An Impossible Domain Name Dispute Under the GDPR?

One way for a trademark owner to prove the "bad faith" element under the Uniform Domain Name Dispute Resolution Policy (UDRP) is to provide evidence that the domain name registrant has engaged in a "pattern of such conduct" -- a test that may be all but impossible to satisfy after implementation of the European Union's General Data Protection Regulation (GDPR).

A recent UDRP decision, which was decided in part based on this test, may be among the last to do so.

The case was filed by The Flannels Group Limited of London, which uses the domain name <> and owns a U.K. trademark registration for FLANNELS for use in connection with ladies and menswear retail services. The dispute involved 17 domain names, each of which consisted solely of the word "flannels" plus a top-level domain, such as <> and <>.

In its short decision, the panel wrote that the domain name registrant "requested payment for the Domain Names from the Complainant in sums substantially above the out of pocket costs of registration of the Domain Names" -- which the UDRP says is evidence of bad faith.

Other 'Well-Known Trademarks'

The decision also cites another important factor, noting that the respondent had registered a number of other domain names that contain trademarks in which it has no rights, including <>, <>, <>, <>, <>, <>, <>, and <>.

On that issue, the panel simply wrote: "The Respondent has registered a number of domain names containing well-known trade marks without explanation, which constitutes a pattern of cybersquatting conduct."

Although the decision doesn't explain how The Flannels Group identified these other domain names, a number of tools -- including paid "reverse whois" services offered by various companies -- are frequently employed by trademark owners to support their UDRP complaints. These services locate domain names that contain similar characteristics, such as the same registrant, by comparing data in the whois records.

However, as I recently wrote, much of this data may become inaccessible thanks to the GDPR, rendering such reverse whois searches of much less value because, presumably, many newly registered domain names (and perhaps historical records as well) will not identify the registrants.

In other words, if the identity of a domain name registrant is unknown, it seems nearly impossible to identify other domain names that are held by the same registrant. And if that's the case, then trademark owners may be unable to show that a domain name registrant has engaged in a pattern of conduct.

The End of Large Complaints?

The Flannels case also highlights another challenge created by the GDPR: Identifying multiple domain names for inclusion in a single complaint. The UDRP Rules state that a "complaint may relate to more than one domain name, provided that the domain names are registered by the same domain-name holder."

The Flannels UDRP decision does not explain how the trademark owner identified all 17 domain names in that case. But, if the GDPR had been in effect when that complaint was filed, The Flannels Group may have been unable to convince the panel that they were all registered by the same domain-name holder.

As a result, the Flannels case may also be among the last UDRP cases that involve multiple domain names, which has been a very efficient way for trademark owners to deal with cybersquatters. The same is true with respect to the Uniform Rapid Suspension System (URS), which has seen some noteworthy large cases.


For multiple reasons, the Flannels case may be among the last of its type. Under the GDPR, fewer UDRP and URS complaints may include bad faith arguments that hinge on a "pattern of conduct," and fewer complaints are likely to include multiple domain names.

As a result, trademark owners will have to rely on other evidence of bad faith and perhaps file more complaints to reclaim or suspend the same number of domain names.