GDPR and UDRP: a tricky relationship
This lack of information makes it way more difficult to conduct online brand protection activities, including domain name dispute proceedings. For example, not knowing who registered a domain name makes it very challenging for the complainant to prove registration and use in bad faith, which is a key element to obtain the domain name’s transfer or cancellation.
This topic was recently discussed during the workshop organized by WIPO Arbitration and Mediation Center, expressly focused on the impact of GDPR on domain names disputes (UDRP).
The first question is:
“after the entry into force of the new EU privacy regulation, domain name reassignment procedures are still a useful instrument to fight against infringing domain names?”
The answer is Yes. GDPR is not and should not be considered as an obstacle to domain names reassignment procedures. In fact, even before its implementation, whoever wanted to register a domain name without making his/her data public, could easily do it through the so-called privacy service providers. In this way, the registrant identity remained shielded as the domain name owner was formally the privacy service provider. As a matter of fact, while before not disclosing personal data was a choice, with the GDPR it became automatic, unless specifically authorized by the domain name owner.
This practice was, and still is, fully legitimate and has never been considered as an obstacle to UDRP. The same approach has been adopted for post-GDPR domain name disputes. Therefore, the brand owner can lodge a complaint against the infringing domain, based on the information, nearly void, available in the Whois. As a matter of fact, the complainant would be addressed to an unknown entity and would have limited contents. At this point, domain name dispute providers (WIPO, among others) will request the registrar (for example GoDaddy) to provide complete Whois records, including information on the registrant. It is significant noting that registrars are interested in providing such information if they do not want to lose ICANN’s accreditation. Whois complete record will be then forwarded to the complainant which will have the possibility to amend its writ within a few days, in light of the new information on the domain name’s ownership.
Certainly, the above described system extends the timing of the proceedings but allows the complainant to be able to prove the requirement of registration and bad faith use.
Therefore, in the post-GDPR era, it is still possible to file domain name reassignment procedures, although this option raises more critical issues compared to the past.
The first one, regards the so-called consolidation, which is the procedural tool which allows the complainant to include, in its complaint, more domain names registered by the same owner or submitted to a common supervision. In this way, the brand owner benefits from considerable costs reductions. In fact, procedural taxes are applied for preset domain names batches (for example, WIPO applies USD 1500 from 1 to 5 domain names and USD 2000 from 6 to 10). Hence, including more domain names registered by the same entity in one complaint is much more convenient than initiating different procedures for each one of them.
The GDPR makes it very tough to use the consolidation tool, as the identity of the registrant is no longer available. Consequently, it is not possible to know, in advance, if the same subject has registered more domains, which could be potentially included in one complaint. How to solve this problem? It’s extremely difficult. In the event the domain names redirect to the same website, and if the domains share identical registration date and registrar, the Complainant could try to support that they are subject to a common control and consequently attempt to justify the consolidation. However, these are only indicia, as the Whois complete record will be provided at a later stage.
Not being aware of the domain name owner’s identity also leads to another consequence regarding the merits of the Complaint.
It is not rare that who registers a domain name, composed by a trademark, is entitled to do so. Let’s think at distributors, sellers, agents or licensee who have been expressly or implicitly authorized to register domain names.
In addition, it could also happen that the registrant is able to prove a legitimate interest in a domain name, albeit not expressly authorized by the brand owner. Think about cases of registrants’ owners of trademarks or company names identical or similar to the domain name.
It’s worth reminding that in order to succeed in a UDRP, the registrant should not be able to prove to have a right or legitimate interest in the domain name. Being owner of a trademark or a company name identical or similar to the domain is a typical case in which the registrant could argue to have a right or legitimate interest in the registration of the domain name. In order to exclude this kind of critical issues, it is always advisable to conduct by name searches on the available trademark and company name’s databases.
However, in the post-GDPR era these searches cannot be conducted any more, since the complete Whois records are no longer available. How should we react then? In this case as well, the answer is not straightforward. It’s always useful to conduct some online searches to trace as much information as possible about the domain’s owner. For example, a research on the available databases to detect the existence of a trademark identical to the domain name (even without knowing who the owner is), could raise a red flag for the complainant.
Another option is to try to contact the domain name’s owner through the registrar. Indeed, registrars should have developed tools to allow to contact the registrant without spreading personal data (for example, by using anonymous e-mail addresses).
Whereby it’s not possible to obtain the necessary information about the domain’s ownership, the complaint can be lodged anyways, bearing the risk that the registrant could defend himself by arguing to have a right or a legitimate interest in the domain name.
This risk should not discourage brand owners from initiating reassignment procedures. It’s very rare that, whoever sells on a website counterfeit goods or genuine goods without the brand owner’s authorization (think about not authorized resellers), has previously registered a trademark or created a company with the sole aim of defending him/herself against a future reassignment procedure.
Most likely, but still quite unusual, is the case of a domain employed by a subject expressly or implicitly authorized to use the trademark by the brand owner. In such instances, the registrant’s identity (which is disclosed after the beginning of the appeal) could jeopardize the positive outcome of the procedure (for example because he/she is a trademark licensee). In order to limit such risk, WIPO allows the complainant to withdraw the appeal and obtain the reimbursement of the taxes already paid, if he finds out that the registrant had rights / legitimate interests on the domain name.
In conclusion, although the GDPR raised some critical aspects and topics never experienced so far, reassignment procedures are and will still be a valid and effective option to protect the trademark against domain name unlawful registrations.