ICANN 59, the most recent public meeting of the Internet Corporation for Assigned Names and Numbers (ICANN), took place in Johannesburg, South Africa, from June 25-29, 2017. In examining the proceedings, our Internet team has identified three key takeaways, covering a range of topics of interest to brand owners and other business stakeholders, future applicants for generic top-level domains (gTLDs) and registry operators alike.

1. Rights Protection Mechanism Review Moves Slowly into Substantive Talks on Sunrise and Trademark Claims Services

The Rights Protection Mechanism (RPM) Review Working Group (WG) has been tasked with reviewing all RPMs in all gTLDs, including legacy and new gTLD RPMs. The RPM WG has already concluded preliminary discussions regarding the Trademark Post-Delegation Dispute Resolution Procedure (PDDRP), a mechanism designed to address registry operator complicity in widespread trademark infringement in its TLD. No changes to the PDDRP are envisaged with the exception of a few minor adjustments that might permit multiple trademark owners to file a joint complaint against a single registry operator as well as provide the option to pursue voluntary mediation between the parties.

The WG also has already reached several preliminary conclusions regarding the Trademark Clearinghouse (TMCH), although it will return to a number of other TMCH-related questions later, pending the outcome of discussions on the two RPMs that it supports, namely the Sunrise and Trademark Claims. Thus, the RPM WG meeting during ICANN 59 focused on the Sunrise and Trademark Claims services. In particular, the RPM WG sought to wrap up refinements to Sunrise and Trademark Claims-related questions contained in the WG Charter so that the WG could begin substantive discussion on these issues.
Some of the proposals and questions on the table include whether:

• Identical matching should be preserved for purposes of Sunrise registration (or whether it should be expanded to include non-exact matches);
• The WG should examine registry pricing practices around Sunrise in light of evidence that pricing impacts the ability of brand owners to participate in Sunrise periods;
• ICANN should create a mechanism for brand owners to challenge a registry operator’s designation of names as “premium names”;
• The WG should review and address registry practices around reserved names that effectively circumvent Sunrise;
• It would be beneficial for registries to notify relevant brand owners if they plan to release a reserved name that matches a TMCH-recorded mark (with a right of first refusal by the brand owner);
• Sunrise periods should remain a minimum of 60 days;
• Registry operators should continue to be permitted to voluntarily extend Sunrise;
• Sunrise periods should continue to be mandatory for all open new gTLDs; and
• The scope of Sunrise registration should be in any way limited based on the categories of goods or services for which the TMCH-recorded mark is registered.

Mayer Brown | Three Key Takeaways from ICANN 59 in Johannesburg
Some of the proposals and issues with respect to the Trademark Claims questions include whether:

• The language of the Trademark Claims Notice (Notice) to domain name applicants could be improved to make its meaning clearer to unsophisticated prospective domain name registrants (the Notice does appear to be having some deterrent effect on bad faith and other infringing registrations);
• The Claims period should remain mandatory for all open new gTLDs for a minimum of 90 days;
• Registry operators should continue to be permitted to voluntarily extend the Claims period;
• The Claims period should be eliminated for closed .Brand TLDs (such TLDs already are exempt from providing Sunrise periods);
• Matching criteria for Trademark Claims should be expanded beyond identical matches, e.g., including “marks contained,” “mark+keyword” and typographical variations; and
• Notices should continue to be delivered to domain name applicants as part of the registration process (prior to completion of a registration) rather than post-registration, in order to maintain their intended deterrent effect.

Ultimately, we anticipate contentious debate regarding the majority of these issues. Brand owners must remain vigilant and energized to defend these positions from contracted party, civil society and domain investor representatives who will likely align in opposition to any changes that would strengthen the RPMs.

2. Discord Ensues from Geographic Names “Strawperson” Proposal

The use of geographic names as and in new gTLDs continues to be a much-discussed topic across the ICANN community, and it was a major focus during ICANN 59 with several cross-community sessions dedicated to the topic. The focal point of discussion in Johannesburg was a “strawperson” proposal unveiled by the co-chairs of the New gTLD Subsequent Procedures Working Group (Sub Pro WG).
The strawperson proposal suggests the creation of a searchable advisory repository of geographical names (RGN) created and maintained by ICANN. Any government can add any term to the RGN provided there is a basis to protect the term under applicable law. In seeking to place a term into the RGN, the government must list:

• The term;
• The name of the country seeking to protect the term;
• The contact authorized in the country to discuss the term;
• Who has the authority to grant permission to use the term if appropriate;
• Whether the term is protected by national law or if the country desires to protect it for cultural or other stated reasons;
• The context in which the country seeks protection for the term; and
• The date the term was entered (all terms must be reviewed every five years).

Every potential future new gTLD applicant would be required to consult the RGN before submitting an application. If the potential applicant finds an exact match to its prospective applied-for term in the RGN and the proposed TLD use is in the term’s geographic sense, the applicant must reach out to the authorized contact(s) of the impacted country(ies) for a letter of consent or non-objection. If the proposed use by the potential applicant is in a context that does not imply any association with the geographic meaning, the potential applicant can get a letter of consent or non-objection from the relevant government(s) or execute a “Geographical Public Interest Commitment” (“GeoPIC”) that is a provision in its registry agreement stating that the applicant will not use the TLD in a manner that falsely suggests to the public that a connection exists between the TLD or its operator and the geographic term. As envisaged, ICANN Compliance would enforce the GeoPIC, just as it enforces other PICs and general contractual provisions in the registry agreement.
The New gTLD Sub Pro WG co-chairs made very clear from the start that the strawperson proposal is intended to spark discussion among all stakeholders and not to reflect a specific position on the issue or set forth an actual policy proposal. Indeed, it represents essentially an attempted compromise amalgamation of the community’s proposals regarding the release of geographic names at the top level.

While many Governmental Advisory Committee (GAC) members support the creation of the RGN and providing a greater ability for governments to restrict the use of names with geographic significance, a minority of other GAC members, including the US government, oppose such an approach as overstepping the bounds of international and national law. Brand owners generally oppose the approach as well, as it is inconsistent with generally accepted principles of trademark law, consumer protection and freedom of expression, wherein national governments lack any legal basis to assert priority for geographic names over private entities.

In addition to substantive disagreements on the issue, stakeholders also disagree on the appropriate procedural mechanism for developing consensus policies around the use of geographic names at the top level. Many GAC members and country-code TLD (ccTLD) managers would prefer to pursue policy development in this area through the country-code Names Supporting Organization (ccNSO), which again disproportionately favors maintaining the status quo moratorium on the use of geographic terms as new gTLDs without prior governmental approval or non-objection. On the other hand, the vast majority of other stakeholders would prefer to pursue policy development through a Generic Names Supporting Organization (GNSO) policy development process given that the historical remit of the ccNSO has been solely two-character TLDs while this topic would be significantly broader.
Another possible compromise would be to pursue a cross-community working group, chartered by all relevant supporting organizations and advisory committees. However, a cross-community working group has never been used within ICANN to actually develop formal gTLD policy and may run afoul of the ICANN Bylaws.

Regardless, a WG within the GNSO already appears to be creating a new work track dedicated to the use of geographic names as new gTLDs. It has invited all stakeholders to participate and is making every effort to establish cross-community leadership and membership of this particular work track given the breadth of interest across the community. In addition, the work track may seek independent legal analysis regarding the state of the law concerning rights in geographic names to guide further policy development. Further, any policy development effort must take into account the overarching principle of pursuing policy that is in the best interest of the global Internet community.

3. Community Discussions Heat Up regarding Possible Impact of EU General Data Protection Regulation on Registration Directory Services

A number of work streams concerning the Whois system and a possible new domain name registration directory service (RDS) system to replace Whois are already underway within ICANN, but the EU General Data Protection Regulation (GDPR), which enters into force in May 2018, has obliged the entire ICANN community to take a second look. The GDPR sets out the general data protection framework in the European Union, replacing the Data Protection Directive that has been in effect since 1998. GDPR presents a single set of personal data protection rules that must be adopted in all EU member states, subject to a single EU-wide interpretation to enhance consistency.
The GDPR applies to all “personal data,” which it defines as “any information relating to an identified or identifiable natural person.” According to the GDPR, the processing of personal data must be “fair, transparent and lawful,” meaning on the basis of consent that is unconditioned and freely given, barring some exception such as a legal obligation to process data or processing that is necessary to provide the service to data subjects. A specific “purpose limitation” must also be present, and there can be no downstream uses of personal data that are inconsistent with that purpose. The GDPR also adheres to “data minimization,” meaning controllers and processors may use only as much data as necessary for that purpose.

Many in the ICANN community, particularly privacy advocates, have heralded the implementation of GDPR as the end of publicly accessible domain name registration data. However, this is likely a vast overstatement, particularly as policy development in this area is in the relatively early stages and the ICANN community continues to grapple with the legal and policy implications of the GDPR.

For their part, domain name registration authorities are contractually obligated to ICANN to collect and process over 60 different data elements—all of which are personal data—as well as retain, escrow and publish subsets of those data elements. Data elements range from technical nameserver data to domain name registrant contact information to background information about the registration authority’s officers, directors and shareholders. Some of this information is currently published in the Whois database, including the creation and expiration dates of the domain, the registrar and nameservers as well as the name, street address, phone number and email address of the registrant. Of course, users may avail themselves of privacy and proxy services to obscure their personal information in the database.
ICANN has established a task force for community members to provide input on ICANN’s organizational due diligence around the possible impact of GDPR on its own operations, including on the possible impact on current Whois policy and the development of the next-generation RDS to replace Whois. With respect to the latter, the RDS WG recently agreed on a “minimum public data set” that would include the following elements: the domain name, the Whois server, the referral URL, the sponsoring registrar, the registrar’s IANA number, the nameservers, the DNSSEC status, and the domain name update, creation and expiry dates. According to the RDS WG, each of these elements has a legitimate purpose for collection and publication in the RDS, including inter alia domain name control, technical issue resolution, the purchase or sale of domains, academic research, criminal investigations, abuse mitigation and legal actions. The RDS WG has also reached initial consensus that access to the minimum public data should not be restricted in any way, subject to reasonable operational controls such as rate limiting or CAPTCHA.

The RDS WG has also begun to deliberate on possible RDS elements beyond the proposed minimum public data set, including “thick” data such as the domain name registrant identity and contact information as well as administrative and technical contact data. These additional data—particularly the registrant identity and certain contact information (primarily the country in which the registrant resides and the registrant email address)—are critical for intellectual property owners to be able to investigate possible cybersquatting and other IP infringement by the registrant and then to contact the registrant regarding such activity.
These data are also much more likely to fall into the category of “personally identifiable information” subject to the requirements of the GDPR (for registrants who are “natural persons”). Ultimately, again, brand owners and other business stakeholders who rely on Whois and will rely on any future iteration of the RDS system must remain heavily engaged in this work to ensure key information about domain names and their registrants remains accessible for a variety of legitimate purposes, including intellectual property enforcement efforts, domain portfolio management and acquisition, and other due diligence related activities.

For more information about this topic, please contact any of the following authors.

Brian J. Winterfeldt, +1 202 263 3284, firstname.lastname@example.org
Sarah B. Deutsch, +1 202 263 3765, email@example.com
Phillip V. Marano, +1 202 263 3286, firstname.lastname@example.org
Griffin M. Barnett, +1 202 263 3289, email@example.com
© 2017 The Mayer Brown Practices. All rights reserved.