It would be fair to say that the implementation of GDRP last year caused a number of headaches for businesses that handle personal data. However, one of the lesser publicised implications of GDPR was the redaction of all WHOIS information for registered domain names.
Suddenly, information about the registrant of a domain name, i.e. WHOIS data, was redacted by most domain name registrars. This information was previously freely accessible, provided that the registrant hadn’t opted to privacy shield their data, and was a useful tool to trade mark owners in enforcing their rights, particularly in complaints about domain names before the World Intellectual Property Office (WIPO) under its Uniform Dispute Resolution Policy (UDRP).
The UDRP requires that 1) the complainant have rights in a mark identical or confusingly similar to the domain name, 2) the registrant has no legitimate interest in the domain name, and 3) that the domain name was registered and is being used in bad faith. Both the second and third of these elements have been affected by the WHOIS blackout.
Lack of legitimate interest
Typical arguments that the registrant lacks a legitimate interest in the domain name include: the registrant is not an authorised licensee or reseller of the complainant; the registrant would have been aware of the complaint and its rights due to the registrant’s location and the reputation of the complainant’s mark; and that the domain name is not being used in connection with a bona fide offering of goods and services.
However, if the identity of the registrant is blocked, it is not possible for the complainant to know or confirm any of these details. It is also not able to point to the geographical location of the registrant and claim with certainty that it would have been aware of the complainant’s reputable trade mark rights in a particular territory when registering the domain name.
In terms of the third element, common arguments for bad faith include: the domain was registered for the purpose of selling the domain to the trade mark owner at an excessive cost; the domain was registered to prevent the trade mark holder reflecting its name in a corresponding domain name, and there is a pattern of such conduct; the domain was registered to disrupt the complainant’s business; or that the domain is being used in a commercial capacity to confuse consumers.
Given the absence of registrant details, it is now harder for trade mark owners to contact registrants before filing a complaint. So, trade mark owners potentially lose the opportunity to obtain useful evidence indicating the bad faith intentions of a registrant in pre-complaint correspondence, such as an offer to transfer the domain for an excessive sum. Reverse WHOIS searches can also no longer be conducted if the registrant is unknown. Plus, given the unknown identity and location of the registrant, trade mark owners can less convincingly argue that the registrant would have known about their trade mark rights, therefore have registered the domain name with the intention of disrupting its business or confusing its consumers.
So, the lack of WHOIS information following GDPR has put trade mark owners on the back foot when seeking to enforce their trade mark rights via the WIPO UDRP. There has been some discussion within the Internet Corporation for Assigned Names and Numbers (ICANN) regarding an ‘accreditation model’ which would allow certain parties access to WHOIS information, for example trade mark owners and their legal representatives. However, as yet, no such system has been established.