The General Data Protection Regulation, or GDPR, took effect May 25, 2018. As predicted, the GDPR has complicated access to WHOIS information (commonly used to look up the contact information for website domains for, among other things, stopping others from infringing IP rights) and given ICANN (the corporation that manages WHOIS data) a headache.
ICANN (Internet Corporation for Assigned Names and Numbers) continues to struggle to identify a proposal that bridges the gap between the requirements of the GDPR and access to WHOIS information. On the day the GDPR took effect, ICANN passed a Temporary Specification, which attempted to facilitate GDPR compliance while also preserving parts of the WHOIS system of domain name registration data. This temporary guideline states the registrar and registry operator must provide reasonable access to personal registration data to third parties for: (1) legitimate interests, except where those interests are overridden by the interests or fundamental rights and freedoms of the registrants or (2) when the specified request is deemed lawful by the European Data Protection Board (EDPB), a court having jurisdiction, or applicable legislation or regulation.
First, these temporary specifications have not prevented the brand enforcement problems I previously discussed. For example, some European domain name service registrars have decided to no longer collect WHOIS information. Furthermore, Brian Winterfeldt has reported that a California-based registrar has declined a data access request related to a specific enforcement effort of intellectual property rights and that other registrars are responding to such requests on a “case-by-case basis with no transparent or predictable criteria.” More alarming is the report that at least one global company has estimated its ability to enforce trademark rights against infringing domains may drop 24%.
Second, the EDPB still has problems with ICANN’s proposal. On July 5, 2018, the EDPB urged ICANN to develop new legal justifications for why it asks for the data that makes up the WHOIS database and provided further guidance in developing a GDPR-compliant WHOIS model. ICANN appears to be taking the EDPB’s guidance to heart and is hopeful they can create a GDPR-compliant-model that satisfies their purpose of providing WHOIS data to those who need it.
Unfortunately, only time will tell if a GDPR-compliant WHOIS database will emerge. In the meantime, it has become more difficult to determine who is in charge of websites infringing on intellectual property rights making brand enforcement more challenging.