There are over 330 million domain names supporting over 1.8 billion websites having a unique hostname on the internet right now. But who owns each of these? There are many reasons one may want to identify the owner or operator of a particular domain or website. In addition to law enforcement and cyber security, owners of IP need to be able to enforce their rights against illegal use of their IP or bad faith domain name registration and use. For example, if your trademark is being infringed by its use on a particular website, you would want to be able to identify the owner, send a cease and desist, and/or sue. Somewhat similar to registering a home or motor vehicle, domains or websites are typically registered and information useful to identifying the individual responsible for the domain or website has, historically, been publically available.
WHOIS is a system established in the 1980s, as the modern internet was emerging. It is used to look up domain registrations in databases that store the registered users or assignees of, e.g., a domain name or IP address. Currently, the name, mailing address, phone number, and administrative and technical contacts of those owning or administering a domain name must be made publicly available through WHOIS, pursuant to the Internet Corporation for Assigned Names and Numbers, or ICANN. WHOIS is not an independent database, but rather relies on third-party accredited entities to manage data and registration. According to ICANN, it is “committed to implementing measures to maintain timely, unrestricted and public access to accurate and complete WHOIS information, subject to applicable laws.” Id.
Enter the General Data Protection Regulation, or GDPR, which is a European Union data protection regulation that will apply to any company that transacts with EU citizens, regardless of the location of the business. The GDPR requires any business that collects any personal data to request explicit permission from the subject before using that data. Personal data is defined as any information that can be used to directly or indirectly identify that person, e.g., a name, photo, email, computer IP address, etc. Under the GDPR, enterprises must limit access to personal data to only authorized individuals that specifically require access to that data. The penalties for violations are significant – up to 20 million Euros or more – and there are no exceptions for enterprise size or scope. Id. The GDPR goes into effect May 25, 2018.
ICANN has been struggling to identify a proposal that bridges the gap between the requirements of the GDPR and the access to WHOIS information. The proposals, thus far, do not do enough to assuage the fears of the third party entities that manage WHOIS data that their actions of publishing information to WHOIS are sufficient and justifiable. On the other hand, brand owners and other WHOIS users are concerned that the proposal takes an unjustifiably conservative approach. Thus, ICANN expects a WHOIS blackout period starting May 25, 2018. Going forward, there may be significantly less publicly available information to conduct enforcement investigations, send cease and desist letters, or prepare and file suit.
Online brand enforcement is about to become much more difficult if not, in some cases, nearly impossible.