Disputes concerning domain names, linked to cybersquatting, fraud, counterfeiting, and other forms of intellectual property infringement, are a regrettably common feature of modern business life. One important challenge when faced with a dispute of this nature is identifying who the registrant of a domain name is, particularly following the introduction by the European Union of the General Data Protection Regulations (‘GDPR’) in May 2018.
The rules governing civil litigation in the UK and elsewhere, and domain name dispute procedures operated by bodies such as Nominet and the World Intellectual Property Office, encourage parties to try and resolve issues between themselves before commencing formal proceedings. It is typically both less expensive and time consuming. This does, however, mean you need to be able to contact the other side. In addition, if it does become necessary to commence formal legal proceedings in relation to a domain name, you need to be able to identify who to serve them on.
The EU introduced the GDPR in 2018 to enhance the protection given to individuals’ personal data. Although the UK has now left the EU, the provisions of the GDPR were introduced directly into UK law as part of the exit process, in the form of the UK General Data Protection Regulation.
Pre-GDPR
Before the GDPR came into force, the name and contact details for the registrant of a domain name were generally accessible to the public via WHOIS searches that can be conducted via ICANN (the Internet Corporation for Assigned Names and Numbers), domain name registries such as Nominet and EURid (who are responsible for the administration of .uk and .eu domain names respectively), and other search sites.
It was possible for the ultimate controller of a domain name to hide behind a third party, and various businesses provided (and still do) “privacy services” to mask their identity. It was, nonetheless, a valuable starting point if the operator of a website’s contact details were not otherwise easily available.
Post-GDPR
Following the introduction of the GDPR, however, the name and contact details of domain name registrants are no longer made publicly available via WHOIS searches as a matter of course. The information is often withheld, even if, in many cases, it is not actually subject to the GDPR or similar data protection legislation.
Practice in this regard does vary. In relation to .eu domain names, the registrant is required to provide a contact email address that is published in the results of WHOIS searches carried out via EURid’s website and, if the registrant is a legal entity, its name is published and the country in which it is incorporated. In relation to .com and .co.uk domain names, however, it is not standard practice to reveal the name of the registrant even if it is a legal entity and contact details for the registrant are not provided as a matter of course.
In response to the GDPR, ICANN issued a temporary specification regarding the data concerning domain name registrants of generic top level domains (“gTLDs”), such as .com domain names, that should, and should not, be published by domain name registrars. The temporary specification also includes an obligation on domain name registrars of gTLDs to provide reasonable access to otherwise withheld personal data concerning a domain name registrant to a third party, on the basis of a legitimate interest pursued by the third party, except where such interest is overridden by the interests or fundamental rights and freedoms of the registrant pursuant to the GDPR. Read more about gTLDs in our blog The Trademark Registry Exchange - protecting trade marks against Generic Top-Level Domains cybersquatting.
Some domain name registrars provide online forms via which requests for the release of withheld data can be submitted. Others just provide a contact email address, with little or no information on what information is required to support the request.
Nominet and EURid will both release the data they hold regarding a registrant if a data release request form is submitted by someone with a legitimate interest. An example given by Nominet of such an interest is the ownership of a registered trade mark that has been used in a domain name, so that the registrant can be included in a dispute resolution complaint. It is possible to make a request on other grounds, including ownership of other intellectual property rights, but having a relevant trade mark registration makes the position much simpler.
If a domain name registry or registrar does not release the data requested, then alternative options have to be considered. Some businesses retain historic WHOIS information regarding domain names, including the registrant’s details, which can be accessed for a fee. However, these cannot assist with domain names that have been registered following the introduction of the GDPR and will be increasingly out of date. In some cases, it may be possible to file a complaint with ICANN concerning a registrar’s refusal to disclose data. In others, however, it may be necessary to commence court proceedings against the registrar in the country in which they are based to compel them to disclosure the data they hold regarding the registrant. As with any legal proceedings, this can be a costly, and lengthy, process.
The issue of the disclosure of registrants’ details is one that is still under consideration by ICANN and other bodies responsible for the administration of domain names. Until any new arrangements are introduced, the task of identifying a registrant who wants to remain hidden will remain a difficult one. Businesses can, however, put themselves in a stronger position by securing registrations for their trade marks, to assist in proving their legitimate interest in the data if an issue arises.
