Knock-knock. WHOIS there? WHO knows! – Domain name dramas in the aftermath of the GDPR
Websites. They touch every aspect of your life - whether it is to help you do your banking or to order food to your doorstep. Today, an entire business can function online without the need for a physical presence.
But how do you identify the brains behind a website? Perhaps you are buying a business and you want to ensure the domain name that the website is attached to (often a very valuable asset) is transferred to you at settlement. Or maybe someone has set up a website and is ‘passing off’ their business as your own, and you want to identify the copycat so that you can force them to take down their website, or transfer the domain name to you. What do you do?
Never fear, WHOIS is here!
Prior to 25 May 2018, if you wanted to identify the owner of a domain name you could do a free ‘WHOIS’ search, enabled by the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN requires domain name registrars to collate the name and contact details of the registered owners of domain names. The WHOIS Lookup search allowed databases containing this information to be freely and instantly searched by the public.
However, as of 25 May 2018 these searches cannot be conducted as freely and instantly as before, due to recent changes in privacy laws in the European Union (EU).
GDPR - privacy law gone too far?
In April 2016, the EU Parliament introduced the General Data Protection Regulation (GDPR) to protect the privacy of individuals in the EU. The GDPR came into effect on 25 May 2018 and applies to all organisations (including organisations outside of the EU) which process the personal data of individuals in the EU.
The GDPR places tougher requirements on organisations (like domain name registrars) who wish to disclose the personal data of individuals via public registers (like the WHOIS databases).
There are penalties for breaching the GDPR, including a fine of up to 4% of annual global turnover or €20 million, whichever is greater.
ICANN? More like, I CAN’T
The impact of the GDPR means that if domain name registrars continue to make information about the registered owners of domain names available (as they have done in the past), they will be in breach of the GDPR where the registered owners are located in the EU.
Commencing 25 May 2018, ICANN has adopted an interim model to assist domain name registries and registrars with complying with the GDPR. Under the interim model, a third party cannot access personal data through a WHOIS search unless:
Consent – the 'registrant' (being the registered owner) has given their clear consent to the disclosure. However, we note any registrant who uses their domain name to infringe intellectual property rights or to commit cybercrimes, is unlikely to give such consent.
Legitimate purpose – the third party requesting access to the personal data has established a legitimate purpose for making the request. Under the GDPR, personal data can be processed lawfully if the processing is necessary for the legitimate interests of the controller of the data, or a third party. Legitimate purposes include where access is needed to address consumer protection issues, to investigate cybercrime and to protect intellectual property.
Direct contact with registrant – Alternatively, users can request the personal data from the domain name registrant directly, by contacting them through an anonymised email address or web form.
ICANN is still finalising its compliance policy. In the meantime, the interim policy applies broadly to protect the personal data of all individuals regardless of whether they are located in the EU. It remains to be seen whether domain name registrars will apply the interim policy in such a broad manner or only in respect of the personal data of individuals and companies in the EU.
What does this mean?
From 25 May 2018, ICANN’s interim policy applies and in many instances you will no longer be able to independently verify the identity of the registered owner of a domain name.
However, there are other ways to mitigate the risks in transactions where you need to know the identity of the registered owner.
For example, when conducting due diligence on a business, purchasers will be required to rely on information supplied by the seller as being accurate and up to date. If the domain name is an asset which you expect to acquire at completion, you should ask for a warranty from the seller that they are the registered owner of that domain name. If it later turns out that the seller is not the registered domain name owner and the warranty has been breached, you have the ability to bring a claim for damages.
Also, in relation to trade mark and passing off disputes, if you want to pursue a potential claim and need to determine the identity and contact information of the infringer, you have the following options available:
contact the registrant through an anonymised email address or online form – although they may not respond if they intend on continuing the infringing conduct.
request this information from the registry or registrar and show that you have a legitimate purpose for requesting this information.
if your request is denied by the registry/registrar, make an application for preliminary discovery against the registry or registrar. Under preliminary discovery, you may seek documents from a third party (generally the alleged infringer) to allow you to ascertain the alleged infringer’s identity and whereabouts, and to review the documents in their possession to determine whether there is a cause of action and whether there are sufficient prospects of success.
Alternatively, you could complain to search engines such as Google, Yahoo and Bing, through which the infringing websites are often disseminated. The search engines may generally be reluctant to omit the website from their search results without an order from the Court.
In our view, it is important to be able to identify the registered owner of a domain name for legitimate purposes. The impact that the GDPR has had on WHOIS searches is an example of how far-reaching new privacy laws can be. It will be interesting to see if any other jurisdictions will follow suit with similarly broad reaching privacy laws.
If you are buying a business or someone is passing off your business as their own or infringing your intellectual property rights, and you require assistance, please contact us.
Authors: Michael Cossetto, Adam Cutri and Priti Joshi