WHO can see WHO on post GDPR WHOIS

24th September 2018

Following GDPR, the Internet Corporation for Assigned Names and Numbers (ICANN) has changed its policy and now requires domain name registries to restrict public access to Registrant (domain owner) contact information. The WHOIS database now only shows a redacted, “thin” version of previously available data pre GDPR. This has caused concern amongst brand owners seeking to enforce their rights in respect of online IP infringement.

What information is now available on WHOIS?  

On 17 May, ICANN adopted its “Temporary Specification for gTLD Registration Data” which is intended to be a temporary model for compliance with the GDPR. Under this model, certain information is still publicly available on the WHOIS database including the name of the Registrar, status of registration and the creation and expiry date of the domain name. However, for brand owners trying to contact Registrants of infringing domains, this information is not particularly helpful. It is the specific contact details of the Registrant which they need to pursue infringing domains and resolve disputes directly with domain owners.

So how do I now contact a Registrant? Is there a way to access the redacted WHOIS contact details?

 Contact Registrar

If you are a third party with a legitimate interest in gaining access to Registrant contact details you can contact the domain Registrar to request these details. Registrars are then under an obligation to respond to the request in a reasonable time. However at this stage it is unclear how much information the Registrar will release. If you do not get a satisfactory response or indeed any response, ICANN explains in its Advisory Statement that it will have a complaint mechanism available to you. If you find individual parties who you believe are not complying with their obligations under these temporary specifications or their agreements with ICANN, you may contact ICANN’s Contractual Compliance Department to file a complaint.

 Use the anonymised email provided

You can also try contacting a Registrant directly via an anonymised email provided by a domain name Registrar. However this is unlikely to prove successful as the Registrant may feel there is little risk in not responding to a cease and desist request in the knowledge that a rights holder is not aware of who the Registrant is and has limited others means of contacting them.

ICANN Unified Access Model

On 18 June 2018 ICANN released a working draft document to facilitate discussions about a possible unified approach to allow continued access to the full WHOIS data for users with a legitimate interest consistent with the GDPR. Only a defined set of users, determined by governments within the EEA would be granted access by Registrars to the full data on the basis of a legitimate interest, except where such interests are overridden by the fundamental rights and freedoms of those data subjects. According to ICANN, specific eligible user groups will include intellectual property rights holders, law enforcement authorities, operational security researchers and individual registrants. On 20 August 2018 ICANN published the Draft Framework for a Possible Unified Access Model for continued Access to WHOIS which can be viewed here; this aims to facilitate further discussions on the proposal. This Unified Access Model is set to be implemented in December 2018. Watch this space…

What about UDRP Complaints?

UDRP Complaints can still be filed and accepted without Registrant details and Registrars must provide the information to the UDRP provider once notified of a complaint (see Appendix E of the Temporary Specification).

The Future 

There are still a number of uncertainties surrounding WHOIS and access to Registrant details. We still don’t know what Registrant data will be permissible for domain name Registrars to disclose; we still don’t know how likely Registrants will be to respond to an anonymised email address and we still have a while to wait until the Unified Access Model has been implemented. Having gone from a pre-GDPR fully detailed WHOIS service to a much “thinner” service leaves us with a lot of unanswered questions. Brand owners pursuing online infringers still have ways of contacting Registrants (even before the Unified Access Model is implemented) ensuring that the end result is the same as pre-GDPR, however they may well have to be prepared for the fact that it may take a little longer to get there.

It is hoped that additional clarity will be provided by the result of the ongoing proceedings between ICANN and German Registrar, EPAG. ICANN filed injunction proceedings on 25 May against EPAG in an attempt to force it to continue collecting administrative and technical contact data for new domain name registrations. The hope was the proceedings might provide clarity as to how to maintain a global WHOIS system and still remain consistent with legal requirements under the GDPR. However ICANN lost its case for the third time in August although it is appealing this decision.

In light of all this uncertainty it seems that brand owners looking to assert their rights against online infringers are going to have to deal with a certain amount of trial and error before a more concrete plan is in place; we will be keeping a close eye on developments over the next few months.