What do you do when you want to look up the owner of a domain name? You probably perform a “WHOIS search” to find out the owner’s name and contact information. The WHOIS system, which makes certain domain registration data publicly available, is an invaluable research tool for trademark owners and their lawyers. But the system as we know it is about to change forever. Because of personal data privacy regulations passed by the European Union (EU), the Internet Corporation for Assigned Names and Numbers (ICANN) is racing to finalize an interim model that allows domain name registrars to comply with privacy obligations while still preserving as much WHOIS data as possible. If ICANN cannot finalize a replacement model soon, the WHOIS system will undergo a months-long “blackout” period during which critical domain registration information will no longer be publicly available.
What is the GDPR?
In April 2016, the EU Parliament adopted the General Data Protection Regulation (GDPR) with one main goal in mind: to protect the personal privacy and data of EU citizens. Among other things, the measure prohibits companies that collect data on EU citizens in EU member states – including giant corporations like Facebook and Google, and domain registrars like GoDaddy – from publishing information that identifies individuals. When the GDPR goes into effect on May 25, 2018, companies that are not in compliance with the higher privacy restrictions could be forced to pay very steep fines (organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million!).
WHOIS and ICANN
ICANN has agreements with thousands of domain operators and registrars that require them to provide free public access to data on registered domain names, or “WHOIS data.” There are a number of free WHOIS search tools that provide access to WHOIS data, including information such as domain name expiration and creation dates and registrants’ contact information. WHOIS services are a valuable resource for trademark owners and lawyers, allowing them to identify domain holders and enforce rights against illegal website content or bad faith domain name registration and use.
Uncertain future for WHOIS data
The conflict between the GDPR’s newly-imposed privacy obligations and ICANN’s longstanding mission to provide accessible and accurate WHOIS data has proved difficult to reconcile. While ICANN currently requires domain registrars to disclose registrants’ personal data, the imminent GDPR prohibits them from doing so. Ever since the GDPR was adopted, ICANN has been trying to propose an interim model that allows registrars to comply simultaneously with their obligations to ICANN and under the GDPR.
Last month, ICANN community members met in San Juan, Puerto Rico at ICANN 61, and the primary discussion topic was ICANN’s recently-proposed interim GDPR compliance model. The model, which essentially allows registrars to retract personal information about a domain name registrant such as that person’s name, email, or phone number from public WHOIS data until ICANN can finalize plans for a replacement of the WHOIS system, has sparked criticism from both contracting parties (such as registrars) and concerned brand owners. Certain contracting parties believe that requirements in the new model – such as the proposed publication of registrant organization information – may still run afoul of the GDPR because that information could possibly contain personal data. On the other hand, government, cybersecurity, and intellectual property owner representatives have expressed concern that publication of a registrant’s name or email should still be required because it is essential for transparency, enforcement, and security purposes that outweigh the registrant’s privacy interest.
ICANN plans to settle on a final model by the GDPR enforcement date of May 25, at which point it will likely place all of the currently available WHOIS data behind a wall where it will no longer be accessible by the public. This “WHOIS blackout” period will last at least six months until ICANN likely implements its accreditation mechanism to allow third parties to access this “walled” data. This blackout period may have significant ramifications for trademark enforcement, as the data that so many trademark owners have depended on to identify and enforce against infringers and squatters may no longer be accessible for the entire second half of this year. Trademark owners are encouraged to contact ICANN committee members and others with an interest in preserving the WHOIS system to ensure a mechanism is in place to preserve and access any non-public data before it becomes “walled.”
The WHOIS system as we know it will never be the same and, in fact, we may not have access to any WHOIS data from May 25 through the end of this year as ICANN scrambles to implement a workable data-compliant model. Any trademark owner can submit comments to ICANN to express concerns with the proposed interim model, especially the lack of inclusion of a public registrant name or email address, which can greatly affect the ability of brand owners and their lawyers to enforce trademark rights.