16 Jan
2018

A critical test for ICANN: ensuring GDPR compliance while preserving access to WHOIS

  • GDPR’s impact on WHOIS could “seriously hamper” enforcement efforts
  • ICANN publishes three proposed interim models for public comment
  • Brand owners urged to engage with ICANN to maintain WHOIS access

On World Trademark Review we have previously reported on the General Data Protection Regulation (GDPR) and its potential impact on rights holders’ access to accurate and reliable WHOIS data. Restricted access could significantly impact trademark policing and enforcement efforts, making it an issue brand owners need to be alive to. In this guest blog, Brian J Winterfeldt, principal of the Winterfeldt IP Group and president of ICANN’s Intellectual Property Constituency, expands on the potential threat and possible ways forward.

The issue is a fast moving one and, with the GDPR becoming enforceable on May 25 2018, late last week ICANN published three community-proposed interim models for compliance. Each has slightly different parameters with respect to the status of registrants and the geographic location of the registrant, registry, registrar and/or the data processor, but in general terms the proposals are as follows. Model 1 would allow for the display of thick registration data, with the exception of the registrant's phone number and email address, and the name and postal address of the technical and administrative contacts. To gain access to this information, third parties would be required to self-certify their legitimate interests for accessing the data. The second model would allow the display of thin registration data, as well as the technical and administrative contacts' email addresses. Registries and registrars would be required to provide access to non-public information only for a defined set of third-party requestors certified under a formal accreditation/certification program. The third approach would allow for the display of thin registration data and any other non-personal registration data. To access non-public information, a requestor would provide a subpoena or other order from a court or other judicial tribunal of competent jurisdiction.

Below, Winterfeldt provides analysis on the GDPR and why it is an issue rights holders need to engage with. It's a critical read for those who rely on WHOIS information as part of their enforcement efforts.

Guest analysis:

There is growing concern about how ICANN will comply with the GDPR, whose enforcement sanctions come into force in May. A key question for trademark owners is ‘how will ICANN comply with GDRP without unduly restricting global Internet users’ access to the public WHOIS database?’ For nearly the past 20 years, Internet users, businesses, law enforcement and consumer protection agencies have relied on WHOIS as a necessary resource. However, if it restricts access to such data, the GDPR could seriously hamper the ability of brand owners to enforce their rights and protect consumers from infringement and online fraud.

Why this matters to rights holders

Historically, a variety of parties have relied upon public WHOIS data for a variety of purposes. Law enforcement agencies regularly use WHOIS to investigate online criminal activity. WHOIS is a key tool for consumer protection agencies to investigate and enforce against online fraud, phishing attacks and deceptive schemes. Cyber-security teams regularly use WHOIS to assess urgent threats to the safety and security of the Internet and combat online attacks. Every day consumers also check the WHOIS database to ensure that the party behind a particular website is legitimate and not affiliated with a scam.

Accurate and accessible WHOIS data is equally vital to trademark and copyright owners to identify alleged infringers and protect the public from counterfeits and illegal content, which can contain malware. Trademark owners, for example, use WHOIS data to identify cybersquatters who register domain names that are identical to or are common misspellings of trademarks. In order to prove bad faith under the US Anti-Cybersquatting Consumer Protection Act or to bring a UDRP or URS action, trademark owners must rely on WHOIS data to investigate the identity of the registrant, the registrant’s country and location of origin, and their email and physical address. WHOIS is also used as a tool to show a pattern of bad faith infringements, including to establish that the defendant has unlawfully “warehoused” a variety of domain names targeting well-known trademarks. 

These are just some examples of the many legitimate uses by global stakeholders relying on access to WHOIS today. These uses play an important public interest and consumer protection function. It is important to keep in mind that checking the WHOIS database is often just the necessary first step users take before pursuing any further action. Stripping away access to that critical first step would create a domino effect of negative consequences for all stakeholders. Online fraud, serious crimes and security risks will continue to proliferate. But law enforcement and consumer protection agencies will no longer have the self-help tools they need to effectively protect the public. IP owners will no longer be able to investigate infringements and will need to presume that every domain name referencing a trademark or directing to copyrighted material is a potential infringement.

Brand owners frequently go to the WHOIS database to identify the registrant of a potentially infringing domain (and confirm they are not a licensee or other authorized party), determine the registrant’s country of origin to confirm whether the brand owner has rights in the jurisdiction, and deliver cease and desist letters using the registrant’s email or physical address. Preparing UDRP and URS complaints also relies on the WHOIS data to identify and serve the appropriate party responsible for the domain. Serving millions of subpoenas on ICANN, registrars and registries and incentivizing lawsuits is not in anyone’s interest.

How is the GDPR relevant to ICANN?

The EU General Data Protection Regulation (GDPR) is a broad framework designed to protect EU citizens’ privacy. Because most providers of goods or services collect data of some type, the GDRP contains strict requirements for those who control data (data controllers) and those who actually process or publish the data (data processers). The GDRP has potentially severe sanctions and applies not only to those based in the EU that control or process data, but to any party located anywhere who offers its goods and services to data subjects who are located within the EU.

Currently, ICANN requires domain name registrars and registry operators to collect and publish domain name registration information in the publicly accessible WHOIS database. The information in WHOIS currently includes:

  • the registered domain name;
  • the names of the primary and secondary name servers for the domain name;
  • the identity of registrar;
  • the original creation and expiration date of the registration;
  • the name and postal address of the registrant;
  • the email address of the registrant;
  • the name, postal address, e-mail address, voice telephone number, and (where available) fax number of the technical contact and administrative contact for the registered domain name.

The data is published in the WHOIS directory and has been available since the inception of the domain name system. Domain name registrants do have the ability to use a privacy or proxy service to obscure some or all of their WHOIS data. For example, someone who registers ‘brand.com’ through the GoDaddy registrar may pay for a privacy or proxy registration, which would publicly list the domain name owner as ‘DomainsByProxy’ (GoDaddy’s affiliated proxy service provider). But even in the case of privacy and proxy services, domain name registrars and registries still collect and retain the registrant’s complete registration data per ICANN requirements.

What are the purposes for which data can be processed under the GDRP?

Like most laws and regulations, it is important to understand definitions in the GDPR. The GDPR only applies to personal data, which is linked only to information relating to an identified or identifiable natural person. In contrast, the regulation does not apply to ‘legal persons’ such as businesses or corporate entities. Some domain name registrations are registered by natural persons and others by legal persons. Even WHOIS data that relates to ‘legal persons’ might still contain a few information fields (such as the name and address of a natural person to contact at the company), which might still be considered personal data.

Under GDPR, personal data may only be processed for certain legitimate and specified purposes. The data controller (the party who determines the purposes and means of a given data processing activity) is responsible for explaining the purpose behind its processing, and must inform the “data subjects” of how it is being used before processing. Any use of the data must also be limited to what is necessary in relation to its purpose (a concept known as “data minimization”). Data processing must be based on one of the specific legal grounds set forth in GDPR. As applied to domain registration data the three separate purposes under which processing would be permissible are: (1) consent of the data subject; (2) the need to process such data for the performance of a contract; and (3) for a legitimate interest

Under GDPR, valid consent must be:

  1. Specific and unambiguous;
  2. Presented in a manner which is clearly distinguishable;
  3. In an intelligible and easily accessible form, using clear and plain language;
  4. Based on informed consent of the data subject;
  5. Voluntary and freely; and
  6. Can be withdrawn by the data subject at any time.

In terms of ‘performance of a contract’ under the GDPR, data processing is also lawful when necessary for the performance of a contract to which the data subject is party or about to become a party. In the case of the WHOIS database, the user signs a registration agreement with a registrar. Registrars need to process the registrant’s personal data for a variety of reasons, such as to contact the registrants for invoicing, customer support and other administrative activities.

Turning to the third purpose, under GDPR, data processing is also lawful when necessary for “legitimate interests” of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject.

In the case of WHOIS, the following purposes would likely constitute a “legitimate interest” under Article 6.1(f) GDPR:

  1. The use of WHOIS data by registrars and network operators, for invoicing, support and other administration actions in relation to registered domain names.
  2. The use of WHOIS data for safeguarding the rights of registrants, including retention of the data in escrow, for recovery in the event of a distressed registrar or registry failure.
  3. The use of WHOIS data by law enforcement agencies to investigate and counter serious crime, terrorism, fraud, consumer deception, intellectual property violations or other violations of law.
  4. The use of WHOIS data by intellectual property rights holders to investigate intellectual property rights infringements.
  5. The use of WHOIS data to verify the identity of a provider of goods or services on the Internet, including for consumer protection purposes.
  6. The use of WHOIS data to identify the owner of a domain for business purposes, for instance in relation to a purchase of the domain name or other transactions.

Under the GDPR, the legitimate interest of third parties must outweigh the fundamental rights and freedoms of the data subject. It remains to be seen how the EU will interpret the balance between legitimate interest needs and the fundamental rights and freedoms of data subjects.

What should brand owners do?

ICANN recently published three proposed models about how to comply with GDPR, for community input. Many within the community will be commenting on ICANN’s proposed compliance models in the coming days. It will be important for brand owners to engage at ICANN to ensure that GDPR compliance does not become an excuse to shut off access to WHOIS data.

It is critical that ICANN comply with the GDPR in a manner that preserves as much of the current WHOIS system as possible. Brand owners, and other legitimate users of WHOIS data, must have a fast and easy mechanism for enforcing intellectual property rights and performing other consumer protection and public interest functions.

The three compliance models have been posted for public comment and the organization is now seeking community input on their viability by 29 January 2018. Further details and information on how to submit comments is available here

Trevor Little

Author | Editor

tlittle@GlobeBMG.com

Trevor Little