Since it took effect on 25 May 2018 across the entire European Union, the General Data Protection Regulation has sent shockwaves through countless internet infrastructure industries. US-based organisation ICANN has been caught in the crossfire. The enforcement of these new data privacy provisions could significantly affect its WHOIS service and, in turn, the way IP due diligence is conducted. Law Graduate Phoebe St John reports.
By enforcing compliance with strict data privacy and governance frameworks, the General Data Protection Regulation (GDPR) aims to protect all individuals located in the EU from privacy and data breaches by the companies that process and hold their personal data. Caught in this shake-up of data protection laws is the Internet Corporation for Assigned Names and Numbers (ICANN), a US-based, non-profit organisation responsible for administering a large portion of domain names.
ICANN manages the WHOIS internet domain directory, which makes the administrative and technical contact details of those who have registered certain internet domains searchable to the public. By virtue of collecting the personal data (eg, a registrant's name, email and telephone number) of individuals located in the EU, ICANN falls within the scope of the GDPR. This means public domain registration data relating to a natural person is no longer available on WHOIS.
Initially, ICANN showed no indication of abandoning its procedures to comply with the GDPR. Yet following pressure from IP specialists, cyber experts, industry and government officials alike, ICANN dramatically accelerated processes to bring WHOIS into compliance before the 25 May 2018 deadline. However, as it stands today, its various draft proposals are yet to be implemented, and many of its contracting registry operators no longer collect WHOIS information for fear of breaching the GDPR. This leaves WHOIS with a fragmented approach to data availability, and no clear path ahead.
The inability to confirm the registrant details of a large number of .com domain names worldwide presents two primary challenges.
Firstly, it can significantly limit the ability of a rights holder to discover the identity of individuals operating infringing websites. The non-disclosure of domain name registrant information presents a challenge for those seeking to chase down sources of counterfeit goods.
Secondly, parties undertaking due diligence during sale of business transactions are likely to encounter difficulties. Domain names are regarded as an important category of IP rights for businesses. The WHOIS directory is relied upon by many IP and cybersecurity professionals for the legitimate retrieval of domain name ownership information. This is critical to ensure infringement is avoided, assets are verified, registrants are accurately identified and domain names are registered by the appropriate entity.
When contact information is removed for all registrants from WHOIS, the ability to confirm registrant information for (or inquire into) a domain name, to enforce legal remedies against cybersquatters, or to investigate security breaches and other domain name misuses is jeopardised.
Compliance with the GDPR would likely mean that certain categories of personal data would not be available via the WHOIS directory (particularly where ICANN does not obtain consent to disclose it), with the result that such data would be unavailable for legitimate purposes such as due diligence. By attempting to balance its own data-governance practices and the GDPR, ICANN could risk either significantly limiting the utility of WHOIS searches, or facing steep multi-million euro penalties for failing to comply with the GDPR. Until such balance is struck, the IP community waits with bated breath.