We’ve all read dozens of articles, blog posts, and tweets about how GDPR is coming. Unlike Game of Thrones’ much-promised winter, GDPR arrived relatively quickly.
With all this lead up, the message has essentially been that the General Data Protection Regulation (the long and rarely used origin of the term GDPR): (a) originates from the European Union (EU), but essentially applies everywhere; (b) will be dealt with by many websites outside the EU by simply blocking EU IP addresses to avoid compliance (this has already happened, including by sites such as The Chicago Tribune and LA Times); and (c) is designed to help EU citizens understand how their data is being used, and provide a mechanism for objecting.
What we haven’t seen in the press is much coverage on the negative impacts to intellectual property attorneys and their clients.
When children ask me what I do, I tell them I fight crime on the internet. That is the easiest way to explain all of the complexities of my job. I remove trademarks and copyrighted content from websites, I recover domain names on behalf of brand owners, I stop phishing websites from stealing currency and data information, and I take dangerous counterfeit goods off websites to prevent them from harming consumers and brand owners. Nearly all of our clients have internet issues, whether they are an internet-based business, or a tangible goods manufacturer. While I don’t wear a cape to work, I wear a metaphorical one that our clients thank me for on a regular basis.
My magical, crime-fighting powers have just met their kryptonite: the GDPR. Specifically, the GDPR’s negative impact on WHOIS databases around the world.
WHOIS is not an acronym—it stems from the question, “who is responsible for a domain name or IP address?” Domain registrars and other vendors worldwide operate WHOIS databases so that third-parties can find out more about those behind domain names and websites. Privacy services have been in place for years as a means of masking the true registrant details, if privacy was required. This system has worked quite well since 1982 (dating back to ARPANET days).
I use WHOIS nearly every day. If a domain is problematic, I use WHOIS to find out who registered the domain so I can send him/her/it a demand letter, and/or initiate a UDRP proceeding to recover the domain. Since winning a UDRP proceeding requires showing evidence of bad faith registration and use, the WHOIS details are often critical to discover when a domain was registered by a particular registrant, whether the registrant is a serial cybersquatter, whether the registrant owns other domains that feature our client’s mark(s), and whether the registrant has a direct relationship with the owner of the brand at issue (this is a friendly reminder to address domain ownership in all vendor, employee, and independent contractor agreements). Since it typically costs extra to pay for privacy services, many cybersquatters don’t bother. Until last week, the existing system protected information for individuals with true privacy needs (like celebrities), but permitted IP attorneys to research bad actors (like cybersquatters).
Because of the GDPR, WHOIS is no longer very helpful. WHOIS database providers worldwide are afraid of GDPR repercussions and have scaled back the information that is available to a point where it is no longer helpful. This means that direct information about individual domain registrants is often not available at all. Historical WHOIS details are being scrubbed as well, so it is not generally possible to see historical owners of a specific domain.
I conducted a search on May 25, 2018—#GDPRday. The WHOIS database I tried told me the date the website was created, the date it is due to expire if a renewal isn’t filed, who the registrar is, and other basic details. The registrant’s name, address, email address, phone number, and fax number—all fields that were previously available—are no longer present.
The net result (no pun intended) is that the GDPR is protecting infringers and cybersquatters, and hurting brand owners. Sure, I can still file a UDRP proceeding, but I will have no idea who the domain registrant is, when that particular registrant registered the domain, or how many other domains that registrant owns—even if those domains also feature our client’s brand. If the UDRP administrators, such as WIPO and FORUM, provide the registrant’s details to me as part of the UDRP proceeding, it will be difficult, if not impossible, to challenge several domains simultaneously, which historically offered significant cost savings to clients, as well as additional bad faith registration and use evidence.
The changes enacted by WHOIS database operators in response to the GDPR will facilitate more criminal activity, without measurably increasing individual privacy rights. Time will tell if ICANN, WIPO, FORUM, domain registries, domain registrars, and other major players in the administration of the internet will be able to return to a more balanced system that allows brand owners and their attorneys to track down infringers while still providing systems for anonymous registration when warranted. In the interim, the infringers may be able to get away with more bad activity, which will be bad for brand owners everywhere.