The European Union’s General Data Protection Regulation (GDPR), which was adopted in 2016 and became enforceable on May 25, 2018, is creating significant new challenges to the already complex and difficult process of online trademark enforcement.
The GDPR was enacted to protect personally identifiable information of individuals within the EU (called “data subjects”) and applies to all enterprises doing business in the EU, regardless of geographic location. Such enterprises must adopt certain data protection measures and procedures to be in compliance with the GDPR and ensure that all personally identifiable information of data subjects is not publicly disclosed without the explicit consent of the relevant data subjects. The costs of compliance may be significant for many businesses. Unauthorized disclosures and data breaches can result in fines of up to 20,000,000 Euros or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
The potential stiff penalties for non-compliance have caused many domain name registrars to cease publishing the names, addresses, and contact information for individual domain name registrants in the WHOIS database, the publicly accessible database where such information has been readily available since the early days of the Internet. Trademark owners have heavily relied on the WHOIS database as an essential means for collecting information regarding the identities of domain name registrants that may be committing trademark infringement. The Internet Corporation for Assigned Names and Numbers (ICANN), which oversees the WHOIS database, was supposed to devise a means by which the WHOIS database would be GDPR-compliant, but registrant information could still be accessed by trademark owners and law enforcement. However, ICANN failed to devise a workable solution in advance of the May 25, 2018 GDPR enforcement deadline. As a result, for at least the next several months, if not longer, WHOIS data will be fragmented with individual registrant data being unavailable for a great many domain names registered after May 25, 2018.
The ensuing registrant data blackout will undoubtedly have a negative impact on trademark enforcement programs and strategy, since it will become significantly more difficult to ascertain the identities of domain name registrants. It is unclear if direct appeals to the domain name registrars to divulge registrant identities and contact information will yield positive results. If not, it may be necessary, at least in some cases, to commence legal proceedings and issue a subpoena to a registrar just to learn the identity of a domain name registrant, which will be quite costly and time consuming. This will likely cause trademark owners to be even more selective in enforcement actions depending upon the seriousness of the infringing activity associated with a domain name. Let’s hope that ICANN gets back on track and develops a GDPR-compliant WHOIS data model that will also enable trademark owners to have access to this important information needed for an effective trademark enforcement program.