The General Data Protection Regulation (GDPR), due to apply from 25 May, is set to cripple vital databases that brand owners rely on to identify and stop rogue operators online.
Brand owners could be left unable to identify the registrants of websites that host infringing content or sell counterfeit goods as a result of the reforms, as the GDPR is prompting changes to the existing 'WHOIS' system used for recording and searching the names and contact details of domain name owners throughout the world.
The WHOIS system
The WHOIS system is a network of databases and directories that the internet’s global domain name organisation, the Internet Corporation for Assigned Names and Numbers (ICANN), requires to be maintained. Typically, ICANN’s agreements with domain name registrars around the world, such as GoDaddy, Namecheap and Hover, oblige the registrars to collect certain information whenever a domain name is registered, including names, contact email addresses and telephone numbers of registrants, and record that information in a publicly-searchable WHOIS database.
Although some country-code registries already exclude personal WHOIS data by default, other registrants can sometimes opt to hide their WHOIS data from public searches. However, such services often attract additional fees and are not available from all registrars – privacy options are not ‘baked in’ to the WHOIS system in the way the GDPR mandates.
The WHOIS system is therefore a critical resource for researchers, journalists, law enforcement professionals and brand owners, who use WHOIS services to prevent malware attacks, track down the owners of offending domain name registrations, and take action against websites offering infringing content or goods.
Conducting a thorough WHOIS search is the first step for brand owners or their legal representatives after identifying infringing goods, services or content, and the information obtained is usually used for preparing and issuing letters of claim, challenges under the Uniform Domain-Name Dispute-Resolution Policy (UDRP), or otherwise communicating with troublesome registrants.
However, the current WHOIS system is not universally adored or accepted. Its public nature means that WHOIS data may also be used by spammers, hackers and marketing companies, who ‘scrape’ WHOIS databases for contact details and subsequently sell that information or use it to carry out malicious activities online. Local registrars tend to attract the ire of registrants who feel their details have been improperly divulged, and are also obliged to bear the cost of operating and maintaining their respective WHOIS databases.
Issues for brand owners
It is clear that in its current form the WHOIS system conflicts with the objectives of the GDPR and its lawful bases for processing personal data. In view of this conflict, the ICANN community is working on updating the WHOIS model such that it will preserve access to certain WHOIS data and yet remain compliant with the GDPR.
The updated model is likely to be based around 'gating' most of the data attached to a domain name, allowing access only after a person or organisation has identified themselves and their purpose for using it. It is unclear how rigorous or formal the modified WHOIS system will be – self-certification, formal approval and accreditation, and legal warrant/subpoena schemes have all been proposed as options for implementation.
However, ICANN has yet to finalise the preferred model and determine its territorial scope – i.e. whether it applies globally or just Europe-wide. In the interim, it has begun allowing EU-based registrars to redact personal information about domain name registrants, provided the registrar explains how it intends to comply with its GDPR obligations.
Of more concern is the fact that if a sensible and workable solution cannot be reached, registrars may use the GDPR as an excuse to shed the burden of operating and maintaining a WHOIS database at all.
One of the largest registrars, GoDaddy.com, began redacting WHOIS contact details for its 17 million customers in early 2018 in a move it said was driven by the need to restrict spammers from accessing registrant data, rather than for GDPR compliance. Other registrars may follow suit, arguing that under the GDPR the ICANN provisions obliging them to collect and maintain WHOIS data are void and unenforceable.
Brand owners should make their voice heard
Whichever model is ultimately implemented, the WHOIS system will no longer be the open, relatively accessible system operating at present. A GDPR-compliant WHOIS system will severely undermine the ability of brand owners to obtain relevant information about registrants and enforce their rights online. In a post-GDPR world, accessing registrant contact details is likely to be costly and administratively burdensome, at least in the short term.
Brand owners should therefore seek to become actively involved in the ICANN consultation process. They should, for example, communicate concerns to ICANN, comment on the proposed interim model and/or support the proposed long-term model, whether it be a formal accreditation system or otherwise.
European-based brand owners might also consider contacting their national data protection authorities (DPAs), such as the Information Commissioner's Office (ICO) in the UK, to seek guidance about what information might be published through WHOIS in the wake of the GDPR.
Iain Connor and James Robb are intellectual property law experts at Pinsent Masons, the law firm behind Out-Law.com.