August 20, 2019 Articles

Trademark Owners in the World of the GDPR

The GDPR has made it more difficult for trademark owners to enforce their trademark rights.

By Dan Feng Mei and Delphine Knight Brown

The General Data Protection Regulation, commonly referred to as the GDPR, was adopted by the European Union (EU) on April 14, 2016, and went into effect on May 25, 2018. The GDPR is a legal and regulatory framework that is intended to provide enhanced protections for personal data. The GDPR applies to EU member states and to entities outside the EU that offer goods or services to individuals living in the EU and/or monitor the behavior of such individuals within the EU. The penalties for noncompliance with the GDPR’s regime can be as much as 4 percent of an entity’s total worldwide annual sales or €20 million, whichever is greater.

In the year since it has gone into effect, the GDPR has had unintended but nonetheless significant implications for trademark enforcement. It is important for intellectual property lawyers to familiarize themselves with the changes in the trademark enforcement process resulting from the application of the GDPR and to focus on new strategic considerations for trademark enforcement. 

WHOIS Shield

In order to enforce a trademark owner’s trademark rights, a trademark owner must identify the infringing entity by collecting and analyzing the infringer’s personal data. The trademark owner may be able to collect relevant information from third parties, such as internet service providers. But not all of the necessary information is publicly available since the GDPR went into effect.

The Internet Corporation for Assigned Names and Numbers (ICANN) is a system responsible for allocating IP addresses and managing the domain name system. ICANN contracts with domain name registries and registrars. When an entity registers a domain name, the entity must provide identifying contact information, including name, address, email, telephone number, and the names of administrative and technical contacts. This information is referred to as “WHOIS data” and is managed by registries and registrars.

In response to the GDPR and its requirements for the protection of personal data, ICANN proposed its Temporary Specification for gTLD Registration Data (Temporary Specification), which provides temporary modifications to the existing specifications regarding how registrars collect and display registrant information in the WHOIS database. Under the Temporary Specification, the registrar must redact the registrant’s name, telephone number, physical address, and email address. A trademark owner, however, can request a registrant’s personal data from the registrar if the trademark owner can demonstrate that it has a legitimate interest in the information and that the interest (1) is not outweighed by the fundamental rights of the data subjects and (2) is consistent with the GDPR. If the trademark owner cannot make this showing and the request is denied, the trademark owner may file an action in court and serve a subpoena on the registries and registrars to obtain the necessary information to enforce its trademark. The Temporary Specification was most recently approved on May 17, 2018.

The ICANN Board also adopted the Interim Registration Data Policy for gTLDs (Interim Policy), which provides that registrars must continue to implement data-privacy measures consistent with the Temporary Specification. The Interim Policy became effective on May 20, 2019. For the immediate future, therefore, the guidelines provided by the Temporary Specification will govern how registrars collect and display registrant information.

Trademark Enforcement Complications

The GDPR has made it more difficult for trademark owners to enforce their trademark rights. The GDPR has made it easier for counterfeiters and infringers to evade detection because of the increased difficulty in identifying them. In response to the GDPR, the International Trademark Association (INTA), a global association of brand owners and professionals dedicated to protecting trademarks, issued a toolkit for intellectual property lawyers consisting of tips to assist with the investigation of infringement and enforcement of trademark rights. Those tips include using data sources outside of WHOIS, such as manually searching websites for contact information and using IP addresses to provide more detail on the website host’s identity and location.

Pre-GDPR, one of the first things that companies did to address trademark infringement by online infringers or counterfeiters was to search WHOIS to obtain information about the domain registrant in order to send cease-and-desist letters. Since enactment of the GDPR, with limited information available from WHOIS, trademark owners have to devote more time and resources to locate information about the domain registrant. Trademark owners now have to be creative in coming up with ways to investigate instances of trademark infringement, such as analyzing website content, consulting associated websites, and demanding information from online intermediaries that control the identifying information of the potential infringer. Trademark owners could use the anonymous email address provided by the registrar, if available, to try to obtain necessary identifying information about registrants. However, the registrar may not timely or adequately respond. Another possible strategy for trademark owners is to report infringing conduct to the registrar’s abuse point of contact, after which the registrar is required to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse.” ICANN, Registrar Accreditation Agreement 21 (June 27, 2013).

A more formal option that trademark owners can pursue to stop infringement and enforce their trademarks is to institute a Uniform Dispute Resolution Policy (UDRP) proceeding to cancel or transfer a domain. This approach is similarly complicated by the fact that in order to commence a UDRP proceeding, the complaint must provide the name of the domain registrant and the registrant’s contact information. Although this information is difficult to find in the new world of the GDPR, under ICANN’s Temporary Specification, the dispute resolution provider is permitted to accept a UDRP case in the absence of the registrant’s contact information. When a UDRP complaint is filed, it triggers ICANN’s obligation to provide the contact information for the registrant of the domain name, even if that registrant has opted in to the registrar’s privacy shield option. Instituting a UDRP proceeding can eliminate the costs, hurdles, and delay involved with seeking to obtain the registrant’s contact information under ICANN’s Temporary Specification.

Trademark Enforcement Strategies

Since enactment of the GDPR, it has become more difficult for trademark owners to enforce their trademark rights against domain name registrants. This has led to a concern that the added time and expenses required to conduct a presuit investigation may discourage brand companies and trademark owners from pursuing infringing domain name registrants.

Because of registrants’ bad faith in registering and using the domain names and the challenges associated with investigating those registrants since the GDPR’s enactment, trademark owners have to be more strategic in figuring out how to get an infringing registrant’s information. Some possible strategies include the following:

  • Trademark owners can obtain information by other means, such as by filling out disclosure demands with online intermediaries controlling the registrant’s contact information.
  • Trademark owners can use the anonymous email address provided by the registrar, if available, to contact or obtain information about the registrant.
  • Trademark owners can report abusive conduct on websites, such as websites that allegedly contain infringing materials or websites that engage in illegal activity or unfair trade practices, to the registrar’s abuse point of contact. In response to such reports, registrars are required to “take reasonable and prompt steps” to investigate the alleged abuse and respond appropriately, which can benefit the trademark owner.
  • Trademark owners can file a UDRP complaint, which triggers registries’ obligation to provide the trademark owner with the registrant’s contact information. While some trademark owners may be hesitant to take this route because of the filing fees, which start at $1,500, this may be a cost-effective alternative to spending the time and resources necessary to track down the contact information for a domain name registrant and sending out demand letters prior to commencing enforcement proceedings.

Dan Feng Mei is an associate and Delphine Knight Brown is a partner at Axinn, Veltrop & Harkrider LLP in New York, New York.


Copyright © 2019, American Bar Association. All rights reserved. This information or any portion thereof may not be copied or disseminated in any form or by any means or downloaded or stored in an electronic database or retrieval system without the express written consent of the American Bar Association. The views expressed in this article are those of the author(s) and do not necessarily reflect the positions or policies of the American Bar Association, the Section of Litigation, this committee, or the employer(s) of the author(s).