When the General Data Protection Regulation (GDPR) takes effect across the EU on 25 May 2018, large amounts of WHOIS data will no longer be publicly available. WHOIS has to date been a public register of contact information about people controlling domain names (and websites hosted at them), and so has been an important source of information about those who both own and infringe IP. Whether you own a domain name portfolio or copyright content, or are a user of domain name dispute resolution procedures, we suggest you act now to get your domain name records in order and to prioritise getting WHOIS searches done on any potential IP infringement cases on your radar.
Below is a summary of the current position, some suggestions of what to do prior to 25 May 2018 by which time the majority of WHOIS data will cease to be available and some practical tips of what to do once the GDPR is in force. (Note – it is possible that the data could cease to be available a few days before 25 May 2018 (for example, Nominet is removing the data from 22 May 2018, so don’t leave it too late to prepare!)).
Following legal advice and consultation with the EU’s Article 29 Working Party (“WP29”- the EU body responsible for providing guidance on the GDPR), ICANN (the body responsible for overseeing the domain name system) has decided that it cannot continue to allow the majority of WHOIS data to be publicly available (because of the personal data it contains) once GDPR comes into force, without consent of individuals.
ICANN and the US government have asked for a moratorium on enforcing the GDPR in relation to WHOIS (see letter of 12 April 2018), but as things stand it looks likely that most WHOIS data for ICANN-administered domains will simply be inaccessible for some weeks or months from 25 May 2018 or potentially a couple of days earlier (the exact date is unclear).
ICANN’s proposed new model:
- All registrant/admin contact/tech contact data will be deleted from the publicly available WHOIS register from 23 May 2018, save where registrants actively consent to publication (likely to be a small minority of cases).
- A new accreditation program will (at some stage) be implemented for entities that wish to have continued access to WHOIS records. However, ICANN has estimated this might not be operational until December 2018. Application would require proof of ownership of IP rights or of membership of an appropriate legal trade body (e.g. law society, the International Trade Mark Association, “INTA”), and agreement to terms regarding use of the data.
- From 23 May 2018, the public WHOIS pages should include an anonymised email address or web form from which messages can be forwarded to the registrant email address, so that even non-accredited users can contact registrants.
The response so far
WP29 has expressed concerns on various aspects of the model (and the accreditation program in particular) in a letter sent on 11 April 2018, including suggestions that access by accredited entities might need to be limited to single specific queries, which may need to be individually justified, and that reverse WHOIS searches might not be allowed.
INTA has been liaising with national privacy regulators, governments, the European Commission, and industry and is pushing for, amongst other things, a “day one” interim solution for accessing detailed WHOIS data. They want (i) WHOIS to include details for legal persons (as opposed to natural persons – currently ICANN’s proposal is to redact both); (ii) to limit the deletion of data to registrants/contracting parties with an EU Nexus (currently ICANN’s proposal is not to discriminate); and (iii) a compliance remedy against registries who fail to comply with compliant disclosure requests from accredited parties.
Country Code TLDs
Country code top level domain (“cctld”) registries (eg Nominet which operates .uk) appear likely to adopt different models from the one proposed by ICANN (ICANN’s model would apply directly only to generic top level domains such as .com). This fragmentation means it will be harder to work out the process for a cctld domain, but also that some cctld registries will be operating schemes that are more useful than the ICANN model.
It appears that for Nominet’s WHOIS, registrant data will be redacted but law enforcement will be given free access. Other interested parties will be able to request access to data via Nominet’s data disclosure policy on a one working day turnaround.
It looks as though IP lawyers/ owners will need to submit individual access requests including an indication of a legitimate interest. It seems possible that Nominet will charge for this (by way of comparison, another cctld operator has said it will charge $3 per request). Nominet has also said they may consider an accreditation scheme to grant access to their WHOIS for non-law enforcement authorities (presumably bulk as opposed to single one day turnaround request).
What to do before 25 May 2018
We recommend that IP owners consider the following as a matter of urgency:
- Conduct searches now and retain copies in order to create records of registrant details for all your own domains if you don’t have them already (businesses often find when they look that domains are held in the name of individual staff or defunct entities).
- Prioritise getting WHOIS searches done on any potential IP infringement cases on your radar well before 25 May 2018 and retain records.
- Consider seeking to lobby national governments/ EU national IP regulators and/or the European Commission, either alone or through bodies such as the UK’s ACG and INTA, to push for a day one solution so that your business is not unduly affected by the loss of access to WHOIS data.
Options to consider after 25 May 2018
In terms of obtaining further contact details once the GDPR is in force, there are still options:
- The intention is that a redacted registrant contact email will be provided so that you can still contact registrants using this address.
- In terms of identifying who is behind the registration in particular with a view to understanding their basis for the registration:
- The WHOIS results will still include the name of the “registrant organisation” entity (if that has been entered), so searches on company registers/at trade mark registries etc may assist.
- The registrant’s state/province will be published together with date of registration and some of the other technical data (e.g. name servers) which may be of assistance, for example, in helping to form a picture of a common registrant behind multiple domains.
- There are also alternative routes to tracking down the person behind a domain (e.g. reviewing any current and archived website content, using contact details on any website).
- You could ask the registrar or (if identifiable) host for contact details, but you will need to justify your request and they may not accept it.
- Looking at IP addresses may enable you to identify where a website is hosted, where they are accessing the net from, trying to see if the IP address is black listed etc.
- Consider enlisting the help of other intermediaries e.g. payment services providers.