Since the European Union’s General Data Protection Regulation (GDPR) went into effect in late May, its impact continues to be felt by cybersecurity researchers, investigators, law enforcement officials and – perhaps less obviously – anyone who relies on the information provided by the Internet Corporation for Assigned Names and Numbers’ (ICANN) WHOIS service. This includes lawyers, like us, who routinely check WHOIS to ascertain the identity of a domain name registrant.
ICANN requires domain name registrars to collect information, such as basic contact information, from domain name registrants. Previously, absent a paid privacy shield service adopted by the registrant, the information collected was made publicly available by the registrar through the WHOIS database. Now, in an effort to avoid liability under the sweeping GDPR, registrars are refraining from publishing this information. Instead, per a temporary specification developed by ICANN, many are providing a randomized email address or web-based contact only, which can be used to contact the registrant anonymously.
The temporary specification also requires each registrar to determine, on a case-by-case basis, whether the party requesting the personal information has a legitimate interest in the information and whether it outweighs the privacy interests of the registrant. It remains to be seen how this balancing test will play out in practice; one wishing to override a registrar’s decision in that respect may need to seek a subpoena or other legal means of obtaining the information.
The qualified good news is that despite these changes, brand owners are still able to file complaints under the Uniform Domain Name Dispute Resolution Policy (UDRP) – albeit with more effort. What was once a single-step process may now require two or three steps: filing an action without including the registrant details, and then amending the complaint to later include that information, once the forum receives that information from the registrar.
One final note: ICANN’s temporary specification expires in May 2019, and it’s likely we’ll see further changes then. But unless drastic changes occur – which we do not anticipate – brand owners should expect to wear their “investigation” hats more often when enforcing rights against cybersquatters!