The European Union’s General Data Protection Regulation (GDPR), aimed at protecting against privacy and data breaches, went into effect on May 25. The territorial reach of the new regulation is extensive. The GDPR applies to companies processing and storing data of any individual in the European Union (EU), regardless of company location and even where that data is publicly available or voluntarily submitted by the individual.
Among the many implications, the ability of brand owners to enforce their trademarks against domain name squatters and infringers is likely to be affected post-GDPR because the law shields valuable identifying information. Compliance with the GDPR prevents public disclosure of information previously made available in WHOIS records for domain name registrations (i.e., name, physical address, email address and phone numbers). For IP rights holders, the free WHOIS database is a vital tool for enforcing unlawful or bad faith domain name registration and use. It provides parties with the ability to investigate and address infringements, reach out to unauthorized parties directly, and file a complaint to recover or disable an infringing domain name. Without access to WHOIS data, it will not be possible, in many cases, to identify the domain registrant of an offending domain name.
For now, brand owners will still be able to pursue domain disputes under the Uniform Domain Name Dispute Resolution Policy (UDRP). On May 17, ICANN adopted the temporary specification for gTLD registration data to provisionally provide a framework for handling domain registration data. Specifically, the temporary specification allows UDRP providers (i.e., WIPO or the forum) “to accept complaints … even if the complainant does not have the contact information for the respondent.” Historically, the UDRP rules required a complainant to serve the complaint upon the domain name registrant at the contact information provided through the WHOIS service. Under the temporary specification, the complainant “may file a ‘Doe’ complaint and the provider shall provide the relevant contact details of the registered name holder after being presented with a ‘Doe’ complaint.” The ICANN-compliant domain registrar will be required to provide the full registration data for the registrant to the UDRP provider after receiving notification that the complaint has been filed.
Nonetheless, challenges with the GDPR and online enforcement under the UDRP remain. Under the UDRP, a complainant must prove the following three elements: the domain name is identical or confusingly similar to a trademark or service mark in which the complainant has rights; the registrant has no rights or legitimate interest in the domain name; and the domain name has been registered and used in bad faith. The reduced amount of WHOIS data available negatively impacts on the ability of brand owners to properly assess rights or legitimate interests in a domain name or bad faith registration and use. For example, without full access to certain WHOIS data, a trademark owner cannot easily determine if the registrant is commonly known by the domain name, whether the domain name was registered primarily to disrupt the business of a competitor, or whether the registrant engaged in a pattern of bad faith or abusive registrations. The GDPR also creates procedural challenges in identifying other commonly owned domains (associated with a particular registrant), often consolidated into one complaint. Similarly, evidence that a registrant is considered a “sophisticated domainer” is often relevant in a UDRP proceeding. Brand owners will need creative solutions to combat online infringement and the new set of challenges introduced by the GDPR.
Enforcement strategies in the wake of the GDPR are continuing to evolve. As the name suggests, the solution offered by the temporary specification is only temporary: the resolution is renewable by ICANN at 90-day intervals for up to a year. Brand owners should consult a qualified and experienced trademark attorney for guidance on the latest domain name enforcement strategies.
Jaime Rich Vining is a founding partner at Friedland Vining in Miami. She is Florida bar-certified in intellectual property. Contact her at email@example.com.