The coming into force last May of the European General Data Protection Regulation (“GDPR”) raised many questions concerning the Unified Domain-Name Dispute-Resolution Policy (“UDRP”) and some of the main requirements for successfully obtaining ownership of a disputed domain name. The UDRP is today the instrument most often used by IPR owners for gaining control over disputed domains without resorting to lawsuits or giving in to payment requests from abusive registrants. Relying on the registration data provided by the WHOIS service has so far made it possible to connect different domains abusing a particular intellectual property right, allowing them to be addressed with a single complaint. Trademark owners and their representatives have relied heavily on the directory bulk access to registrants’ data for collecting information about registrants and cybersquatters abusing the DNS. The limits imposed by the GDPR on accessing registrants’ data might force trademark owners to resort to new criteria to demonstrate the absence of a legitimate interest, or the presence of bad faith, on behalf of their UDRPs respondents. While the conditions for filing a UDRP remain unchanged, the ability of complainants to satisfy the decisional criteria of the administrative panels might be significantly impaired in the aftermath of the GDPR. In an effort to clarify the GDPR’s effects on the UDRP for the parties involved, WIPO has recently addressed the most relevant issues in an informal Q&A on the matter. 

While publicly available WHOIS data may no longer include domain registrant identifiers (such as the registrant’s name and the domain’s administrative, billing, and technical contacts), according to WIPO it would still be possible for trademark owners to file a UDRP against the respondent for the disputed domain by indicating as the details of the registrant the data set results provided in publicly accessible WHOIS, e.g., PRIVACY REDACTED. This is no different from what was previously required in cases where the registrant’s data was be protected by proxy and privacy services.[1] The approach as to application is yet to be harmonized: some registrars might, in fact, apply restricted access also in connection to the “organization” data field, taking into consideration the possible issue of sole proprietorships, i.e. commercial operations bearing the name of an individual. Similarly, registrars having no establishment in the European Union will not necessarily apply redaction to WHOIS data for all their registrations.[2] Instead, those registrars might redact WHOIS data only in connection with natural persons located in the EU.

Accessing registrants’ information after filing a UDRP

As is the case where the defendant’s identity is protected by privacy services, once the UDRP complaint is filed, ICANN accredited registrars are theoretically required to provide full registration data to the interested UDRP provider. In accordance with several commentaries on the GDPR, data disclosure on behalf of the registrar would in this context be legitimized both by Article 6.1(f), (legitimate interest), and by Article 6.1(b), (the performance of a contract). When a UDRP Provider receives the defendant’s information from the registrar, it would then transmit it to the complainant, thus allowing the amendment of the original complaint with the newly received information about the defendant. However, due to the current inadequacies in ICANN’s Registrar Accreditation Agreement (RAA) with respect to the GDPR, there is a particular risk that registrars could refuse to provide the required data set to the UDRP provider, or ask for further information regarding the case in question before agreeing to the data disclosure. From a legal perspective, proving the absence of legitimate interest on behalf of the defendant can be significantly challenging per se for the trademark owner.[3]Such a burden of proof could hardly be met without knowledge of the registrant’s identity. In these cases, WIPO does not provide a general answer, but advocates finding solutions on a case-by-case basis, together with the possibility of resorting to ICANN for assistance in ensuring the registrar compliance with the RAA. However, the latter solution does not guarantee success, as is suggested by the decisions recently taken by the German courts in ICANN v. EPAG Domainservices, GmbH (preliminary reference pending before the ECJ).

Requesting data disclosure directly from the registrar 

Alternatively, in the absence of a centralized clearing-house, and awaiting ICANN’s implementation of its compliance model,[4] [5]trademark owners might contact domain name registrars directly to request partial disclosure of the registration data of the subjects infringing their intellectual property. Data disclosure by the registrar can in this context be legitimized under Article 6.1(f) of the GDPR only by conducting the appropriate balancing exercise between the complainant’s legitimate interest in obtaining the registration data on the one hand, and the fundamental right and interest of the data subject to have his personal data protected on the other. Only when the latter do not override the legitimate interests of the complainant would the registrar be entitled to grant disclosure of the data. To qualify as legitimate, the complainant’s interest must necessarily be lawful, represent a defined and present interest and be sufficiently specific and articulated to enable its effective balancing against the data subject’s right to data protection.[6] The elements to be taken into consideration by the individual registrar when conducting the assessment are not harmonized, but WIPO indicates that trademark owners or their representatives should be able to provide (indicatively): the concerned domain name; details of the trademark owner; the requested information (i.e. the registrant name); a statement describing the claimed legitimate interest in accessing the information  (in this case the enforcement of an intellectual property right); information on the concerned trademark; a certification that the requested personal data would be retained and used for the claimed legitimate interest only within the permissible scope of the GDPR.[7] The ad hoc processes necessary for conducting the balancing exercise, together with the required level of expertise and the amount of queries they might be subjected to, has already led several registrars to requiring the payment of a fee when applying for the disclosure of registrants’ data. The legitimacy of such an economic burden in accessing registration information could certainly also be questioned in light of the aims of the GDPR, since it significantly impedes the free movement of personal data within the Union.[8]

Costs of the procedure and possible refunds 

Filing a UDRP against a defendant whose privacy is protected under the GDPR can present additional costs for the trademark owner already in the preliminary phase of the dispute. As mentioned, filing a UDRP against an unknown defendant would significantly limit the complainant’s ability to assess and demonstrating the absence of the respondent’s right or legitimate interest in respect of the disputed domain name, in accordance to what is mandated by paragraph 4(a) of the UDRP. For cases where the information provided by an RAA compliant registrar would lead to the withdrawal of the UDRP complaint (e.g., when the registrant would turn out to be the trademark owner’s authorized licensee), WIPO (and no other UDRP Provider) provides the possibility for a refund of a 1.000 USD. The current cost for filing a UDRP before a single-member panel is 1.400 USD (that is the case for transfer requests of 1 to 4 domains), and 4.000 USD for cases requiring the assessment of a three-member panel.

With regard to consolidation, WIPO has been suggesting that in the absence of the registrant’s information, the administrative panels might increasingly focus on other indicators of common control. The absence of the registrant’s data has made the identification of other unambiguous identifiers, such as the use of similar naming patterns, templates, and text, a fundamental requirement for trademark owners to demonstrate common control over multiple abusive domains

The publication of names of parties to disputes after WIPO panel decisions

In the same way, the inaccessibility of the identity of the registrant for the disputed domain could also undermine the complainant’s possibilities of demonstrating the respondent’s bad faith pursuant to paragraph 4(a) of the UDRP.[9] In accordance with paragraph 4(b) of the UDRP, which contains a non-exhaustive list of conditions that could demonstrate bad faith in the registration or use of domain names, a pattern of abusive domain names registrations on behalf of the respondent constitutes evidence of bad faith. In its “Jurisprudential Overview 3.0” of 2017, WIPO highlighted how UDRP administrative panels have established that a minimum of two previous abusive domains registrations by a respondent constitutes “a pattern of conduct of preventing a trademark holder from reflecting its mark in a domain name.” The implementation of the GDPR, and the consequent removal of domain name registrants’ data from the data set displayed in response to WHOIS queries, no longer allows trademark owners to verify abusive patterns of behaviors through name-based searches of administrative panels’ archives before filing a UDRP when the registrar would not agree to such preventive disclosure, but only for possible amendments to their original complaints once the relevant registrar agrees to provide the registrant’s data to the UDRP provider. On its side, WIPO has ensured the publication of dispute party names following paragraph 4(J) of the UDRP, as necessary for the overall functioning of the UDRP procedures (and therefore for the performance of the RAA contract, thus in accordance with Article 6.1(b) GDPR). Nonetheless, it would still be possible for any of the parties involved in a UDRP procedure to submit a motivated request for having their personal information redacted, thus potentially countering WIPO’s efforts in ensuring the operability of the system. The criteria set out by the GDPR and in the guidelines of the Article 29 Working Party on the matter of personal data deletion,[10] most of all the criterion of relevance to the public, hardly support such deletions, especially where registrants are found to have conducted abusive registrations.

Attending ICANN meetings both in our capacity as members of the Intellectual Property Constituency at ICANN and otherwise, Thomsen Trampedach actively follows the development of the ongoing discussion on the GDPR implementation process for the WHOIS service directory in all its aspects, including its effects on UDRP procedures, registrar liability and the effective investigation and enforcement of online IPR infringement.

[1] See e.g. Tencent Technology (Shenzhen) Co.Ltd v. Super Privacy Service c/o Dynadot
Wipo Case No. D2018-0391, available at http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2018-0391

[2] See Article 3.1, Regulation (EU) 2016/679, ”GDPR”

[3] See Do The Hustle, LLC v Tropic Web, WIPO Case D2000-0624, 21 August 2000

[4] See ICANN Draft WHOIS Accreditation and Access Model for Non-Public WHOIS Data, Version 1.7, 23 July 2018, available at https://www.icann.org/resources/files/1217103-2018-07-23-en

[5] See ICANN Temporary Specification for gTLD Registration Data, available at https://www.icann.org/resources/pages/gtld-registration-data-specs-en

[6] See Article 29 Data Protection Working Party, Opinion 06/2014 on The Notion of Legitimate Interests of the Data Controller under Article 7 of Directive 95/46/EC, April 2014, pp. 23-24

[7] See WIPO Center, Informal Q&A concerning the GDPR as it relates to the UDRP, available at http://www.wipo.int/amc/en/domains/gdpr/?utm_source=WIPO+Newsletters&utm…

[8] See Article 1.3, Regulation (EU) 2016/679, ”GDPR”

[9] See e.g. Carlsberg A/S v. Xu Guo Xing, WIPO Case No. D2017-0301, available at http://www.wipo.int/amc/en/domains/search/text.jsp?case=D2017-0301

[10] See Guidelines on the Implementation of the Court of Justice of the European Union Judgment on “Google Spain and INC V. Agencia Española De Protección De Datos (AEPD) and Mario Costeja Gonzalez” C-131/12 – Article 29 Data Protection Working Party