Three months after implementation of the European Union’s (EU) General Data Protection Regulation (GDPR), the World Intellectual Property Organization's (WIPO) Arbitration and Mediation Center has expanded and updated its already helpful web page with important questions and answers about how the GDPR is impacting the Uniform Domain Name Dispute Resolution Policy (UDRP).
WIPO's updated GDPR web page expands the number of questions on this topic from seven to nine and provides additional details on some of the existing guidance.
The two new questions are:
- What is the legitimate purpose for which WIPO collects and processes personal data?
- Will party names still be included in published UDRP decisions?
WIPO Explains Whois Searches
The existing question with the most significantly expanded answer is:
- In preparing a UDRP complaint post-GDPR, how can a trademark owner conduct a WhoIs search/access the domain name registrant’s details?
WIPO now suggests that a trademark owner preparing a UDRP complaint may want to consider conducting a whois search in a manner similar to what I previously described in a GigaLaw blog post, "How to Conduct the Best 'Whois' Search." Specifically, WIPO describes a multi-part process that includes beginning with a general whois tool to identify the registrar for a specific domain name, followed by a whois search on the registrar's own website.
WIPO correctly notes that, because of the GDPR, many registrars have redacted important information on registrants in their own whois databases. But, as WIPO explains, the results are far from consistent:
[A] range of interpretations as to the scope of the GDPR presently exists such that some registrars may take a more global approach, other registrars may tailor application of the... GDPR-triggered limitations to natural persons with an EU nexus, and still others may apply such principles based on the registrar’s EU nexus regardless of where a particular registrant is based.
As a result, WIPO now suggests alternative ways "to facilitate contact with the domain name registrant" -- similar also to advice that I offered in another previous GigaLaw blog post, "Four Ways to Contact a Domain Name Registrant."
Publishing Party Names in UDRP Decisions
As for the issue of whether WIPO will publish party names in UDRP decisions even where, post-GDPR, a domain name registrant's identity has been withheld from the whois database -- the short answer appears to be "yes."
In connection with this answer, WIPO cites paragraph 4(j) of the UDRP, which requires that providers such as WIPO must publish their decisions "in full over the Internet, except when an Administrative Panel determines in an exceptional case to redact portions of its decision." WIPO also notes:
Publication of party names in UDRP decisions is essential to the overall functioning of the UDRP in that it helps to explain the panel’s findings, supports jurisprudential consistency, facilitates the conduct of other cases as appropriate, and furthermore can provide a deterrent effect.
WIPO's decision to publish the identity of domain name registrants in GDPR-redacted cases is consistent with its longstanding practice of publishing the identity of domain name registrants using privacy or proxy services (at least where the registrars provide that information to WIPO during the UDRP's administrative compliance process).
Still, however, WIPO indicates that a domain name registrant may ask a UDRP panel to redact its name from a decision -- if such request is "appropriately motivated." While WIPO doesn't elaborate on what an appropriate motivation might be, previous UDRP decisions (pre-GDPR) have redacted party names only in very narrow circumstances, such as where a registrant appears to have used the details of a third party in registering a domain name.
The Not-So-Temporary Specification
Finally, WIPO's updated GDPR guidance comes as ICANN continues to struggle with the so-called "Temporary Specification" (see "Despite GDPR, UDRP Survives"), which addresses how registrars should handle registrant data in Whois records as a result of the GDPR.
As WIPO states:
ICANN’s Temporary Specification moreover identifies for future action, the need to develop “methods to provide potential URS and UDRP complainants with sufficient access to Registration Data to support good-faith filings of complaints.” Separate from WIPO’s UDRP provider function, with a view to addressing broader intellectual property (IP) enforcement concerns occasioned by GDPR implementation, WIPO is involved in stakeholder discussions on a possible WhoIs access model, including as to a potential WIPO role to certify IP owners’ rights for such access.
Just one day before WIPO updated its GDPR web page, ICANN announced that it had reaffirmed the Temporary Specification for an additional 90 days because its "requirements continue to be justified in order to maintain the stability or security of registry services, registrar services or the DNS."