GDPR and WHOIS – An update post 25 May

Posted on 22 June 2018

GDPR and WHOIS – An update post 25 May

One month after GDPR took effect across the EU, brand owners are coming to terms with the new reality of the limited data available when conducting WHOIS searches. In a last minute attempt to prevent WHOIS 'going dark' on 25 May 2018 (see our May bulletin for more details), ICANN issued a Temporary Specification for gTLD registration data (which will last up to one year, and must be reaffirmed every 90 days in that period). This governs how registries and registrars that are established in the EEA or offer their registration services to EEA registrants should deal with registrant data, although registries/registrars that do not fall within these categories can also decide to apply the Temporary Specification on a global basis. 

The main points to note about the Temporary Specification are:

  • Robust collection of registration data will continue, but certain information must be redacted from the publicly available WHOIS records (including the registrant's name, whether they are an individual or, for example, a company), unless they have consented. However, ICANN believes that registrars for at least 5-10% of gTLD names will stop collecting the full set of registration data because of GDPR compliance concerns. It has already brought proceedings in Germany against such a registrar, and has appealed the German court's decision refusing to grant it an injunction (it has also indicated that it will seek a reference to the CJEU).
  • An anonymised email address or web form must be provided to facilitate communication by, for example, an IP owner with the relevant contact, but this must not identify the contact email address or the contact itself. It is not clear how this will be monitored in terms of whether it has been received by the registrant.
  • "Reasonable access" to personal data must be given to, for example, an IP owner on the "basis of a legitimate interest pursued by [that] third party, except where such rights are overridden by the interest of fundamental rights and freedoms of the registered name holder or data subject".
  • Where there is a complaint under the Uniform Dispute Resolution Policy (UDRP), registries/registrars must provide the relevant UDRP provider with the full registration data.  Complainants can file a 'Doe' complaint if the contact information is not publicly available or otherwise known to them, but this will of course make formulating the complaint more complex.

Whilst it is still early days, whether a rights owner will obtain the relevant 'reasonable' access to registration data will depend upon how the individual registry/registrar interprets the rights owner's request and its reliance on the requisite legitimate interest. It will also depend on whether they apply the Temporary Specification on a global basis and do not differentiate between natural and legal persons.

As for Nominet and '.uk' domain names, rights owners are able to request access to all registry data, including contact data, via Nominet's data disclosure policy (by completing this form) which requires information to be given about the legitimate interest relied upon (so there will be some additional time and expense incurred by rights holders in substantiating the request). Nominet gives as examples of a legitimate interest: a trade mark holder wanting to identify the registrant to include them in a Dispute Resolution service complaint; solicitors acting for a party trying to enforce their IP rights; or a law enforcement agency requesting the data on a domain name. It appears that Nominet is currently keeping to its one day turnaround for data release.

Finally, ICANN continues to consider how to reconcile GDPR and WHOIS, and has issued a call for comments on proposals in relation to a new Unified Access Model, which it requires gTLD registries and registrar to be in a position to implement by December 2018. This aims to allow continued access to full WHOIS data for authenticated users with a legitimate interest consistent with GDPR, with authentication of those users possibly being provided by, for example, WIPO or the Trademark Clearing House. This could include defined categories of private third parties who agree to be bound to abide by codes of conducts but other third parties could still seek access on the basis of a legitimate interest where this is not overridden by the fundamental rights and freedoms of the registrant or a data subject. Issues to be resolved include fees (for both accessing WHOIS information and also to be accredited) and confidentiality.

This topic promises to be one that is hotly contested for some time yet, with EU data protection authorities, the European Data Protection Board and the EU Commission all keeping a watchful eye on the progress that ICANN, as the 'guardian' of the domain name system, is able to make.

How can we help you?

How can we help you?

Subscribe: I'd like to keep in touch

If your enquiry is urgent please call +44 20 3321 7000

I'm a client

Please enter your first name
Please enter your last name
Please enter your enquiry
Please enter a value

I'm looking for advice

Please enter your first name
Please enter your last name
Please enter your enquiry
Please select a department
Please select a contact method

Something else

Please enter your first name
Please enter your last name
Please enter your enquiry
Please select your contact method of choice