Trademark policing in a GDPR world: the state of play with WHOIS and China’s trademark office to drastically cut filing times
The EU General Data Protection Regulation (GDPR) came into force on 25 May 2018 – the same day that ICANN’s Temporary Specification for gTLD Registration Data became effective.
This temporary solution was the result of efforts to ensure that the publication and availability of WHOIS data is compliant with GDPR and is an effort to buy time to formulate a longer-term solution. Specifically, the model – which ICANN’s contracted parties are required to apply when processing personal data linked to the European Economic Area – restricts access to personal data to those with a “legitimate purpose”, meaning that such users can request access to data through registrars and registry operators.
ICANN has previously argued that IP enforcement represents a legitimate interest. However, until a formal unified access model is in place, registries and registrars will have to determine which requests are permissible under the law. Alternatively, rights holders can contact either the registrant or listed administrative and technical contacts through an anonymised email or web form available via the registered name’s registrar.
The immediate impact of GDPR enforcement has been a disparity in the way that different registries and registrars treat WHOIS data, meaning that rights holders have been left to navigate a patchwork of approaches. In reaction, Brian J Winterfeldt, principal of the Winterfeldt IP Group and president of ICANN’s Intellectual Property Constituency, and Phil Marano, senior associate at the Winterfeldt IP Group, have identified the following five tools, which remain available to rights holders beyond merely asking registration authorities to reveal non-public WHOIS data:
- reporting infringement or abuse with the web host abuse point of contact;
- sourcing functional contact information on the web or domain parking page itself, which may be available in cases of innocent infringement;
- utilising archived WHOIS data;
- asking the registration authority abuse point of contact to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse”; and
- using domain dispute mechanisms (eg, the UDRP and lower-cost URS) as an alternative way to reveal underlying domain name registration data.
The temporary specification adopted by the board is effective for a 90-day period beginning 25 May and can be reaffirmed by the board every 90 days for up to a year. Therefore, the ICANN community has 12 months in which to formulate a permanent solution.
Counsel comment
Numerous regulatory, legislative, legal and policy initiatives remain underway to help obtain ready access to full WHOIS data for legitimate purposes such as IP enforcement. To help fuel those efforts for change, it is crucial that IP rights holders fully document and leverage the harm that they have felt due to the disappearance of publicly accessible WHOIS data. Demonstrated harm can be as simple as an anecdote about a domain name registrar that refused to disclose WHOIS data shy of a subpoena or court order. And it can also be as complex as asking your brand protection vendors to perform a comparative study to document any recent decreases in effectiveness rates in your online enforcement programmes. In all cases, documented harms should be reported to the ICANN contractual compliance department via email to [email protected].
Brian Winterfeldt, The Winterfeldt IP Group