Published in Landslide Vol. 11 No. 4, ©2019 by the American Bar Association. Reproduced with permission. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.
The European Union (EU) transformed the global landscape of data protection and privacy when it adopted the General Data Protection Regulation (GDPR) in 2016. The GDPR became applicable on May 25, 2018. Ever since, businesses around the globe have been scrambling to understand this far-reaching legislation, and what they may need to do to comply with it, in the face of stiff penalties of up to 4 percent of global annual revenues. Ironically, while the GDPR is intended to protect consumers from misuse of their personal data, it has also created practical hurdles for companies trying to protect those same consumers through brand enforcement efforts against online bad actors preying on Internet users.
In particular, efforts to comply with the GDPR have led to the substantial redaction of historically public information about who owns and operates any given website, published through the online domain name registration database known as “WHOIS.” Brand owners have traditionally relied on this information as a starting point for enforcement efforts; under the current WHOIS rules, much of the relevant information is no longer publicly available, presenting serious challenges to online enforcement. Meanwhile, bad actors continue to proliferate under the new privacy rules, harming the very consumers the GDPR was intended to protect, including through the sale of counterfeit goods online, phishing, and other fraudulent schemes that leverage intellectual property assets to dupe Internet users. With traditional self-help tools like WHOIS no longer sufficient to support online enforcement, brand owners have had to get more creative in order to address online abuse, often at substantial added delay and cost.
This article will provide an overview of the GDPR and its effects on the WHOIS system of domain name registration data, the resulting challenges for online intellectual property enforcement, lessons learned since the GDPR took effect and public information in WHOIS was significantly reduced, and best practices and strategies for intellectual property owners to employ as part of their online enforcement programs in the post-GDPR world.
The European Union General Data Protection Regulation
The EU GDPR, adopted in 2016, replaces the EU Data Protection Directive 95/46/EC and the EU member state legislation based on that Directive. The GDPR is a broad framework designed to protect the privacy of individuals in the EU, and to level the playing field for businesses by harmonizing data protection and privacy rules across the EU. Because most providers of goods or services collect data of some type, the GDPR contains strict requirements both for those who determine why and how personal data is processed (data controllers) and for those who process the data on a controller’s behalf (data processors).1 The GDPR carries potentially severe sanctions for violations: up to 20 million euros or 4 percent of the sanctioned entity’s total worldwide annual turnover for the preceding financial year, whichever is higher.2 Importantly, the GDPR applies not only to controllers and processors established within the EU, but also to any party, wherever located, that offers goods or services to data subjects in the EU or that monitors the behavior of data subjects in the EU.3
Under the GDPR, personal data may only be processed for specified, explicit, and legitimate purposes. The data controller is responsible for explaining the purpose behind its data processing, and must inform the data subjects of that purpose before processing.4 The GDPR provides that personal data processing must be limited to what is necessary in relation to the purposes for which the data are processed (a concept known as “data minimization”). Data processing must also rest on one of the specific legal bases set forth in the GDPR. As applied to domain name registration data, the three legal bases under which processing would be permissible are: (1) consent of the data subject,5 (2) necessity for the performance of a contract,6 and (3) a legitimate interest of the data controller or a third party, not overridden by the interests or fundamental rights of the data subject.7
The WHOIS System of Domain Name Registration Data
The Internet Corporation for Assigned Names and Numbers (ICANN) is the organization that accredits domain name registry operators and registrars,8 and through its contracts with these entities, sets forth the rules and requirements for the provision of domain name registrations to members of the public. Under existing accreditation contracts, ICANN requires domain name registrars and registry operators to collect and publish certain specified domain name registration information in a publicly accessible online database known as the WHOIS database (because, at least historically, it tells you “who is” the registrant of a particular domain name).
Historically, WHOIS provided transparency and facilitated a number of key activities to protect Internet users from harm and to ensure the security, stability, and resiliency of the Internet, which is the foundation of ICANN’s mandate. WHOIS does not itself resolve domain names to IP addresses (that is the job of the Domain Name System (DNS)), but WHOIS records identified the name servers and technical contacts responsible for each domain, and in the early days of the Internet DNS administrators relied heavily on those records to address technical resolution and security issues. Importantly, WHOIS has been an essential tool for identifying the parties responsible for domain name registrations, and for the associated online resources such as website content or e-mail addresses, when those resources are used for abusive or malicious conduct online, including infringement, sales of counterfeit goods, phishing, distribution of malware, and fraud. Much like the articles of incorporation of a traditional business, the WHOIS system ensured that every domain name had at least one “designated agent,” so that chain of title could be verified and the appropriate party could be named and contacted in a dispute or legal proceeding regarding the domain name.
In response to the GDPR, ICANN imposed drastic changes to the WHOIS system on an emergency, temporary basis to ensure legal compliance with respect to data processing, at the expense of continued transparency and accountability. Under these hastily imposed new rules (in the form of a “Temporary Specification”9 appended to ICANN’s contracts with registry operators and registrars), critical registration data including registrant names, street addresses, telephone numbers, and e-mail addresses have gone dark so that ICANN, registry operators, and registrars can comply with the GDPR. The only remaining public information about a domain name registrant is its organizational affiliation (if any), state/province, and country. In addition to significantly reducing public information, the new rules make access to nonpublic data (which registrars must still collect, but may not publish) unpredictable and fragmented. A side-by-side comparison of a WHOIS record prior to implementation of the Temporary Specification and after is presented as figure 1.
The Temporary Specification requires that registrars provide “reasonable access” to nonpublic data to third parties on the basis of legitimate interests pursued by the third party, except where those interests are overridden by the interests or fundamental rights and freedoms of the registrant. However, no further guidance or criteria set out what constitutes “reasonable access” or a “legitimate interest,” how the balancing test should be applied, or how requests for access should be granted or denied (under what level of scrutiny, and with what rationale for the decision).
These substantial changes to the WHOIS system have inevitably led to significant obstacles to online trademark enforcement. The only remaining way to identify the registrant from public WHOIS is the registrant organization field, which is optional and therefore often empty. While state and country remain available, mailing and e-mail addresses as well as fax and phone numbers do not. Although the new ICANN rules require registrars to provide either a web form or an anonymized e-mail address for contacting the registrant, these alternative channels do not provide the same level of certainty that a communication actually reaches the registrant (for instance, they may not generate an automated delivery failure response). The lack of a registrant name or e-mail address also effectively prevents trademark owners from performing a “reverse WHOIS” search to identify the full portfolio of domain names owned by the same registrant and thereby establish a pattern of bad faith conduct.
Many registrars are not even complying with the minimum public information requirements that ICANN still mandates. Instead, many have redacted every WHOIS data field relating to registrant contact information by default. And the lack of any parameters around “reasonable access” to nonpublic data has led to disjointed approaches and no reliable recourse mechanism when even well-founded disclosure requests are denied.
Since ICANN adopted the Temporary Specification, the ICANN community launched an Expedited Policy Development Process (EPDP) to create a permanent consensus policy on domain name registration data that is compliant with the GDPR and, presumably by extension, other applicable data protection and privacy law. The EPDP’s work is intended to be completed before the May 25, 2019, date on which the Temporary Specification will expire, per ICANN rules.
Impact of WHOIS System Changes on Online Intellectual Property Enforcement
In short, stopping bad actors online has become markedly harder since the WHOIS blackout. The Temporary Specification, and the fractured registration data environment it has created in response to the GDPR, have impeded anti-abuse efforts across the board. Miscreants engaging in counterfeiting, piracy, phishing, fraud, and distribution of malware, among other abuses, are able to operate longer, and are harder to take down at all. Large networks and other patterns of abusive domain names and websites are harder to detect or to combat comprehensively. Enforcement costs to intellectual property owners have increased, and more consumers are being harmed.
Even where there are grounds for enforcement, a brand owner can no longer identify a proper point of contact to notify the registrant of its concerns and potentially resolve the issue amicably. A brand owner must now ask the registrar to disclose the nonpublic information, or submit a cease and desist letter or similar communication through an online web form (which may impose word limits or prevent attaching supporting materials) or an anonymized e-mail address (which may not actually reach the registrant). As a result, brand owners have a greater incentive to proceed directly to a domain name dispute proceeding such as the Uniform Domain Name Dispute Resolution Policy (UDRP) or to litigation, especially where the registry operator or registrar is unresponsive or refuses to disclose the relevant contact information.
The lack of available public WHOIS data makes the domain arbitration process more difficult as well. Brand owners cannot develop a comprehensive case against a registrant—including whether the registrant has other or prior infringements or indicators of bad faith registration and use of a domain name—without knowing the registrant’s identity. In some cases, the dispute resolution provider can obtain the full registration data from the registry operator or registrar and convey it to the complainant, who can then develop an amended complaint using the full data. However, this is not always the case and adds further time and expense in preparing the amended complaint. Similarly, in litigation, plaintiffs must spend substantial time and expense seeking subpoenas to reveal the proper defendant(s) to name, and amend complaints filed against “John Doe” defendants to name the proper registrant.
Strategies and Best Practices for Online Enforcement in the Post-GDPR World
Despite the current landscape, intellectual property owners retain a number of key tools and strategies to investigate and address online infringement and other abuses involving their intellectual property assets, beyond mere registration data disclosure requests.
Archived WHOIS Data
Robust archived WHOIS data remains available from the not-so-distant past when it was still predominantly published online. However, access to archived WHOIS data usually comes commensurate with subscription fees from the service providers who originally archived it. Most practitioners will tell you that any modest price paid is well worth it when performing necessary due diligence chain of title research in an acquisition scenario, and even in certain types of infringement scenarios where historical data is relevant. Of course, such archived data cannot always be relied on to remain accurate over time.
Website Content
Very few fraudsters include legitimate point of contact information within their website content; they prefer amorphous “contact us” web forms, or provide nothing at all. Moreover, many acts of online abuse do not involve a website at all (e-mail phishing, for instance). Nevertheless, innocent infringers sometimes do include working contact information within their websites or on their domain name parking pages, so it remains worth checking.
“John Doe” Cease and Desist Letters
Even where a domain name registrant’s identity cannot be confirmed through available WHOIS data or on the website itself, it may still be possible to send a cease and desist letter to an unnamed registrant through the anonymized registrant e-mail address or online web form that the Temporary Specification requires registrars to provide. If a registrar provides neither an anonymized registrant e-mail address nor a web form, that is a violation of the Temporary Specification and should be reported to ICANN’s contractual compliance department. In many cases, registrars are simply replacing the original WHOIS data with privacy or proxy service provider information, including a proxy service e-mail address; that address can likewise be used to direct a cease and desist letter toward the domain name registrant.
Notice and Takedown Letters to Web Hosts
The optimal and appropriate way to address problematic online content remains through the intermediaries who host that content. Fortunately, web hosts can still be readily identified through the Internet Protocol (IP) addresses to which each domain name and website resolves. Free web host lookup tools are available online, or anyone can resolve a domain name to its IP address with NSLOOKUP (or dig) from a command prompt, and then look up the IP address in the relevant IP address registry. IP address registration data is maintained by the Regional Internet Registries (RIRs), not by ICANN-accredited registrars, and is not governed by the Temporary Specification; it typically still shows the organization holding the address block and its abuse contact. It also remains possible to correlate individual domain names within unsophisticated illegal networks of websites when they all use the same web hosts (or other ISPs) and IP addresses. Once the web host has been identified, reports of infringement or abuse can be filed with its abuse point of contact or other appropriate complaint contact. If a web host itself fails to act on takedown demands, it may be possible to escalate further up the IP address supply chain by reporting the web host’s abuse or recalcitrance to the RIRs, which coordinate the supply of IP addresses to downstream service providers. As the name implies, RIRs are responsible for allocating IP addresses to service providers by global geographic region, and the appropriate RIR will typically be the one serving the same region as the web host.
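The following script, added here as an example and not part of the original article, walks through the host identification steps just described: resolving a domain name to its IP addresses, pulling the abuse contact and address range out of an RIR WHOIS record, and grouping domain names that share hosting IP addresses so that a network of related sites can be reported together. The DNS answers and WHOIS records embedded in it are constructed test data in documentation address space (203.0.113.0/24 and 198.51.100.0/24); the `whois_query` function performs a real port-43 lookup and is the only part that needs network access.

```python
"""
Added example (not from the article): identify the web host behind a domain
name and its abuse contact, then correlate domains that share hosting IPs.
SAMPLE_DNS, SAMPLE_ARIN and SAMPLE_RIPE below are constructed test data.
"""
import socket
from collections import defaultdict
from ipaddress import ip_address, ip_network, summarize_address_range

# --- Step 1: domain name -> IPv4 addresses (what NSLOOKUP or dig shows) ---

def resolve_ipv4(domain, resolver=socket.gethostbyname_ex):
    """Sorted, de-duplicated IPv4 addresses `domain` currently resolves to.
    `resolver` is injectable so the logic can be exercised without network."""
    _hostname, _aliases, addrs = resolver(domain)
    return sorted(set(addrs))

# --- Step 2: IP address -> RIR WHOIS record over port 43 (needs network) ---

def whois_query(ip, server="whois.arin.net", timeout=10):
    """Raw port-43 WHOIS lookup. ARIN answers for its own space and refers
    other space to the responsible RIR; re-query that server if referred."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall((ip + "\r\n").encode())
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks).decode(errors="replace")

ABUSE_KEYS = {"orgabuseemail", "abuse-mailbox"}   # ARIN / RIPE-APNIC-LACNIC-AFRINIC style
RANGE_KEYS = {"cidr", "inetnum", "netrange"}

def _fields(whois_text):
    """Yield (key, value) from 'key: value' lines, skipping comment lines."""
    for line in whois_text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", "%")):
            continue
        key, sep, value = line.partition(":")
        if sep:
            yield key.strip().lower(), value.strip()

def abuse_contacts(whois_text):
    """Abuse e-mail addresses in the record, in order of appearance."""
    found = []
    for key, value in _fields(whois_text):
        if key in ABUSE_KEYS and value and value not in found:
            found.append(value)
    return found

def netblocks(whois_text):
    """Address ranges in the record as CIDR strings; accepts both
    'a.b.c.d/nn' and 'start - end' notation, de-duplicated."""
    blocks = []
    for key, value in _fields(whois_text):
        if key not in RANGE_KEYS:
            continue
        if "/" in value:
            nets = [ip_network(value, strict=False)]
        elif "-" in value:
            start, end = (ip_address(p.strip()) for p in value.split("-", 1))
            nets = list(summarize_address_range(start, end))
        else:
            continue
        for net in nets:
            if str(net) not in blocks:
                blocks.append(str(net))
    return blocks

def ip_in_netblocks(ip, whois_text):
    """True if `ip` lies inside any range the WHOIS record describes."""
    addr = ip_address(ip)
    return any(addr in ip_network(b) for b in netblocks(whois_text))

# --- Step 3: correlate domains that share hosting IPs (union-find) ---

def cluster_by_ip(domain_ips):
    """Group domains linked by at least one shared IP address.
    domain_ips: {domain: [ip, ...]}. Returns sorted lists, largest first."""
    parent = {d: d for d in domain_ips}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    by_ip = defaultdict(list)
    for domain, ips in domain_ips.items():
        for ip in ips:
            by_ip[ip].append(domain)
    for domains in by_ip.values():
        for other in domains[1:]:
            parent[find(other)] = find(domains[0])
    groups = defaultdict(list)
    for d in domain_ips:
        groups[find(d)].append(d)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: (-len(g), g))

# Constructed sample data; none of these domains or records are real.
SAMPLE_DNS = {
    "brand-outlet-sale.example": ["203.0.113.10", "203.0.113.11"],
    "shop-brand-deals.example": ["203.0.113.10"],
    "brand-cheap.example": ["203.0.113.11"],
    "unrelated.example": ["198.51.100.7"],
}
SAMPLE_ARIN = """\
NetRange:       203.0.113.0 - 203.0.113.255
CIDR:           203.0.113.0/24
OrgName:        Example Hosting LLC
OrgAbuseEmail:  abuse@hosting.example
OrgAbusePhone:  +1-555-0100
"""
SAMPLE_RIPE = """\
% constructed RIPE-style record
inetnum:        198.51.100.0 - 198.51.100.127
netname:        EXAMPLE-NET
abuse-mailbox:  abuse@nic.example
"""

if __name__ == "__main__":
    for cluster in cluster_by_ip(SAMPLE_DNS):
        print("cluster:", cluster)
    print("ARIN:", abuse_contacts(SAMPLE_ARIN), netblocks(SAMPLE_ARIN))
    print("RIPE:", abuse_contacts(SAMPLE_RIPE), netblocks(SAMPLE_RIPE))
    # Live use (network): abuse_contacts(whois_query(resolve_ipv4("example.com")[0]))
```

In practice, run `resolve_ipv4` against each suspect domain, feed the resulting addresses to `whois_query`, and use `ip_in_netblocks` to confirm that the domains in a cluster really sit inside the same provider’s allocation before citing them together in a single abuse report.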
Registration Authority Abuse Points of Contact
All domain name registration authorities (including both registrars and registry operators) have a contractual obligation to publish an abuse point of contact, and registrars are required to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse.”10 This language should be cited in any takedown demand or demand for registration authorities to reveal nonpublic WHOIS data. Despite pervasive industry recalcitrance and a laissez-faire compliance attitude with respect to this language over the past several years, this contractual provision is undoubtedly more important than ever without access to key WHOIS data.
Arbitral Domain Name Disputes
Domain name registrars also have a contractual obligation to provide dispute resolution service providers, such as WIPO, with full registration data once a complaint has been filed under the Uniform Rapid Suspension System (URS), the UDRP, or the various corollary country code proceedings. It would not be surprising to see such filings increase sharply (particularly complaints against numerous domain names in bulk) as a means of revealing underlying nonpublic WHOIS data. The caveat is that a single complaint against multiple respondents is only proper where there is credible evidence of common ownership or control. Nevertheless, initiating lower cost proceedings, like the URS, could prove more useful than ever as an alternative way of obtaining underlying domain name registration data, even if the proceeding cannot ultimately continue on the merits against all of the named domains.
While helpful, these remaining tools simply do not, and cannot, get the job done as effectively as the prior WHOIS regime when it comes to intellectual property enforcement online. In any event, it is critical for all intellectual property owners to document the challenges caused by WHOIS data redaction (directly and/or through their brand protection or corporate registrar vendors), both to support ongoing policy development on the issue within ICANN and to inform legislative efforts in the United States and the EU to carve out WHOIS or website ownership data from privacy law requirements, in the interest of transparency, accountability, cybersecurity, law enforcement, and general anti-abuse purposes in the greater global public interest.
1. More specifically, a data “controller” is a person or legal entity that determines the purposes and means of the processing of personal data. A data “processor” is a person or legal entity that processes personal data on behalf of the controller. “Processing” in this context refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Regulation (EU) 2016/679, art. 4, 2016 O.J. (L 119) 1 [hereinafter GDPR]. Under the GDPR, “personal data” is “any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data. . . . Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymized, the anonymisation must be irreversible.” What Is Personal Data?, Eur. Commission, https://ec.europa.eu/info/law/law-topic/data-protection/reform/what-personal-data_en (last visited Feb. 14, 2019).
2. GDPR, supra note 1, at art. 83.
3. Id. at art. 3.
4. Id. at art. 5.
5. Id. at art. 6.1(a).
6. Id. at art. 6.1(b).
7. Id. at art. 6.1(f).
8. A “registry operator” is the entity that enters into an agreement with ICANN to operate a top-level domain (TLD), such as .com, .net, or .london. Registry operators are akin to the wholesaler of domain names. A “registrar” is the entity that enters into an agreement with ICANN to be authorized to register domain names to members of the public. Registry operators enter into agreements with registrars to authorize the registrars to sell domain names to the public in the TLD(s) operated by the registry operator. Registrars are akin to the retailers of domain names.
9. ICANN, Temporary Specification on gTLD Registration Data (May 25, 2018), https://www.icann.org/resources/pages/gtld-registration-data-specs-en/.
10. ICANN, Registrar Accreditation Agreement § 3.18.1 (Sept. 17, 2013), https://www.icann.org/resources/pages/approved-with-specs-2013-09-17-en.