The GDPR came into force across EU countries on May 25, 2018. As stated by the European Commission, the overarching aim of the GDPR is to address privacy and data concerns, whereby these aims must be measured against legitimate third-party interests such as the conduct of legal disputes. While the GDPR is impacting trademark enforcement online more generally, it may also have consequences for domain name dispute resolution under the UDRP. In an effort to assist parties’ understanding in this regard, the WIPO Center has produced the present Q&A on the GDPR’s relation to the UDRP. While this represents a faithful effort to understand such relationship, in the current circumstances it is not intended to be future-proof, comprehensive, or legal advice.
Separate from GDPR-related challenges brand owners likely face in broader enforcement terms, in principle brand owners’ ability to actually file a UDRP case should not be foreclosed by the GDPR.
After May 25, 2018, publicly-available WhoIs data in many instances will no longer include full identity and contact details for the domain name registrant, or for the administrative, technical, and billing contacts – providing instead only limited information, including the “registrant organization” name, its state and country. Notably, the registrant’s actual email address may also not be visible. However, in order to facilitate contact with the domain name registrant, the concerned registrar is required to provide an “anonymized” email address or web-based contact form.
Much like cases filed today against a WhoIs privacy/proxy service, if a UDRP complaint contains all registrant information available – e.g., where the respondent identified in the complaint matches the publicly-identified registrant in the registrar’s WhoIs database such as “Name Redacted” – then such a complaint would be accepted by the WIPO Center for processing and compliance review.
As it stands today, where a UDRP complaint has been submitted to a UDRP provider, ICANN-compliant registrars will provide WhoIs information on request from such UDRP provider (and at the same time “lock” the domain name’s registration and registrar information). In the event that a particular registrar fails to do so, or imposes additional burdens, the WIPO Center will treat this on a case-by-case basis and may look to ICANN for compliance assistance.
The ICANN Temporary Specification for gTLD Registration Data, Annex E, expressly acknowledges that registrars must provide full “Registration Data” to UDRP providers upon the UDRP provider notifying the registrar of the existence of a UDRP complaint. It is also noted that the ECO GDPR Domain Industry Playbook and the contemplated ICANN IPC/BC Accreditation & Access model specifically recognize that UDRP providers meet the GDPR’s Article 6(1)(f) “legitimate purposes” and Article 6(1)(b) “performance of a contract” criteria, such that registrars can and should provide WhoIs data to UDRP providers.
In order to give effect to the UDRP, UDRP providers have a reasonable and legitimate purpose to relay registrar-provided WhoIs data to complainants in pending UDRP proceedings so as to provide an opportunity for complainants to make substantive and/or procedural amendments as appropriate (an accepted practice today concerning privacy/proxy services named as respondents). The provision of such data may also serve to facilitate party settlements (roughly 20% of cases filed with the WIPO Center settle prior to panel appointment, saving the parties time and money).
Accordingly, once the WIPO Center receives relevant information from the registrar, the complainant will be invited to amend its complaint to reflect the registrant information received from the registrar. (While undertaking such amendment is highly recommended, based inter alia on UDRP jurisprudence, a complainant’s failure to do so would not be treated as a formal deficiency under the UDRP Rules.)
ICANN’s Temporary Specification moreover identifies for future action, the need to develop “methods to provide potential URS and UDRP complainants with sufficient access to Registration Data to support good-faith filings of complaints.” Separate from the WIPO Center’s UDRP provider function, with a view to addressing broader intellectual property (IP) enforcement concerns occasioned by GDPR implementation, WIPO is involved in stakeholder discussions on a possible WhoIs access model, including as to a potential WIPO role to certify IP owners’ rights for such access.
The GDPR does not directly impact the WIPO Center’s filing fees. The WIPO Center filing fee for a UDRP case involving between 1 and 5 domain names to be decided by a single‑member Panel is USD 1,500; and USD 4,000 for a case that is to be decided by a three-member Panel. For more information (including on cases involving higher numbers of domain names), please consult the WIPO Center's Schedule of Fees or contact the WIPO Center.
If a case is filed and the relayed information triggers withdrawal of a UDRP complaint (e.g., the previously unknown registrant turns out to be the trademark owner’s licensee who has legitimately registered the domain name, or the registrant and trademark owner wish to privately settle the matter), the WIPO Center – uniquely among UDRP providers we believe – will refund the unused (USD 1,000) Panel fee (as is the case today, e.g. if the parties settle prior to a WIPO Panel being appointed).
In principle, it is expected that Panels will continue to treat requests to consolidate UDRP cases further to the principles articulated in the WIPO Overview of WIPO Panel Views on Selected UDRP Questions, Third Edition (“WIPO Overview 3.0”) at section 4.11. It is anticipated that the overarching consolidation standard itself will remain unchanged (as will the various consideration factors), although it is possible that in the absence of registrant contact information in the public WhoIs, Panels may increasingly focus on other indicia of common control.
As with application of consolidation requests, in principle, it is expected that Panels, taking into account the evolution of the WhoIs, will apply substantive criteria further to the principles articulated in WIPO Overview 3.0, e.g., as to showing a pattern of registrant conduct under UDRP paragraph 4(b)(ii), or the defense that the registrant is commonly known by the domain name under UDRP paragraph 4(c)(ii).
Overall, it should be recalled that the UDRP has proven to be a flexible dispute resolution mechanism framework adaptable to an evolving DNS.