WHOIS, a protocol used to query databases for domain name ownership information, will likely be widely unavailable while the Internet Corporation for Assigned Names and Numbers (ICANN) works on adopting an interim model that will allow domain name registrars to comply with privacy obligations while still preserving as much WHOIS data as possible.
The General Data Protection Regulation (GDPR), enacted by the EU Parliament in April 2016 and scheduled to go into effect May 25, 2018, implements sweeping privacy rules that focus on the collection and processing of personal data of European Union citizens. Unlike the earlier Data Protection Directive the GDPR is intended to replace, the new privacy rules have worldwide effects, requiring entities around the world that either operate or conduct business in the EU, or monitor behavior of EU individuals, to comply with strict measures with regard to the collection, use, storage and transfer of personal data – broadly defined as “any information relating to an identified or identifiable natural person.” GDPR Art. 4.
ICANN has agreements with thousands of domain registrars around the globe, such as GoDaddy or HostGator, which oblige registrars to post domain name ownership data, such as names, emails, and phone numbers, to be made available through WHOIS (that said, domain name owners are able to “mask” their information for a fee by engaging a privacy protection service). This is in direct conflict with the GDPR, which prohibits companies from publishing information that identifies individuals. As a result, ICANN’s agreements with registrars about WHOIS data will no longer be enforceable as to EU individuals. Some registrars, such as GoDaddy, have already decided to limit the availability of their customers’ information through WHOIS, and others are expected to follow suit.
While the GDPR measures are intended to protect consumers’ data, limiting the functionality of WHOIS will likely have significant unintended consequences, as IP owners and law enforcement rely on the WHOIS directory system to identify domain holders and enforce rights against illegal website content or bad faith domain name registration and use. Moreover, the rules will likely make it even easier for counterfeiters and other intellectual property infringers to hide behind a cloak of anonymity in the name of privacy. Finally, a WHOIS blackout will likely impact the effectiveness of Uniform Domain Name Dispute Resolution Policy (UDRP) and Uniform Rapid Suspension (URS) proceedings, both of which are low-cost alternatives to federal court actions for recovering infringing domain names, as IP owner complainants are required to name the domain name registrant and provide the registrant an opportunity to respond. If there is no way for IP owners to contact the domain name registrant and notify him or her of the complaint, it is unclear whether the administrative tribunal (e.g., the National Arbitration Forum or WIPO) would allow the proceeding to move forward.
While an effort is being made by ICANN and the U.S. government to delay enforcement of the shielding of WHOIS information until a solution is reached that will allow IP owners continued access to the WHOIS directory system, it is doubtful that any delay will be granted. Accordingly, we encourage clients to prioritize any outstanding domain name enforcement issues and retain records of WHOIS data before May 25th. If need be, there are alternative routes to tracking down the individual or entity responsible for an infringing domain name (e.g., contacting the registrar, use of IP addresses). Please contact Jim Bikoff and Holly Lance of SGR’s Internet Law group with questions and for assistance.