{"id":7091,"date":"2018-11-07T09:44:33","date_gmt":"2018-11-07T14:44:33","guid":{"rendered":"https:\/\/www.cscdigitalbrand.services\/blog\/?p=7091"},"modified":"2018-11-08T07:32:56","modified_gmt":"2018-11-08T12:32:56","slug":"domain-name-enforcement-in-a-post-gdpr-era","status":"publish","type":"post","link":"https:\/\/www.cscdbs.com\/blog\/domain-name-enforcement-in-a-post-gdpr-era\/","title":{"rendered":"Domain Name Enforcement in a Post-GDPR Era"},"content":{"rendered":"

\"Domain<\/a><\/p>\n

By Natalie Leroy<\/em><\/p>\n

Since the General Data Protection Regulation (GDPR) came into effect on May 25, 2018, anyone employed in trademark enforcement has had to contend with a new, sizeable roadblock when investigating infringing domain names. Pre-GDPR, it was fairly simple to find out if the domain name registrant owned other domain names[1]<\/sup><\/a>, provided they weren\u2019t using a privacy service. One registrant\u2019s list of domain names could reveal more infringements, helping establish a pattern of bad faith registration\u2014 potentially giving enforcement professionals the possibility of submitting a single complaint[2]<\/sup><\/a> to recover several domains.<\/p>\n

Post-GDPR, consent or lawful basis is required before an enforcement professionals can investigate. All organizations serving EU consumers must now provide an opt-out option for consumers when the data will not be used for a core service.<\/p>\n

GDPR is a European Union (EU) law introduced to harmonize data privacy laws across Europe and member states to protect the individual data of EU residents, with specific requirements as to how data is collected, used, and stored. This legislation affects any global organization that collects, uses, or stores EU consumer data.<\/p>\n

GDPR ensures that organizations only collect the data they need (no need for mothers\u2019 maiden names to enroll for tennis lessons), only use the data for a specified purpose (not for a secret data project to predict people\u2019s behavior), and that it\u2019s stored securely (no USB keys lying around). Failure to comply can result in fines up to \u20ac20,000,000 or 4 % of the total worldwide annual turnover\u2014whichever is higher.<\/p>\n

How this applies to WHOIS information<\/strong><\/p>\n

The Internet Corporation for Assigned Names and Numbers (ICANN) requires registrars to publish accurate WHOIS details\u2013 however this requirement applied to EU individuals is in breach of GDPR. Most registrars therefore have opted to hide all contact information. GoDaddy\u00ae<\/sup> redacts all WHOIS information, whether a registrant is EU based or not.[3]<\/sup><\/a> Others still publish the company name, but hide everything else, such as contact person, email and postal address, and phone number. This makes it very difficult to contact the registrant and notify them of existing rights prior to filing a Uniform Domain-Name Dispute-Resolution Policy. Needless to say, there is no consistency in how registrars are dealing with the legislations.<\/p>\n

Although the ICANN\u2019s Temporary Specification for Generic Top-level Domain (gTLD) Registration Data[4]<\/sup><\/a><\/em> states that \u201cusers with a legitimate and proportionate purpose for accessing the non-public personal data will be able to request such access through registrars and registry operators,\u201d this is not widely known or publicized; it\u2019s not even consistently applied.<\/p>\n

Law enforcement can request all contact information from GoDaddy[5]<\/sup><\/a> and Tucows[6]<\/sup><\/a> for instance, but it is not clear who qualifies as law enforcement, what constitutes a legitimate request, or if they will reveal information for non-EU registrants. Meanwhile,most European registries of country-code top-level domains[7]<\/sup><\/a> allow trademark owners to submit data release requests<\/strong>\u2014ironically the very registries that are most concerned by GDPR. Considering that .COM and .NET combined account for 44% of all domain name registrations,[8]<\/sup><\/a> a streamlined process to uncover registrant information would be welcome.<\/p>\n

Anyone who has dealt with GDPR so far agrees that there is uncertainty as to what qualifies as legitimate interest. Until there is some definitive case law or until ICANN comes up with a permanent specification, it may be that registries and registrars alike will continue to proceed with caution and restrict access to personally identifiable information (PII), making it difficult for brand owners to research infringing domain names.<\/p>\n

More challenging, but not impossible<\/strong><\/p>\n

It\u2019s still possible to enforce against an infringing domain name when the WHOIS data is hidden, however it has become a more challenging and lengthy process.<\/p>\n