European Privacy Regulation Results in Changes to ICANN Policies
The 2018 passage of the General Data Protection Regulation (“GDPR”) created stricter regulations for companies to meet when handling the personal and sensitive data of consumers and users. As such, the GDPR has created lasting impact in areas of regulation that were previously not affected by domestic laws. This changed, however, when the European Union passed the GDPR, forcing the Internet Corporation for Assigned Names and Numbers (“ICANN”) to create new policies to respond to the heightened security standards.
ICANN is a nonprofit organization that oversees and manages the Internet’s global domain name system (“DNS”). ICANN’s responsibilities include the management of root name servers, introduction of any new generic top-level domains (“gTLDs”), and the creation of new policies that govern and manage the DNS system. ICANN’s policies are recognized internationally, and countries look to ICANN to arbitrate disputes regarding the DNS system as well as to maintain the overall stability of the Internet as it pertains to DNS systems, Internet protocol address spaces, and regional Internet registries.
Domain Ownership Anonymity Facilitated With Heightened Data Privacy Laws
Since the 2018 introduction of the GDPR by the European Union, ICANN has now found itself tasked with the difficult challenge of reconciling the GDPR’s strict guidelines with the ever-present need for information transparency via the WHOIS database. The WHOIS system allows for public query and will return the contact information of domain owners when used. The contact information made available by a WHOIS query normally includes the mailing address, phone number, and email address of the domain name owner or administrator, and as such, this can leave domain owners vulnerable to the misuse of their contact information by spammers, mass-marketers, and even hackers or identity thieves. To counter this issue, some registrars offer, at a fee, to provide their contact information in place of the true domain owner.
It is well-understood that ICANN generally handles any disputes regarding domains, which may include but is not limited to, cybersquatting, impersonation of brands on websites, and infringing web-use of IP, etc. Generally, to serve, contact, or open a dispute with the infringers, the “true” IP owners must have access to the infringers’ contact information. But with the recent passage of the GDPR, legitimate brand owners now face an even harder time retrieving such data.
ICANN Implements the Temporary Specification
As a compromise, ICANN has now implemented a temporary fix to allow users who are experiencing difficulty in unmasking infringers by creating the Temporary Specification for gTLD Registration Data (“Temporary Specification”). The Temporary Specification provides a safe haven for gTLD registry operators and registrars alike to qualify as “compliant” with ICANN’s WHOIS directory system if they maintain collection of registration data and persona information with increased security, allowing only tiered or layered access. In other words, in order to access personal or more sensitive data, query-users will now have to demonstrate and provide a legitimate reason to ICANN for requesting access to personal information. Moreover, the amount of information requested must also be proportionate to the demonstrated need.
While the Temporary Specification is still very much a work in progress, it does provide a helpful compromise because it requires increased data security without weakening the WHOIS query system too much. As the tiered or layered access required by the Temporary Specification process is not fully fleshed out, ICANN is looking to experts in the field to provide public comments and feedback in order to create sweeping guidelines that will simultaneously meet the requirements of the GDPR, allow for the pursuit of infringers, and still maintain relative transparency when it comes to finding out the contact information of domain owners for legitimate purposes.
About the Firm:
Klemchuk LLP is a litigation, intellectual property (IP), and business law firm, located in Dallas, TX. The firm offers comprehensive legal services including litigation and enforcement of all forms of IP as well as registration and licensing of patents, trademarks, trade dress, and copyrights. The firm also provides a wide range of technology, Internet, e-commerce, and business services including business planning, formation, and financing, mergers and acquisitions, business litigation, data privacy, and domain name dispute resolution. Additional information about the Technology & Data law firm and its Technology & Data attorneys may be found at www.klemchuk.com.
Klemchuk LLP hosts Culture Counts, a blog devoted to the discussion of law firm culture and corporate core values with frequent topics about positive work environment, conscious capitalism, entrepreneurial management, positive workplace culture, workplace productivity, and corporate core values.
Also published on Medium.