GDPR: a threat to global online brand protection?

The EU General Data Protection Regulation (GDPR) has received an unprecedented amount of attention over the course of the last two years. The GDPR, which will come into effect on May 25, intends to harmonise and strengthen the protection of personal data within the EU and respond to new trends in today’s digital society, such as big data analytics, data mining and profiling.

Although these objectives can be supported—especially in the wake of the recent Cambridge Analytica and Facebook data scandal—it is important to balance this with legitimate public interests in order not to let the data protection pendulum swing too far in the other direction. However, uncertainties regarding the GDPR’s concrete application and the threat of significant fines seem to have had just that effect, with potential far-reaching consequences for IP owners as a result.

The best example of this is the recent confrontation between the GDPR and the registration directory services connected to domain names. These directory services, also known as Whois, are coordinated by the Internet Corporation for Assigned Names and Numbers (ICANN), which is responsible for administering the internet’s domain name system.

The Whois system contains information on registered domain names, including the identity and contact information of domain name registrants. Currently, Whois information is publicly available to all internet users, meaning that everyone can inquire what person or organisation is the holder of a certain domain name within a generic top-level domain (TLD) and what their contact information is.

Expedient access to accurate Whois information is of vital importance to IP owners in their continuous battle against online infringers. The information is used to identify owners of websites which are hosting illegal content or selling counterfeit products. In order to address cybersquatting or other abusive domain name registrations, trademark owners depend on Whois data to identify the malignant registrant and take appropriate action.

Identification information is also necessary to address the correct respondent in administrative proceedings. For example, in local anti-cybersquatting proceedings Whois information is used to determine who has jurisdiction and what law is applicable. Before proceedings are initiated, the contact information is also necessary if there is to be an expedient option to settle the dispute amicably, negotiate an agreement or send a cease-and-desist letter.

Adapting Whois to GDPR standards

Although public access to Whois information is of vital importance to IP owners and a number of other legitimate actors, such as law enforcement, consumer protection agencies and online businesses, ICANN is currently looking to reform Whois, restricting public access in an effort to comply with the principles of the GDPR.