On May 25, 2018, the European Union’s General Data Protection Regulation (GDPR), which regulates data protection and privacy for all European Union citizens, took effect.  The regulation has wide reaching impact, applying to companies processing and storing data of any individual in the European Union, regardless of location.  (Article 3(2) GDPR.)

Among the many implications, the ability of brand owners to enforce their trademarks is likely to be affected.  One of the first actions taken by companies who wish to enforce their trademarks against online infringers or counterfeiters is searching the WHOIS database to obtain information about the domain in order to conduct investigations and send cease and desist communications.  In addition to providing technical information about the date of creation and expiration of a domain, this free database provides contact information for the registrant of a website, including name, physical address, email address, and phone numbers.  The WHOIS database is regulated by the Internet Corporation for Assigned Names and Numbers (ICANN), which has agreements with domain registrars worldwide to maintain the WHOIS data.

In an effort to comply with the GDPR and given the difficultly of determining which domain owners are EU subjects, many registrars removed data for all domains, listing only the state/province and country of the registrant contact, and an anonymous email address directed to the registrar (for example, in the case of the domain owned by a French company and the registrar is Gandi SAS, the email address would comprise a long string of numbers/letters followed by @contact.gandi.net.)  Other registrars, such as WHOIS.com, appear to have selectively redacted the information for registrants providing an EU contact address.  In light of this WHOIS blackout, the GDPR has effectively made it easier for counterfeiters and infringers to evade detection.

One domain registrar, the German-based EPAG Domainservices GmbH, announced that it will stop collecting the administrative contact and technical contact information of a registrant, because it believes that mere collection of this data would violate the GDPR.  On the same day the GDPR took effect, ICANN filed a legal action in Germany for injunctive relieve against EPAG, seeking a determination that the GDPR permits the collection of information and merely prevents the public display of such information.  ICANN argued in its motion that the collection and preservation of information is required for the “stable and secure operation of the domain name system, as well as a way to identify those customers that may be causing technical problems and legal issues with the domain names and/or their content.”  On May 30, 2018, the Regional Court of Bonn rejected the motion for preliminary injunction, stating that the collection and storage of the administrative and technical contact information of the registrant violates the GDPR.  The Court also stated that the extra contact details, namely the administrative and technical contact, are not necessary for a domain to be registered, and indeed, many registrants list the same information provided for the registrant contact as the administrative and technical contact.

There are also implications for enforcement beyond the investigative stage.  Trademark rights holders can institute a Uniform Dispute Resolution Policy (UDRP) action to obtain cancellation or transfer of a domain.  Current UDRP rules require the Complainant’s complaint to provide the name of the respondent (the domain name registrant) and the respondent’s contact information.  However, complying with this requirement will be difficult in light of the WHOIS blackout.  In response to this concern, ICANN has adopted a Temporary Specification that allows the dispute resolution provider to accept a UDRP case in the absence of contact information for the respondent and requires the registrar to provide the dispute resolution provider with the full registration data of the registrant.  This is an interim resolution, which may be in effect for no more than one year, so it remains to be seen what the final ICANN policy will be.