In this blog post, we will be analysing the impact GDPR has on domain name disputes and the challenges faced by brand owners in the context of non-availability of registrant contact details due to GDPR. First, we will look at the evolution of GDPR. The GDPR was an initiative by the EU for which they formed the Article 29 Working Party to advise on issues of data protection in order to repeal the 1995 European Data Protection Directive. The key rights brought into this regulation are the right to portability and the right not to be profiled. This regulation applies primarily to enterprises. 'Personal Data' as envisaged by the GDPR means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
The essence of this regulation lies in three core domains:
- Data Governance – This is how the data controllers will exert their control and conformance over the data assets. This is to ensure that they comply with, and navigate, the GDPR, which is established through breach notification, privacy by design and vendor management.
- Data Management – This refers to how the data controllers and the processors will be efficiently handling the data processing. GDPR enables efficiency and efficacy of data management through mechanisms such as data erasure, data processing, data transfers, and establishing a Data Protection Officer (DPO).
- Data Transparency – The data subjects are entitled to certain rights such as consent to be sought regarding their data, the right to withdraw the consent at any point of time, and the right to data portability.
Now let us analyze and understand the implication of this regulation on IP laws, more specifically domain name disputes. GDPR led to the redaction of contact information of domain registrants, making investigation by trademark owners of abusive domain registrations a complex challenge. One such case study that has relevance here is the Whois domain name dispute. Obtaining the personal data of domain owners, among which some were proxies, had become a challenge. Hence, the primary purpose of Whois, which was to provide details of domain registrants, became inoperable. This was reported and INTA along with ICANN worked and formulated the NIS2 directive to address cybersecurity issues in compliance with GDPR. The NIS2 was a massive step in protecting the personal data and allowing access for legitimate use, and it also facilitated the work of Whois to a certain extent. The NIS2 has set down clear-cut and accurate requirements for registrants and brand owners looking to combat abuse, such as:
- Recital 28 – the Top-Level Domain (TLD) name registries and entities providing domain name registration services have to collect and maintain accurate and complete domain name data with due diligence as regards data which are personal,
- Recital 109 – to maintain an accurate and complete database of the Whois data and to provide lawful access, with security, stability, and resilience of the domain name system,
- Recital 111 – it emphasizes that the TLD name registries and entities have to ensure integrity and availability of data, to prevent inaccurate registration data, and to adopt and implement procedures to verify the domain name registration data, and
- Recital 110 – enabling lawful access to specific domain name data.
Along with this, Article 28 provides for:
- Ensuring accuracy and completeness of WHOIS data.
- To make publicly available all WHOIS data that is not personal data, including the data of legal persons.
- To reply and respond without delay to WHOIS data access requests and provide access upon lawful requests in any event within 72 hours.
- To provide legitimate access to WHOIS data free of charge (recital 112).
Given the difficulties faced in the implementation of GDPR and the effect it has on domain name registration and access to personal data, the NIS2 facilitates the free flow of information to a certain extent with all safety and security of personal data protection. The NIS2 has created an impact due to its binding effect on the laws protecting personal data. It also provided clarifications on how trademark owners can access reliable and legitimate personal data about the registrants of domain names by overcoming proxies and thus combat IP infringement without hassles.
In the upcoming blog post, we will be comparing the GDPR and the DPDP Act, 2023.