The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018, and it will see the implementation of tighter controls on the collection, processing, storage and making available of personal data. This will impact the ability of intellectual property rights holders to identify the individuals behind websites undertaking infringing activities.
Currently, information regarding domain names, such as the name and contact information of the registrant - so-called 'whois' information - is freely available. The whois details for a domain name set out who is responsible for a domain name, and who to contact in the event of concerns about the domain name itself, or the content of websites associated with the domain name.
Since whois information is public, it includes personal data about individuals - their name, address and often an email address and telephone number. To comply with GDPR, in order to publish personal data such as this, registrars would need to have obtained specific opt-in consent from the individual concerned. This has not routinely been obtained. For some time, individuals have been able to opt-out of publication of whois details by opting for a private registration, but typically this has been at additional cost.
As we draw nearer to the 25 May effective date, domain industry bodies have already begun making changes so that they do not fall foul of the new regulations. In one form or another, registrant details will be masked, so it will be much more difficult to obtain the identity and contact details of registrants of domain names. Whilst primarily directed at the details of registrants who are individuals, some registries look likely to apply changes uniformly, to include registrants which are organisations.
An example of the type and extent of the proposed changes being made by domain registries can be seen in the recent announcement made by Nominet, which is responsible for .uk domain names. Nominet has proposed that from 25 May, it will no longer display the registrant's name, contact details or address, unless explicit consent has been given by the registrant through a new consent mechanism. Nominet has committed to continue to provide such personal data to UK law enforcement agencies and to any third party seeking disclosure for what Nominet considers to be 'legitimate interests' in accordance with its data release policy, however it is far from clear that, for example, alleged IP infringement will be sufficient to trigger data release. Nominet has opened up a comment period for the proposed changes until 4 April 2018, which can be accessed here.
The Austrian Country Code Top-Level Domain (ccTLD) operator 'nic.at' has a more developed proposal. It will cease to publish any personal data of natural person registrants, but will not allow companies to have their email addresses and phone numbers hidden. Contact details may be made available to parties with 'legitimate reasons', including lawyers, but proof of infringement may be required.
Latvian ccTLD operator 'nic.lv' already does not publish the names, personal identity numbers and postal addresses of natural person registrants. For natural persons, public whois data is currently limited to email addresses and telephone numbers only. Even this limited information will cease to be made available. Instead, nic.lv will provide an electronic form allowing third parties to contact the relevant registrant whilst retaining registrant anonymity.
ICANN, which has a higher level of responsibility (particularly concerning top level domains such as .com), has proposed an interim solution which will apply from 25 May, in which registrant names and contact information will be masked unless the registrant opted-in to publication. The whois record will provide a method of contacting the registrant, but this will be anonymised. Further details of ICANN's interim model are available here. ICANN has been consulting on a more permanent solution, including making data (at least registrant email addresses) available to accredited users such as IP lawyers, but a solution such as that is unlikely to be implemented in the near future.
Effect of the changes
These proposed changes will be of concern to rights holders as they look likely to prevent or significantly slow down the process of identifying registrants which own potentially infringing or malicious domains. It will make it more difficult to contact registrants to encourage compliance, and more likely that formal legal action such as domain name complaints will be necessary. Also, it will become difficult to obtain information regarding other domain names owned by a rogue registrant (by so-called 'reverse whois' lookups), which is often a useful tool when bringing complaints. Registrants may now succeed in keeping other similar domain names up their sleeves, whereas currently a single action is enough to curtail use of several domain names.
The changes also mean that it will be much harder to conduct due diligence in business transactions. Whois details are used to check that a seller owns the domain names that it is purporting to sell. Frequently, pre-deal due diligence checking of the whois registers reveals that domain names are actually recorded in the name of a group company, an employee, or an IT company. This due diligence allows the position to be remedied before the transaction completes. A lack of public whois data will make effective due diligence much harder.
Given the effect of the changes, we encourage anyone concerned by the proposed changes to participate in the consultations. Whilst it seems very likely that whois will be largely locked-down in the near term, raising concerns at this point will hopefully result in information being made more available in the longer term.