The looming .eu changes that threaten online brand protection

In April 2018, the European Commission adopted a controversial proposal to revise the regulatory framework applicable to the .eu top-level domain (TLD). The controversy mainly revolves around the proposed changes to the provision concerning the .eu WHOIS database. This database allows internet users to obtain information related to a specific domain name registered in the .eu TLD.

Currently, if the domain name holder is a legal entity, this information includes the name of that entity, its language of registration, and its postal and email address. If the domain name holder is a natural person, only the registration language and email address are publicly accessible. This limitation serves to protect the privacy and personal data of individuals.

The publicly available identity and contact information of domain name holders in the .eu WHOIS database is important not only to verify whether and by whom a specific .eu domain name is, or was, registered—it also serves a number of other vital legitimate interest purposes, such as for law enforcement, consumer protection and IP enforcement.

IP owners depend on WHOIS data in their continuous battle against online infringers. The information is used to identify and/or contact owners of websites who are hosting illegal content, selling counterfeit products or have otherwise engaged in abusive domain name registration.

The EU institutions now threaten to further restrict the already limited information available in the .eu WHOIS database under the pretext of better aligning its provisions with the General Data Protection Regulation (GDPR) and enhancing the protection of personal data.

Currently, article 16(2) of EU Regulation 874/2004 (.eu Regulation) reads:

“2. The WHOIS database shall contain information about the holder of a domain name that is relevant and not excessive in relation to the purpose of the database. In as far as the information is not strictly necessary in relation to the purpose of the database, and if the domain name holder is a natural person, the information that is to be made publicly available shall be subject to the unambiguous consent of the domain name holder.”

Less information

In its proposal, the Commission suggests amending this provision to:

“2. The WHOIS database shall contain relevant information, within the limits set by Regulation 2016/679. In particular, the information collected shall not be excessive in relation to the purpose of the database, about the points of contact administering the domain names under the .eu TLD and the holders of the domain names. “Where the domain name holder is a natural person, the information that is to be made publicly available shall be subject to the domain name holder’s consent within the meaning of Regulation 2016/679.”

This change would effectively result in the full redaction of all identification and contact information of domain name holders who are natural persons (rather than legal persons), unless they give their explicit consent. And even if a potential infringer would consent to publishing certain personal information when registering the domain name, the GDPR provides that this consent can be easily withdrawn at all times.

More recently, the Telecommunication Working Party within the European Council has proposed additional, even more far-reaching amendments to this provision. The Working Party’s proposal reads as follows:

“2. The WHOIS database shall contain relevant information, which is not excessive in relation to the purpose of the database, about the points of contact administering the domain names under the .eu TLD and the holders of the domain names. Where the domain name holder is a natural person such information relates to an identified or identifiable natural person, the information that is to be made publicly available shall be subject to the domain name holder’s data subject’s consent within the meaning of Regulation 2016/679.”

These amendments risk abolishing the current distinction between natural and legal persons entirely, resulting in the redaction of more (if not all) important information from the .eu WHOIS database. The current distinction on the basis of whether or not the domain name holder is a natural person has the advantage of being clear and easy to implement.

Uncertainty related to assessing whether information potentially relates to an identified or identifiable natural person entails a risk of over-compliance. Information to which the GDPR does not apply—and which is vital for purposes related to e-commerce, consumer protection, IP, etc—risks being rendered inaccessible.

These proposed amendments are now referred back to the Permanent Representatives Committee of the Council, which must first endorse them before initiating negotiations with the European Parliament. The final text resulting from these negotiations should normally be adopted before the end of the current legislative cycle, ie, April 2019. In spite of these negotiations, the likelihood of having the current language reviewed is considered rather low.

No need for change

In essence, there is no objective reason for the EU institutions to amend the current provision on the .eu WHOIS database, as this provision was, and still is, in compliance with applicable rules on data protection.