Counterfeiting and data privacy: achieving the right balance in consumer protection

Recent developments in data protection regulation make it more difficult for law enforcement, the private sector and cybersecurity researchers to share information to help protect individuals and organisations from the dangers of counterfeiting. The important goal of protecting consumer privacy in one area may, in fact, harm them in others. An excellent example of this conflict is the Internet Corporation for Assigned Names and Numbers’ (ICANN) recent implementation of its temporary specification regarding the WHOIS system of registrant directory services. Access to critical WHOIS information for top-level domain names was effectively cut off on 25 May 2018 as a result of ICANN’s interpretation of the EU General Data Protection Regulation (GDPR). While registrant data is masked to protect personally identifiable information for all registrants of top-level domain names, it is effectively cutting off information that is needed to prevent harm to individuals who are the victims of counterfeiting, online fraud and abuse. This chapter analyses the current state of global counterfeiting and the effect of ICANN’s GDPR implementation on trademark enforcement and anti-counterfeiting efforts.

Current state of counterfeiting

Counterfeiting can affect all members of society and have a harmful, lasting effect on our everyday lives. The tales of poisonous, ineffective or lethal counterfeit products that penetrate the market are horrifying. Additionally, profits from counterfeits are known to fund criminal activity above and beyond the actual counterfeiting. In February 2017 the International Trademark Association (INTA), along with the International Chamber of Commerce – Business Action to Stop Counterfeiting and Piracy, released a report from Frontier Economics entitled “The Economic Impacts of Counterfeiting and Piracy”, quantifying the economic and social costs of counterfeiting and piracy. This report was unique, as it looked back at the global and domestic state of counterfeiting and piracy in 2013 and projected out to 2022. The report confirms that counterfeiting is growing globally and has a huge impact on the economy and society.

In 2013 the estimated value of international and domestic trade in counterfeit and pirated goods was $1.13 trillion. In 2022 the total estimated value of counterfeit and pirated goods, including digital piracy, is projected to reach $1.90 to $2.81 trillion. The number of legitimate jobs lost as a result of counterfeiting and piracy is estimated to reach 5.4 million by 2022. The global anti-counterfeiting trade is growing; stakeholders must work together collaboratively to combat it.

Sharing information in the fight against counterfeiting

With so many players involved in anti-counterfeiting efforts, sharing information is crucial. As counterfeiters become more sophisticated, trademark owners and enforcement officials must work closely together to help identify counterfeits in order to protect consumers from the harmful effects of these substandard goods. Incidental to enforcement work by various government authorities in counterfeiting cases, information is generated that can be useful for investigating the identity and role of other parties, including suppliers of goods and accessories. Due to resource limitations, government enforcers are not always able to use such documents and information in the course of their own investigations following an initial seizure of goods, documents or other evidence. However, trademark owners can use such documents and information in the course of private investigations.

To ensure that trademark owners have prompt access to information regarding counterfeits and counterfeiters, INTA recommends that governments revise their rules and procedures to provide prompt and reasonable access by trademark owners to relevant documents and information on counterfeiters for the trademark owners’ use in conducting private investigations or the filing of complaints to the courts or other government agencies. To this end, INTA asks all enforcement agencies to share information about counterfeiters with the private sector, so that both sides may work together to tackle the sophisticated criminal networks profiting from consumers buying sub-standard and often dangerous products.

The same request applies to online transactions. The 1.5 billion websites on the Internet provide counterfeiters with the ability to anonymously reach billions of consumers online. Additionally, counterfeiters create a multitude of social media accounts to sell directly to the public.

With the dark web, even counterfeiters’ internet protocol addresses can be hidden, making it difficult for brand owners to determine who is counterfeiting their goods. The Internet gives counterfeiters the reach to sell to consumers globally and, sometimes, outside the national limits of law enforcement. This international reach forces brand owners to prosecute cases outside of their local jurisdictions. Counterfeiters can display genuine goods on their site and ship counterfeit goods to the consumer. This makes it difficult for brand owners to determine whether a site is selling counterfeits without first making costly purchases from the site. When one site is shut down, another can be quickly opened, making it a struggle for brand owners to effectively stop a counterfeiter.

Criminal networks are involved with counterfeiting, which leads to hundreds of sites selling the same products on various servers. It has become an arduous task for brand owners to stop them without working with authorities to take down the counterfeit rings. The only way to combat the proliferation of counterfeiters on the Internet is to work together.

INTA’s guide “Best Practices for Addressing the Sale of Counterfeits on the Internet” promotes the need for all stakeholders to share as many data points as possible to protect consumers from the harms of online counterfeiting. The recommendations include these sorts of practices for search engines, trading platforms, payment service providers, social media sites, registrars and registries.

Conflicts in data privacy objectives

Protecting consumers with one hand and harming them with the other

The 25 May 2018 implementation of ICANN’s temporary specification for WHOIS data restricted access to an essential enforcement tool. WHOIS is the system of registrant directory services that contains contact and technical information related to the ownership of domain names. WHOIS information (including a website registrant’s name, email address and postal address) enables third parties to access and cross-reference information to facilitate IP enforcement online. Anti-counterfeiting efforts rely heavily on WHOIS data. ICANN manages the WHOIS ecosystem. WHOIS policies are embedded in ICANN’s contracts with registrars and registries, which collect the data at the point of domain name registration. The temporary specification mandates the masking of certain WHOIS data elements (including a registrant’s email, which is the lynchpin of most enforcement actions) for names registered at the top level. These are names ending in extensions like ‘.org’ and ‘.info’. A permanent solution to the temporary specification is being developed by an expedited policy development process coordinated by ICANN’s Generic Names Supporting Organisation. The working group has decided that access will not be addressed until certain gating questions are first resolved.

Members of the community have varying views about what constitutes appropriate GDPR compliance, as GDPR explicitly provides for the lawful processing and disclosure of registrant email to further legitimate purposes in the public interest (Article 6). The GDPR recitals also explicitly note that privacy is not an absolute right and must be balanced with other interests (eg, security, consumer protection, IP rights and law enforcement). INTA has submitted a series of comments to ICANN stating that restricting public access to certain elements, such as registrant email, is over-compliant with the law and against public interest. For example, ICANN’s policy does not distinguish between commercial and non-commercial entities and is not limited in geographic scope as provided for in GDPR.

INTA members, mostly through participation in IP and business constituencies, have been working on developing an accreditation and access programme for non-public WHOIS data, which, ideally, would have been implemented at the same time as the temporary specification, thereby facilitating continued access to non-public data by rights holders, law enforcement and other parties with legitimate interests. This is a complicated process and procedure, and must consider a number of factors, including providing access only to trustworthy requestors, providing access only to data elements that serve a legitimate purpose per the limitations of GDPR, validation of these purposes and ensuring appropriate data safeguards.

Because an accreditation and access programme for non-public WHOIS data was not developed and implemented by 25 May 2018, the day that GDPR became enforceable, WHOIS ‘went dark’ for third parties that rely on the information, including brand owners. With very limited WHOIS information, brand owners, IP enforcement agencies and anyone who relies on website ownership data to identify and address counterfeiting issues have not been able to access that information. ICANN’s temporary specification calls for registrars and registries to provide “reasonable access” to requests for data. However, there is no definition of ‘reasonable’ and in many instances requests for information have either gone ignored or the requestor was forced to seek a subpoena.

In Summer 2018 INTA launched [email protected], a dedicated address for reporting problems arising after 25 May 2018 with obtaining WHOIS information. Respondents report that registrars’ approaches to compliance with the temporary specification have been inconsistent at best. They further report that analysis of their own domain portfolios has been hindered by the inability to search for owner information across the WHOIS system. The results of INTA’s inquiry are consistent with other industry studies, including the joint survey conducted by the Anti-phishing Working Group and the Messaging, Malware and Mobile Anti-abuse Working Group and the survey conducted by the WHOIS/RDS2 Review Team of law enforcement agencies worldwide, the results of which were presented by ICANN’s Public Safety Working Group at ICANN63 on 23 October 2018.

The good news is that ICANN has recognised the need for access to this information for legitimate purposes and has called for input on a Universal Access Model. ICANN has also convened a technical working group to discuss solutions to access. However, the absence of even a temporary solution to access leaves us where we are today – with work-arounds and a continuing lack of information. As a service to members and non-members alike, INTA offers the WHOIS Toolkit to help brand owners navigate this new environment.

Balancing interests

Lawsuits in the dark

Enforcement against unknown infringers can present a significant challenge for brand owners. One effective mechanism is filing a John Doe lawsuit, in which the respondent’s identity is unknown and may be revealed through a discovery process.

For domain name disputes, providers for the Uniform Dispute Resolution Process and the Uniform Rapid Suspension proceedings allow John Doe suits under the temporary specification. However, this work-around does not necessarily solve the problem for trademark owners, because of unknowns before the suit is filed. Trademark owners may unknowingly file against authorised users. Or, even worse, a non-governmental organisation could unwittingly file against friendly donors or supporters of their cause. The ability to investigate and possibly resolve the issue before a complaint is filed is substantially hindered. This has a chilling effect on enforcement.

Many domain names are registered under privacy or proxy agreements. ICANN has a board approved privacy/proxy policy that it is refusing to implement. Its reasoning is that the policy must be analysed in view of the GDPR and expedited policy process for WHOIS. The IP community’s response is that the privacy/proxy policy was fully vetted while EU privacy laws were in effect. Data protection is not a new issue.

In the United States, John Doe complaints are permissible. Personal jurisdiction is established over the defendant if it operates an interactive website that offers infringing products for sale in the United States. If the defendant is located in the United States, its identity can typically be learned through the discovery process, including subpoenas on third-party internet intermediaries. Once the defendant is identified, service can be accomplished using traditional means. If the defendant resides in another country, a plaintiff is permitted to serve by any means not prohibited by international agreement. In many cases, service is accomplished via email and electronic publication. US law also permits a plaintiff to seek injunctive relief against unknown John Doe defendants. As such, injunctions have been used to disable services provided by internet intermediaries such as domain name registrars, website hosts and payment processors. Plaintiffs can also obtain statutory damages against unknown defendants, even if the defendant fails to appear and/or provide any sales records.

The availability of John Doe lawsuits against unknown defendants varies by country. Canada, Australia and the United Kingdom, for example, allow proceedings against an unknown defendant. However, such proceedings may not be practical against online infringers due to the limited remedies available. Some European countries (eg, the Netherlands) do not recognise John Doe lawsuits. However, in certain situations, the rights holder can request disclosure of the defendant from an internet intermediary or take action against an intermediary to shut down an internet store. Russia and Ukraine permit a similar method of proceeding where the domain registrar takes on the role of the defendant if the defendant is unknown.

However, some countries do not allow proceedings against unknown persons and entities. China is one jurisdiction where this is not applicable. This is highly problematic, since a significant number of infringing and counterfeit internet shopfronts operate out of China. Online counterfeiters also often use elaborate schemes to move proceeds from counterfeit sales back to China. South Korea also does not permit lawsuits against unknown persons.

Finally, the law remains unsettled in many countries. In Mexico, for example, civil offences are rarely pursued due to complexities and difficulties with the Mexican legal system. Similarly, while the United Arab Emirates has no express legislation on prosecuting John Doe defendants for online trademark infringement issues, the existing UAE Trademark Laws and the UAE Cybercrime Law 5/2012 are typically used to take action against online infringers. In India, courts can block websites through the intervention of the Department of Telecommunication, which issues directions to internet service providers.

Even in those jurisdictions that have John Doe laws, this route is a costly remedy for brand owners and cannot be used in every counterfeit case. The high cost of these trials makes this remedy a poor solution to protect consumers from counterfeiters.

The implementation of GDPR and the fallout of the WHOIS temporary specification have left private sector entities demanding harmonisation of privacy laws and asking governments to recognise the importance of information-sharing functions that exist between law enforcement and the private sector. A GDPR carve-out for the WHOIS database would have been a good solution to the problem, but obtaining one after the fact is unlikely. In general, the public interest carve-outs in data protection laws are aimed at government agencies such as land offices or trademark registers. ICANN’s position as a private entity that manages a public resource creates some of the issues that we are facing with information sharing. As we move forward, it is important that the global community learns these lessons and fashions regulations and policies that do not create the same dilemma that has evolved with the WHOIS system.