September 15, 2019
Brian Winterfeldt, Griffin Barnett, Jennifer Gore

License to Ill: The Consequences of the GDPR on Online Due Diligence and Intellectual Property Enforcement


In 2016, the European Union passed the General Data Protection Regulation (“GDPR”), and the regulation entered into force on May 25, 2018. Although this regulation contains many of the same principles and cost. This article provides an overview of the GDPR and its impact on the WHOIS system of domain name registration data, the resulting challenges for online due diligence and intellectual property enforcement, lessons learned since GDPR took effect and public information in WHOIS was significantly reduced, and best practices and strategies for intellectual property owners to employ as part of their online due diligence and enforcement programs in the post-GDPR world.

Overview of the GDPR

The EU General Data Protection Regulation (GDPR), passed in 2016, replaces the EU Data Protection Directive 95/46/EC and EU member state legislation based on the Data Protection Directive. The GDPR is a broad framework designed to protect EU citizens’ privacy, and to level the playing field for businesses by harmonizing data protection and privacy rules across the European Union. Because most providers of goods or services collect data of some type, the GDPR contains strict requirements for those who control personal data (“data controllers”) and those who actually process or publish the data (“data processors”).[1] The GDPR provides for potentially severe sanctions for violations: up to 20 million euros or 4 percent of the total annual revenue of the sanctioned entity.[2] Importantly, the GDPR applies not only to those established within the European Union that control or process data, but also to parties located outside of the European Union that provide goods or services to data subjects located within the European Union, or that monitor the behavior of data subjects located within the European Union.[3]

Under GDPR, personal data may only be processed for certain legitimate and specified purposes. The data controller is responsible for explaining the purpose behind its data processing, and must inform the “data subjects” of such purpose before processing.[4] GDPR provides that personal data processing must be limited to what is necessary in relation to the purposes for which the data are processed (a concept known as “data minimization”). Data processing must also be based on one of the specific legal grounds set forth in GDPR. As applied to domain registration data, the three separate grounds under which processing would be permissible are: (1) consent of the data subject (GDPR, art. 6.1(a)); (2) a necessity to process such data for the performance of a contract (GDPR, art. 6.1(b)); and (3) a legitimate interest of the data controller or a third party (GDPR, art. 6.1(f)).

Registration Data Directory Service

The Internet Corporation for Assigned Names and Numbers (ICANN) accredits domain name registry operators and registrars, and through its contracts with these entities, sets forth the rules and requirements for the provision of domain name registrations to members of the public. Under existing accreditation contracts, ICANN requires domain name registrars and registry operators to collect and publish certain specified domain name registration information in a publicly accessible online database known as the “Registration Data Directory Service” (“RDDS”) (or more colloquially as the “WHOIS” database, because, at least historically, it informs users “who is” the registrant of a particular domain name).

Historically, WHOIS provided transparency and facilitated a number of key activities, including online due diligence and protecting Internet users from harm through intellectual property enforcement, cyber security, and law enforcement efforts. Importantly, WHOIS has been an essential tool to help identify parties responsible for domain name registrations and associated online resources such as website content or email addresses who are engaging in abusive or malicious conduct online, including infringement, sales of counterfeit goods, phishing, distribution of malware, and fraud. It has also historically served as an important resource for conducting due diligence, particularly in the context of preparing an intellectual property licensing deal, or more general corporate merger and acquisition research, hiring due diligence, or other types of due diligence. Much like the articles of incorporation for a traditional business, the WHOIS system ensured that all sites have at least one “designated agent” to ensure proper “chain of title,” to name and contact the appropriate party in a dispute or legal proceeding regarding a domain name or its use, or to identify the ownership of an online asset or resource.

In response to the GDPR, ICANN imposed drastic changes to the WHOIS system to ensure adequate legal compliance with respect to data processing, but at the expense of continued transparency and accountability. Under hastily imposed new rules, critical registration data including the domain name registrant’s name, street address, city, and email address have been redacted globally in an attempt to enable ICANN, registry operators, and registrars to comply with the GDPR. The only remaining public information about domain name registrants is their organization affiliation (if any—this field is supplied voluntarily by the registrant), state/province, and country. In addition, registrars are supposed to supply an anonymized email address or a link to a web form through which the registrant can be contacted. Many registries and registrars, however, are failing to provide even the ICANN-mandated minimum data set, with minimal intervention from ICANN itself to correct this pervasive problem.

In addition to significant reductions in public information, access to non-public data (which must still be collected and stored by registrars, but not published) has become unpredictable and fragmented. Current ICANN rules merely require that registrars provide “reasonable disclosure” of non-public data to third parties on the basis of legitimate interests pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the registrant (tracking the “balancing test” language from GDPR Article 6.1(f)). However, there is little additional guidance or criteria for what constitutes “reasonable” disclosure or a “legitimate interest,” nor for how or in what manner the balancing test should be applied and requests for access granted or denied (and subject to what level of scrutiny and issuance of any rationale for any such decision). Current ICANN policy[5] provides the following basic guidelines for disclosure requests:

Requests must provide the following information:

• Identification of and information about the requestor (including the nature/type of business entity or individual, and Power of Attorney statements, where applicable and relevant);

• Information about the legal rights of the requestor and specific rationale and/or justification for the request (e.g., What is the basis or reason for the request? Why is it necessary for the requestor to ask for this data?);

• Affirmation that the request is being made in good faith;

• A list of data elements requested by the requestor and why this data is limited to the need;

• Agreement to process lawfully any data received in response to the request.

Registrars and registries must reasonably consider and accommodate requests for lawful disclosure subject to the following criteria:

• Response time for acknowledging receipt of a Reasonable Request for Lawful Disclosure: without undue delay, but not more than two (2) business days from receipt, unless shown circumstances do not make this possible.

• Requirements for what information responses should include: responses where disclosure of data (in whole or in part) has been denied should include rationale sufficient for the requestor to understand the reasons for the decision, including, for example, an analysis and explanation of how the balancing test was applied (if applicable).

• Logs of Requests, Acknowledgements, and Responses should be maintained in accordance with standard business recordation practices so that they are available to be produced as needed, including, but not limited to, for audit purposes by ICANN Compliance;

• Response time for a response to the requestor will occur without undue delay, but within a maximum of 30 days unless there are exceptional circumstances. Such circumstances may include the overall number of requests received. The contracted parties will report the number of requests received to ICANN on a regular basis so that the reasonableness can be assessed.

• A separate timeline of [less than X business days] will be considered for the response to ‘Urgent’ Reasonable Disclosure Requests, those Requests for which evidence is supplied to show an immediate need for disclosure [time frame to be finalized and criteria set for Urgent requests during implementation].

Although efforts are underway to develop a more robust and harmonized “unified access model,” such efforts could take years to finalize and implement, meaning the current status quo will likely remain in effect for the foreseeable future.

Challenges for Due Diligence and Intellectual Property Rights Enforcement

These substantial changes to the WHOIS system have inevitably led to significant obstacles to due diligence activities and online intellectual property rights enforcement. The only way now to identify the registrant is through the voluntary registrant organization field, which is merely optional and therefore often unavailable. While state and country should remain available (despite non-compliance in many instances, as noted above), mailing and actual email addresses as well as fax and phone numbers are not. Although the new ICANN rules require registrars to provide either a web form or an anonymized email address, these alternative means of email contact do not provide the same level of certainty that email communications actually reach the registrant (for instance, they may not provide an automated delivery failure response). The lack of registrant name or email address also effectively prevents parties from performing a “reverse WHOIS” search to identify the full portfolio of domain names associated with the same registrant, whether to establish a party’s full portfolio of domain name assets or to establish patterns of bad-faith conduct in the context of an infringement investigation.

In an IP licensing scenario, it is often useful for a prospective licensor to conduct general due diligence on the prospective licensee, including evaluating its assets, including online assets such as domain names, websites, email addresses, and other aspects of the business that may help to identify key aspects of a licensing deal such as customer base, supply and distribution channels, and customer service and quality control practices. Once a license is executed, it is also useful for conducting compliance audits to ensure proper usage of any licensed material, and ensuring any licensee activity remains within the scope of the license. If at some point the license terminates, it is also often necessary to ensure that the terminated licensee has complied with the conditions of termination, which may include cancellation or transfer of domain names reflecting a licensed trademark or websites containing licensed trademarks or copyrighted content. In a similar vein, a prospective licensee may wish to conduct similar research into a prospective licensor, to establish key facts about the licensor’s ownership and use of its IP assets, including through its websites, domain portfolio, and any other online resources. Such parties might want to conduct research into the management and employees of the other party, to clear potential concerns. For instance, is a company’s CEO operating a personal website that raises morality concerns, political views, or other issues that you may not wish to be associated with? These types of reviews would often be facilitated, at least in part, through WHOIS database research, which has been significantly hamstrung as a result of GDPR compliance efforts.

In a similar vein, stopping bad actors online has become increasingly difficult since the WHOIS blackout. The current registration data environment has led to many impediments across all anti-abuse efforts. Miscreants engaging in counterfeiting, piracy, phishing, fraud, and distribution of malware, among other abuses, are able to carry on longer, and are generally harder to take down at all. Large networks and other patterns of abusive domain names and websites are harder to detect or combat in a comprehensive fashion. Enforcement costs to intellectual property owners have increased, and more consumers are being harmed.

Even if there are grounds for enforcement, an intellectual property owner often has no ability to identify a proper point of contact to notify the registrant of the brand owner’s concerns and potentially resolve the issue amicably. A brand owner must now ask the registrar to disclose non-public information, or submit a cease-and-desist letter or similar communication through an online web form (which may have insufficient word limits or no ability to attach supporting materials) or an anonymized email address (which may not actually reach the registrant). As a result, there is a greater incentive for brand owners to proceed directly to filing domain name disputes under mechanisms like the Uniform Domain Name Dispute Resolution Policy (UDRP) or to proceed to litigation, especially where the registry operator or registrar is unresponsive or refuses to disclose the relevant contact information.

The lack of available public WHOIS data has made the domain arbitration process more onerous as well. Brand owners cannot develop a comprehensive case against a registrant—including whether the registrant has other or prior infringements or indicators of bad-faith registration and use of a domain name—without knowing the registrant’s identity. In some cases, the dispute resolution provider can obtain the full registration data from the registry operator or registrar and convey it to the complainant, who can then develop an amended complaint using the full data. However, this is not always the case, and even where the data is provided, it adds further time and expense in preparing the amended complaint. Similarly, in litigation, plaintiffs must spend substantial time and expense seeking subpoenas to reveal the proper defendant(s) to name, and amend complaints filed against “John Doe” defendants to name the proper registrant.

Due Diligence and IPR Enforcement

Despite the current landscape, investigators and intellectual property owners retain a number of key tools and strategies to conduct due diligence and investigate and address online infringement, beyond scattershot registration data disclosure requests.

Direct Business-to-Business Data Disclosure

In a corporate or IP licensing due diligence context, where conducting anonymous due diligence is not needed or is a lower priority, parties can still rely on direct business-to-business disclosure of potentially relevant information, along the lines of litigation discovery requests. This might include direct disclosure of all relevant domain or other online assets and their transactional histories. In such cases, parties would likely wish to enter into non-disclosure agreements to prevent any further disclosure or use of potentially sensitive or confidential information that may be provided in the course of such direct due diligence. In an IP enforcement context, it is often worthwhile to at least request from an infringing domain name registrant information regarding whether they own any other similar domain names or assets that should be subject to a domain name transfer agreement or other similar settlement.

Archived WHOIS Data

Robust archived WHOIS data remains available from the not-so-distant past when it was still predominantly published online. However, access to archived WHOIS data usually comes with subscription fees from the service providers who originally archived it. Most practitioners will tell you that any modest price paid is well worth it when performing necessary corporate or IP licensing due diligence, chain of title research in an acquisition scenario, and in IP infringement scenarios where historical data may be relevant (i.e., where the current registrant has remained the same as identified in historical data). Of course, such archived data cannot always be relied on to remain accurate over time, and publication of even such historical data may ultimately be found to violate the GDPR (at least where the source of the data or the data subject has a jurisdictional nexus to the European Union).

Website Contacts

While very few fraudsters include legitimate point of contact information within their website content, it is still worth trying to identify any points of contact available on any websites under investigation. When dealing with a legitimate business in a licensing context, however, this avenue of investigation often remains useful.

“John Doe” Cease and Desist Letters

In an enforcement context, even where a domain name registrant’s identity cannot be confirmed through available WHOIS data or on the website itself, it may still be possible to send an anonymous cease and desist letter using an available anonymized registrant email address or online web form. If an anonymized registrant email address or web form is not being provided by the registrar, this is a violation of ICANN requirements and should be reported to the ICANN contractual compliance department. In many cases, registrars are simply replacing the original WHOIS data with proxy service provider information, including a proxy service email address—this can also be used in a similar manner to direct a cease and desist letter toward the domain name registrant.

Notice and Take Down Letters to Web Hosts

In an enforcement context, the optimal way to address problematic online content (e.g., a website that inappropriately uses trademarks or unlicensed content) remains through the website hosting provider. Fortunately, web hosts can still be easily identified through the Internet Protocol addresses (IP addresses) associated with each domain name and website. Free web host lookup tools are available online, or the lookup can be performed with the nslookup command from a computer’s command prompt. Once the web host has been identified, reports of infringement or abuse can be filed with its abuse point of contact or other appropriate complaint contact (e.g., if the issue relates to copyright infringement, and the web host is subject to US law, you should be able to identify a Digital Millennium Copyright Act [DMCA] contact). It also remains possible to correlate individual domain names within unsophisticated illegal networks of websites in the event that they all use the same web hosts (or other ISPs) and IP addresses.
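The IP-based correlation described above can be scripted so that a batch of domain names under investigation is resolved once and grouped by shared hosting address, which tells an enforcement team which domains can go into a single abuse report to the same host. The following script is an added example written for this article, not a tool from the authors or from ICANN. To keep it runnable offline it uses a constructed resolver table with reserved ".example" names and RFC 5737 documentation addresses; the live_resolve function, which calls the operating system resolver, is the drop-in replacement for real investigations.

```python
import socket
from collections import defaultdict
from typing import Callable, Dict, Iterable, List

# Constructed sample A records standing in for live DNS (assumption: none of
# these names or addresses are real sites; ".example" is a reserved TLD and
# 192.0.2.0/24 and 198.51.100.0/24 are documentation-only ranges).
SAMPLE_A_RECORDS: Dict[str, List[str]] = {
    "brand-outlet-deals.example": ["192.0.2.10"],
    "brand-outlet-sale.example": ["192.0.2.10"],
    "cheap-brand-store.example": ["192.0.2.10", "192.0.2.11"],
    "unrelated-blog.example": ["198.51.100.7"],
    "stale-parked.example": [],  # no A record: the domain does not resolve
}


def sample_resolve(domain: str) -> List[str]:
    """Offline resolver: returns the constructed A records for a domain."""
    return SAMPLE_A_RECORDS.get(domain, [])


def live_resolve(domain: str) -> List[str]:
    """Real resolver (not used by the offline demo): A records via the OS
    resolver, the same answer an nslookup at the command prompt would give."""
    try:
        _host, _aliases, addrs = socket.gethostbyname_ex(domain)
        return addrs
    except socket.gaierror:
        return []


def cluster_by_ip(
    domains: Iterable[str],
    resolve: Callable[[str], List[str]] = sample_resolve,
) -> Dict[str, List[str]]:
    """Map each IP address to the sorted investigated domains hosted on it.
    Domains that do not resolve contribute nothing here; see unresolved()."""
    clusters: Dict[str, set] = defaultdict(set)
    for domain in domains:
        for ip in resolve(domain):
            clusters[ip].add(domain)
    return {ip: sorted(names) for ip, names in clusters.items()}


def shared_hosting(clusters: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Keep only addresses serving two or more investigated domains: these are
    candidates for one consolidated abuse report to the hosting provider."""
    return {ip: names for ip, names in clusters.items() if len(names) > 1}


def unresolved(
    domains: Iterable[str],
    resolve: Callable[[str], List[str]] = sample_resolve,
) -> List[str]:
    """Domains with no A record; they need a separate check (parked, expired,
    or served only over a different record type) before any takedown notice."""
    return sorted(d for d in domains if not resolve(d))


if __name__ == "__main__":
    targets = list(SAMPLE_A_RECORDS)
    clusters = cluster_by_ip(targets)
    for ip, names in sorted(shared_hosting(clusters).items()):
        print(f"{ip}: {', '.join(names)}")
    print("did not resolve:", unresolved(targets))
```

Two caveats apply when reading the output. A shared IP address shows shared hosting, not common control: shared hosts and content delivery networks place many unrelated sites behind one address, so the grouping supports a consolidated notice to the host but is not by itself the "credible evidence of co-ownership or common control" that a consolidated dispute filing requires. And the script stops at the IP address; identifying the hosting provider and its abuse or DMCA contact from that address is a separate lookup of the IP address's registration record, which is not automated here.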

Registration Authority Abuse Points of Contact

All domain name registration authorities (including both registrars and registry operators) have a contractual obligation to publish an abuse point of contact, and registrars are required to “take reasonable and prompt steps to investigate and respond appropriately to any reports of abuse.” This language should be cited in any take down demand or demand for registration authorities to reveal non-public WHOIS data. Despite pervasive industry recalcitrance and a laissez-faire compliance attitude with respect to this language over the past several years, this contractual provision is undoubtedly more important than ever without access to key WHOIS data. Again, this avenue primarily remains useful in an IP enforcement context.

Arbitral Domain Name Disputes

Domain name registrars also have a contractual obligation to provide dispute resolution service providers with full registration data once a complaint has been filed under ICANN domain name dispute resolution mechanisms (e.g., the UDRP). It would not be surprising to see such complaint filings increase exponentially (particularly complaints against numerous domain names in bulk) in order to reveal underlying non-public WHOIS data. The caveat is that a single complaint against multiple respondents is only proper where some credible evidence of co-ownership or common control exists. Nevertheless, initiation of lower cost proceedings, like the “UDRP light” proceeding known as the Uniform Rapid Suspension System (URS), could prove more useful than ever as an alternative means of revealing underlying domain name registration data, even if they cannot ultimately proceed on the merits against all named domains.

Litigation

Obviously, litigation remains the weapon of last resort in the context of IP enforcement and, in extreme cases, in efforts to secure critical information to inform a potentially hostile transaction. Through subpoenas, discovery, and court orders, it generally remains possible to secure needed information or other remedies from a court of competent jurisdiction over an infringer, hostile acquisition target, or an online intermediary who possesses needed data or can take action to address an infringement (such as suspension or termination of domain name registration or web hosting services).

While helpful, these tools simply do not, and cannot, get the job done as effectively as under the prior WHOIS regime when it comes to domain-related due diligence and intellectual property enforcement online. Thus, every effort should be made by parties who rely on such data to pressure ICANN to quickly develop and implement a unified access model and improve its compliance program around mandatory public data, and to support efforts outside ICANN to carve out the WHOIS system from GDPR given its importance as a key tool for law enforcement, cyber-security, consumer protection, and commercial interests in service of the global public interest.


1.   More specifically, a data “controller” is a person or legal entity that determines the purposes and means of the processing of personal data. A data “processor” is a person or legal entity that processes personal data on behalf of the controller. “Processing” in this context refers to “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” See GDPR, art. 4 (Definitions). Under the GDPR, “personal data” is “any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data…. Personal data that has been rendered anonymous in such a way that the individual is not or no longer identifiable is no longer considered personal data. For data to be truly anonymized, the anonymization must be irreversible.” See id.

2.   See GDPR, art. 83.

3.   See GDPR, art. 3.

4.   See GDPR, art. 5.

5.   See ICANN, Board Resolution re GNSO Expedited Policy Development Process on gTLD Registration Data (May 15, 2019), available at https://www.icann.org/resources/board-material/resolutions-2019-05-15-en#1.b; ICANN, Scorecard: EPDP Phase 1 Recommendations (May 15, https://www.icann.org/en/system/files/files/epdpscorecard-15may19-en.pdf; ICANN, EPDP Phase 1 Final Report and Recommendations (Feb. 20, 2019), available at https://gnso.icann.org/sites/default/files/file/field-file-attach/epdp-gtld-registration-data-specs-final

Copyright © 2019 CCH Incorporated. All Rights Reserved. Reprinted from The Licensing Journal, September 2019, Volume 39, Number 8, pages 1–6, with permission from Wolters Kluwer, New York, NY, 1-800-638-8437, www.WoltersKluwerLR.com