s contact information by contacting the registrar, Tucows will reveal only that the domain registrant is privacy-protected.

Further, privacy-protection services do not always reveal the underlying registrant contact information in response to a legal request. Contact Privacy, the registrant’s privacy service used here, provides an online portal that it claims allows users to send a message to the domain registrant. The domain registrant, however, is under no obligation to respond, and Contact Privacy does not reveal the domain registrant through this portal. Moreover, Contact Privacy’s Terms of Service provides the abuse@contactprivacy.com email address that purportedly allows users to report domain name abuse. Emails sent to this email address are, however, often returned as undeliverable or met with a direction to submit any complaints through Contact Privacy’s online portal.

In short, if the DJs could not obtain the identity of the domain registrant from the registrar or privacy service, obtaining more specific information, such as the date the registrant acquired the domain name, was even less likely.

Overall, however, the DJs may have been lucky. As required by WIPO’s UDRP Rules, upon initiation of the complaint, WIPO sent Tucows an email requesting registrar verification of the domain name. In response, Tucows revealed that the underlying domain name registrant was Bradley Merchant. Because the DJs had filed their initial complaint against Contact Privacy, WIPO gave the DJs a chance to amend the complaint, which they did. What the DJs failed to do is research Bradley Merchant further. Had they done so and searched the domain’s WHOIS history, they would have found that a Brad or Bradley Marchant had owned the domain name since at least as early as 2007—four years before the DJs had established trademark rights. If this fact had come out during the proceeding, the panel could well have found reverse domain name hijacking.

Key takeaways for UDRP complainants facing similar fact scenarios:

  • thoroughly research and analyze the domain name’s WHOIS history, as well as the Internet Archive to determine if asserting a change in ownership is possible, and to present the best evidence supporting your claim;
  • send demand letters to the registrar and privacy service to establish that all efforts were made to learn the current registrant’s identity; and
  • if the underlying registrant is ultimately revealed after filing an initial UDRP complaint, research further; if the current registrant clearly owned the domain before your trademark rights accrued, consider other options.

The case is William Samy Etienne Grigahcine v. Contact Privacy Inc. Customer 0144192186 / Bradley Merchant, Case No. D2019-0114 (WIPO Mar. 15, 2019).