With the General Data Protection Regulation (GDPR) having taken effect across the EU on 25 May 2018, this has meant a big change to the availability of WHOIS data (ie data recording – among other things – the persons who own domain names). See an earlier DLA Piper article published last month on this topic here.
Temporary arrangements are now in place so that the WHOIS system is still (in a much restricted form) available. This is as a result of the Temporary Specification for gTLD Registration Data (“Temporary Specification”) which came into effect on 25 May 2018 and applies to operators of gTLD registries and ICANN-accredited Registrars such as the likes of GoDaddy. However, as can be seen from the information below, the critical information for those bringing domain name disputes, namely registrant contact information, is no longer publicly available and as things stand currently there is no uniform way of obtaining access to it.
In addition, last week:
- WIPO published a Q&A to help clarify the impact of the GDPR on the Uniform Domain Name Resolution Policy (UDRP- the dispute resolution policy for gTLD domain names such as .com domain names) (see here).
- ICANN has published a model for access to full WHOIS data (see here), with requests for input on the proposal.
Set out below is a short summary of questions and answers to help explain these latest developments.
- Is the WHOIS system still available for gTLDs?
Yes – as a result of The Temporary Specification for gTLD Registration Data (“Temporary Specification” – available here; also see here for the detailed advisory statement), which came into effect on 25 May 2018. This means that you can still obtain “thin” WHOIS data (i.e. technical data about the sponsoring Registrar, status of the registration, creation date and expiration date of the domain), but the public data no longer contains personal data such as registrant contact details i.e. “thick” WHOIS data unless consent has been provided by the registrant.
Note – the Temporary Specification does not require a different approach to data relating to legal and natural persons. This means the data which has been rendered inaccessible goes beyond personal data falling within the scope of GDPR. However, differentiating between the two has been flagged as one of the “Important Issues for Further Community Action” (see para. 5 of the Annex to the Temporary Specification – “Important Issues Annex“).
- How do I get access to registrant contact info i.e. “thick” WHOIS data?
Rights holders who bring domain name disputes (or take other action in relation to online infringement of their IP) should be able to argue they are third parties with a legitimate and proportionate interest in the non-public data; the Temporary Specification states that for such parties “there are still ways for you to access that data” (see ICANN’s advisory statement on the Temporary Specification here).
It suggests contacting the sponsoring Registrar, who is “obligated to respond to you in a reasonable time.” (Details of the sponsoring Registrar can be obtained by running a WHOIS search and considering the thin WHOIS data.) ICANN advises that if you do not get a response, ICANN will have a complaint mechanism available (it is not entirely clear but we suggest trying email@example.com and/or https://survey.clicktools.com/app/survey/response.jsp) and if individual parties are not complying with their obligations under the Temporary Specification or their agreements with ICANN, a complaint can be filed to ICANN’s Contractual Compliance Department. (Here is a link to the webpage: http://www.icann.org/compliance, and their email address is firstname.lastname@example.org.)
- Is there a way for me to contact registrants without accessing “thick” data?
Yes – it is not as easy as before, because contact information is no longer publicly available. However, Registrars are required to provide an anonymised email address or web-based contact form to enable you to contact registrants. Requests can also be made to registrars for registrant information (see 2 above).
- Can I still file a UDRP complaint without knowing who the registrant is?
Yes: UDRP complaints will be accepted without the registrant details – they should just include all publicly available information that is available in the WHOIS database, even if this is just “name redacted”, for example.
See Appendix E of the Temporary Specification and WIPO’s latest informal Q&A guidance – on the GDPR as it relates to the UDRP.
- Will UDRP Complainants get access to registrant data once a complaint has been submitted? What impact might this have?
Yes, under the Temporary Specification (Appendix E), Registrars must provide this information to the UDRP provider once notified of a complaint.
WIPO can enable Complainants to amend their case, as was already the case where privacy services are used to hide registrant details by registrants. It is possible that if the matter settles once the registrant’s details are known (eg because the complainant then realises the registration was not abusive after all) the WIPO panel fee can be avoided because it is only payable once a panel is appointed (see the WIPO Q&A). However, the costs of preparing what may turn out to be an unnecessary complaint will still have been incurred.
- Can prospective Complainants seek registrant contact information from WIPO?
Not currently, but the Temporary Specification raises the prospect of this information being provided to prospective complainants. (See paragraph 3 of Important Issues Annex).
- Does the Temporary Specification apply to all gTLD personal data even if the data is not covered by the GDPR?
The Temporary Specification provides for flexibility where it is “not technically feasible to limit application of the requirements to data governed by the GDPR” i.e. it may mean the data being restricted is more than what is needed to comply with the GDPR and include data of those residing/ operating outside of the EU and/or of organisations that do not offer goods or services to individuals in the EU.
- Is there a plan to provide third parties who have a legitimate interest in obtaining the data with access to full WHOIS data?
Yes – see a copy of the proposal here which was published on 18 June 2018 (“Framework Elements for Unified Access Model for Continued Access to Full WHOIS Data – For discussion”).
The proposal is for a uniform method of giving access to full “thick” WHOIS data to a defined set of user groups i.e. “authenticated users with a legitimate interest”, rather than needing to request data from registries or registrars on an individual request basis.
The categories of eligible users are still up for discussion, but these appear to fall into two groups: (1) public law enforcement/other governmental authorities; and (2) defined categories of private third parties that are bound by codes of conduct to protect personal data.
In terms of process for these user groups to gain access, options included in the current proposal include being given a token or credential from a “credential provider” or “authenticating body”.
In terms of the amount of data that would be available, options being considered include “query-based access to full WHOIS data” and query-based access to a level of data “consistent with the identified legitimate purpose”.
There is a possibility of a fee applying, but further study is said to be required.
A comparison of this draft unified access model with models submitted by ICANN’s Community is available here (more information about the Community is available here and about the Community Proposed models is available here). However, given that this is a working draft and much of it is to be determined, including in particular who falls within the defined user groups that will be granted access, at this stage, it is very much wait and see.
If you do want to have your say, ICANN is requesting feedback on the proposal (see here), which can be provided via email to email@example.com. ICANN is also encouraging people to visit its Data Protection/Privacy page for updates that it plans to publish regularly.