Domain Name Enforcement in a Post-GDPR Era

By Natalie Leroy

Since the General Data Protection Regulation (GDPR) came into effect on May 25, 2018, anyone employed in trademark enforcement has had to contend with a new, sizeable roadblock when investigating infringing domain names. Pre-GDPR, it was fairly simple to find out if the domain name registrant owned other domain names[1], provided they weren’t using a privacy service. One registrant’s list of domain names could reveal more infringements, helping establish a pattern of bad faith registration and potentially giving enforcement professionals the possibility of submitting a single complaint[2] to recover several domains.

Post-GDPR, consent or a lawful basis is required before enforcement professionals can investigate. All organizations serving EU consumers must now provide an opt-out option for consumers when the data will not be used for a core service.

GDPR is a European Union (EU) law introduced to harmonize data privacy laws across Europe and member states to protect the individual data of EU residents, with specific requirements as to how data is collected, used, and stored. This legislation affects any global organization that collects, uses, or stores EU consumer data.

GDPR ensures that organizations only collect the data they need (no need for mothers’ maiden names to enroll for tennis lessons), only use the data for a specified purpose (not for a secret data project to predict people’s behavior), and store it securely (no USB keys lying around). Failure to comply can result in fines up to €20,000,000 or 4% of the total worldwide annual turnover, whichever is higher.

How this applies to WHOIS information

The Internet Corporation for Assigned Names and Numbers (ICANN) requires registrars to publish accurate WHOIS details; however, applying this requirement to EU individuals is in breach of GDPR. Most registrars have therefore opted to hide all contact information. GoDaddy® redacts all WHOIS information, whether a registrant is EU based or not.[3] Others still publish the company name but hide everything else, such as contact person, email and postal address, and phone number. This makes it very difficult to contact the registrant and notify them of existing rights prior to filing a Uniform Domain-Name Dispute-Resolution Policy complaint. Needless to say, there is no consistency in how registrars are dealing with the legislation.

Although ICANN’s Temporary Specification for Generic Top-level Domain (gTLD) Registration Data[4] states that “users with a legitimate and proportionate purpose for accessing the non-public personal data will be able to request such access through registrars and registry operators,” this is not widely known or publicized; it’s not even consistently applied.

Law enforcement can request all contact information from GoDaddy[5] and Tucows[6], for instance, but it is not clear who qualifies as law enforcement, what constitutes a legitimate request, or if they will reveal information for non-EU registrants. Meanwhile, most European registries of country-code top-level domains[7] allow trademark owners to submit data release requests; ironically, these are the very registries that are most concerned by GDPR. Considering that .COM and .NET combined account for 44% of all domain name registrations,[8] a streamlined process to uncover registrant information would be welcome.

Anyone who has dealt with GDPR so far agrees that there is uncertainty as to what qualifies as legitimate interest. Until there is some definitive case law or until ICANN comes up with a permanent specification, it may be that registries and registrars alike will continue to proceed with caution and restrict access to personally identifiable information (PII), making it difficult for brand owners to research infringing domain names.

More challenging, but not impossible

It’s still possible to enforce against an infringing domain name when the WHOIS data is hidden; however, it has become a more challenging and lengthy process.

  • Post-GDPR, companies need to request the PII from either the registry or registrar and justify their rights on the domain name in question.
  • They can also ask the registrar to send a rights notification to a registrant; however, that doesn’t come with any guarantee that the notification is received.
  • It’s also possible to file complaints without definitive information on the registrant through an arbitrator that requests the identity of the registrant from the registrar, amending the complaint afterwards.

By far the biggest loss is the inability to check whether a registrant owns several infringing domain names. It’s sometimes possible to make assumptions through other factors such as registration dates, domain name system hosts, and IP addresses; however, the names must already be known to the enforcer to make these correlations, so they won’t be able to make new discoveries.
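The correlation described above can be sketched as follows. This is an added example, not part of the original article: the records, field names, two-day date window and two-signal threshold are constructed assumptions, and a single shared IP address or name server is deliberately not treated as a link because shared hosting makes it weak evidence.

```python
from datetime import date
from itertools import combinations

# Constructed records for domains the enforcer already knows about.
KNOWN = [
    {"domain": "brand-login.example", "created": date(2018, 6, 3),
     "ns": {"ns1.host-a.example"}, "ip": "192.0.2.10"},
    {"domain": "brand-support.example", "created": date(2018, 6, 4),
     "ns": {"ns1.host-a.example"}, "ip": "198.51.100.7"},
    {"domain": "brandshop.example", "created": date(2018, 9, 20),
     "ns": {"ns1.host-b.example"}, "ip": "198.51.100.7"},
    {"domain": "brand-outlet.example", "created": date(2018, 9, 21),
     "ns": {"ns1.host-b.example"}, "ip": "198.51.100.7"},
    {"domain": "unrelated.example", "created": date(2018, 6, 3),
     "ns": {"ns1.host-c.example"}, "ip": "203.0.113.5"},
]

def shared_signals(a, b, max_days=2):
    """Return which of the three public signals two records have in common."""
    signals = set()
    if abs((a["created"] - b["created"]).days) <= max_days:
        signals.add("registration_date")
    if a["ns"] & b["ns"]:
        signals.add("name_servers")
    if a["ip"] == b["ip"]:
        signals.add("ip_address")
    return signals

def cluster(records, min_signals=2):
    """Group domains linked by at least min_signals shared signals (union-find)."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            x = parent[x]
        return x

    evidence = {}
    for a, b in combinations(records, 2):
        common = shared_signals(a, b)
        if len(common) >= min_signals:
            evidence[(a["domain"], b["domain"])] = common
            parent[find(a["domain"])] = find(b["domain"])
    groups = {}
    for r in records:
        groups.setdefault(find(r["domain"]), []).append(r["domain"])
    return sorted(sorted(g) for g in groups.values() if len(g) > 1), evidence

if __name__ == "__main__":
    clusters, evidence = cluster(KNOWN)
    for group in clusters:
        print("likely common registrant:", ", ".join(group))
```

The `evidence` mapping records which signals linked each pair, which is what a complaint would need to cite when arguing a pattern of registration.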

ICANN must publish a final version of the Specification for gTLD Registration Data by May 2019. Until then, we recommend companies work with a trusted partner who is able to request PII from registries and registrars to accomplish their brand protection needs.


[1] By running a reverse WHOIS.

[2] The Uniform Dispute Resolution Policy allows several names to be submitted in a single complaint; however, that is not the case with all arbitration procedures, many ccTLD policies for instance.

[3] In so doing, they are probably taking a massive financial hit since this has made their privacy WHOIS service redundant.

[4] This temporary specification aims to reconcile ICANN contractual requirements and the GDPR policies so registries and registrars may comply with both.

[5] Request for Disclosure of Registrant Information for Law Enforcement Agencies.

[6] Legitimate Interest Request for Tiered Access (OpenSRS).

[7] For example, AFNIC (.fr), Nominet (.uk), SIDN (.nl), DENIC (.de), EURid (.eu).