The Fate of WHOIS Under the GDPR: Privacy and Safety on the Internet

As of May 25, 2018, a new EU regulation will make the collection of data and tracking of online selling activity illegal – potentially shielding would-be counterfeiters and trademark infringers from detection in the purchase and sale of counterfeit goods.

By Anne Aikman-Scalese

Privacy advocates hail the new EU General Data Protection Regulation (GDPR) as a big step forward in the protection of personal data against misuse and abuse by commercial interests. The regulation confirms, they assert, that each natural person interacting on the worldwide web has “the right to be forgotten.” But how does our increasingly global internet-based society deal with bad actors, including criminals, in the face of these new privacy protections?

Both global and US-based businesses have been advised by their EU counsel that as of May 25, 2018, the EU General Data Protection Regulation (679/2016) will apply to all online offers of goods or services to EU-based natural persons. The law will make the collection of data and tracking of online activity illegal, except where express consent is obtained and where such consent is not “tied” to the receipt of goods or services (i.e., a ‘check the box’ form of consent is not expected to be usable). Exceptions to protect “legitimate interests” under the statute have yet to be defined and the statute applies to every website that offers goods or services into the EU.

While offers to corporate persons are exempt from this privacy regulation, businesses can expect would-be counterfeiters and trademark infringers to take advantage of the new regulation in order to avoid detection in the purchase and sale of counterfeit goods online. Moreover, domain name registrars maintain that it is impractical to implement systems that distinguish between legal and natural persons.

Present WHOIS System

The establishment of WHOIS is similar to the reasoning behind statutes that require business entities to designate an agent for service of process – that is, consumers and others should be able to know how to find the entities with which they are doing business.

Under the present Domain Name System (DNS), registries (i.e., operators of top-level domains such as ‘.com’, ‘.net’, and ‘.biz’) and registrars (i.e., sellers of domain name registrations) are obliged by their contracts with the Internet Corporation for Assigned Names and Numbers (ICANN) to maintain WHOIS information on every person or entity registering a domain name. Because of the WHOIS system, trademark holders with complaints against infringing activity occurring at a particular website have been able to contact the responsible party directly and file a UDRP or URS action, which can ultimately result in disclosure of the registrant and the transfer of an infringing domain, even if the registration itself is privacy protected.

Evolution to a New System: Registration Directory Services (RDS)

Although relied on by trademark holders both large and small, the requirements of the WHOIS system have been under scrutiny – as it has long been considered by registries and registrars to be anachronistic. Even proponents of the system have acknowledged that WHOIS information is easily forged and that as much as 40 percent of WHOIS data may be fraudulent or inaccurate. ICANN established an expert working group to study ways to protect privacy interests and preserve freedom of speech on the Internet, balancing the need for consumer protection and the public interest in promoting trust, confidence and competition. Their recommendations pointed towards a ‘need to know’ system, designed to replace the general public availability of WHOIS information. When it comes to setting new consensus policy, the new General Data Protection Regulation, appears to trump the bulk of RDS policymaking efforts thus far. Some registrars have even claimed that once the regulation goes into effect in May 2018, it will be illegal for them to collect registrant information when registering domain names, and thus illegal to perform a specific obligation set forth in their contracts with ICANN.

Effect on WHOIS: Legal Opinions

The RDS working group commissioned a legal opinion on the effect of the General Data Protection Regulation on its work. ICANN corporate management also sought outside legal counsel as to the effect of the regulation on its operations and contracts with registries and registrars. These opinions are consistent in advising that ICANN, as well as the registries and registrars, are at least ‘joint data controllers’ or ‘data processors’ under the new regulation. Thus, these entities are currently working through various models which will permit them to comply with the regulation by May 2018. Some have opined that these efforts have come too late to avoid a crisis in the security and stability of the Internet. Others maintain that interim solutions are available, as long as all the players work together towards a resolution that satisfies the competing interests.

In the interim, ICANN’s compliance department has announced the following suspension of enforcement of the contractual obligation:

“*During this period of uncertainty… ICANN Contractual Compliance will defer taking action against any registry or registrar for noncompliance with contractual obligations related to the handling of registration data.*” ICANN’s Business and IP Constituencies objected to the broad scope of the compliance statement and the modification of WHOIS policy without involving the ICANN community. Their positions underlined the fact that ICANN already has a policy regarding the procedure for handling WHOIS conflicts with privacy law.

Government Advisory Committee Views

The ICANN Government Advisory Committee (GAC) formally advised the ICANN board at the Autumn 2017 meeting in Abu Dhabi that the maintenance of an information system which enables the enforcement of IP rights and consumer protection mechanisms is critical to the stable and secure operation of the DNS. The GAC advised the board to take immediate and transparent steps with the European Commission in order to come into compliance with the regulation while meeting the public policy goals of consumer protection and IP enforcement.

Article 40 Code of Conduct: a Possible Way Forward

As a possible solution, various trade associations are working with the European Commission to develop data models and codes of conduct pursuant to Article 40 of the General Data Protection Regulation.

ICANN received further legal advice regarding the WHOIS system and the new GDPR affirming the notion that enforcement of IP rights may be a “legitimate interest” for collecting data under the GDPR. Though there are various models being put forward for a revised system, no one is certain as to whether any of these models will be compliant with the new GDPR.

There is general agreement that the present WHOIS system does not comply with the privacy law of certain EU member states and certainly will not comply regarding natural persons when the General Data Protection Regulation comes into effect. It is clear that if no resolution to the issues is found in time for the May 25, 2018 effective date, the entire WHOIS system – as well as rights-enforcement mechanisms such as the UDRP and URS – could enter a dark period where registrant e-mails become unavailable for purposes of enforcing IP rights. Accordingly, trademark holders experiencing infringement of their marks on the Internet should consult expert IP counsel regarding alternative options for enforcement.

For more information, contact Anne Aikman-Scalese at