The practical effect of the GDPR in connection with domain name enforcement can leave (and should leave) even the staunchest supporters of data privacy rights scratching their heads.
The implementation of the General Data Privacy Regulation (GDPR) in May of 2018 had an immediate impact on trademark enforcement in the domain name arena. While the GDPR applies to entities or persons that have customers in the European Union (EU) or collect data on EU citizens, the actual reach of the GDPR has extended beyond the EU borders in connection with domain name enforcement and has had an immediate and tangible impact on trademark owners that have been left with no choice but to dig deeper into their legal spend to combat domain name infringement issues.
Due to the implementation of the GDPR, the Internet Corporation for Assigned Names and Numbers (ICANN) adopted a resolution calling for the redaction of all contact information for a domain name registrant contained within the publicly accessible databases known as “WHOIS” through which a user can input a domain name and, within a few clicks, receive information regarding the domain name registrar, domain name registrant, domain name registrant organization (if applicable), the state or province of the domain name registrant, and the country within which the domain name registrant resides. This information, readily available pre-GDPR, provided trademark owners with the information necessary to engage in informal enforcement tactics, such as email communications with the domain name registrant, prior to engaging formal legal remedies. The use of such informal enforcement tactics is obviously more cost-effective for a trademark owner and often results in an informal resolution, such as a domain name registrant agreeing to hand over the domain name in question.
Where are we now?
With the redaction of contact information for most domain names in the WHOIS databases, regardless of where the domain name registrant is actually located, trademark owners must now either look to alternative options or immediately engage the respective and/or applicable formal dispute resolution policy, such as the Uniform Domain Name Dispute Resolution Policy (UDRP) or the Uniform Rapid Suspension System (URS).
Alternative options are inherently limited. For example, pursuant to Section 4.1 of ICANN’s Temporary Specification for gTLD Registration Data, Annex A, “registrar and registry operators must provide reasonable access to personal data in registration data to third parties on the basis of a legitimate interest pursued by the third party” and such requests should include the concerned domain name, the name of the trademark owner requesting the information, the name and contact details for the trademark owner’s representative, the information being sought, a statement outlining a specific legitimate reason why the information is being sought, information on the concerned trademark, and a certification that the non-public registrant data will be retained/used to pursue a legitimate purpose within the permissible scope of the GDPR. While this appears hopeful on its face (and the legal departments of the registrars in receipt of such a request will typically provide the information requested), the author of this article has to date found the information provided to show that the registrant of the domain name in question had “opted-in” to the registrar’s privacy shield option. Thus, ICANN’s interpretation of the GDPR in this regard has arguably provided an extra “privacy shield” at no cost for the domain name infringer, arguably placing the trademark owner back at square one as a domain name registrant using a privacy shield option will seldom reply to any communications couched in terms of a “dispute” (and the trademark owner was unable to include this in its initial assessment of how to handle the case).
This prompts one to ask the question: should a trademark owner proceed immediately with a formal complaint filed under either the UDRP or URS? For many the answer has been a resounding yes, perhaps evidenced by the World Intellectual Property Organization’s (WIPO) recent revelation that it received a 12% increase in UDRP complaints in 2018 for a record 3,447 cases in one year. The reason for this appears to be clear: once a UDRP (or URS) complaint is filed, it triggers ICANN’s obligation to provide the true contact information for the registrant of a domain name in a formal dispute, even if that registrant has “opted-in” to the registrar’s privacy shield option. Thus, moving forward with a UDRP as a first step eliminates the costs and runaround involved with seeking to obtain the contact information under Section 4.1 of ICANN’s Temporary Specification for gTLD Registration Data, Annex A.
Of course, to determine whether a UDRP or URS complaint should be filed, trademark owners will need to consider the type of top-level domain (TLD) involved, the desired outcome, and budget constraints. For example, while the URS filing fees are under $500, a URS complaint can only be used on new gTLDs (e.g., .app, .club, .design, etc.) and can only suspend the domain name for the balance of the registration period and one additional year, provided that the trademark owner pays the annual registration rate set by the domain name registrar. On the other hand, UDRP complaints can be filed against any gTLD, and are the jumping-off point from which many trademark owners find themselves. The filing fees for a UDRP complaint start at $1,500 but may provide a viable alternative to spending the time and resources necessary to track down the contact information for a domain name registrant and sending out demand letters into the ether world. This is especially the case if a trademark owner is able to resolve the dispute prior to a panelist being appointed in the UDRP action, as the trademark owner can have a substantial portion of that filing fee refunded.
What can we expect?
While WIPO reported a 12% increase in UDRP complaints in 2018, we can expect that number will increase for a multitude of reasons. First, and if for no other reason, the GDPR was not in effect for the entirety of 2018. Second, trademark owners will likely become frustrated with ICANN’s reliance upon Section 4.1 of ICANN’s Temporary Specification for gTLD Registration Data, Annex A as an appeasement to trademark owners. Third, serial domain name infringers will likely feel emboldened by the impact of the GDPR on a trademark owner’s ability to learn the identity of the domain name registrant. Indeed, with the hundreds of new gTLDs in existence and the new prohibitions on the type of information that can be made publicly available in WHOIS databases due to ICANN’s interpretation of the effect of the GDPR, we have a very ripe scenario for domain name infringement to increase exponentially. As a result, trademark owners should expect enforcement efforts to include more UDRP and URS complaint filings and a corresponding increase in trademark enforcement costs.
If you would like to learn more about domain name enforcement issues or the new gTLD era generally, or if you have a specific question about implementing a domain name enforcement program that takes into account the impact of the GDPR, please contact Samantha M. Quimby or any attorney in our Intellectual Property Law and Litigation or Privacy and Data Security Law teams.
A “registrant” = the domain name holder; a “registrar” = the entity from which the registrant registered the domain name (e.g., GoDaddy); a “registry” = the entity that runs the top-level domain, such as Verisign that runs .com.
For more information on the new TLD-era, please see the following legal updates: https://www.frostbrowntodd.com/resources-1597.html; https://www.frostbrowntodd.com/resources-1708.html; and https://www.frostbrowntodd.com/resources-the-new-tld-era-status-update-what-have-we-seen-and-what-should-we-expect.html.