WIPO Center informal Q&A concerning the GDPR as it relates to the UDRP

The GDPR came into force across European Union (EU) countries on May 25, 2018. As stated by the European Commission, the overarching aim of the GDPR is to address privacy and data concerns, as measured against legitimate third-party interests such as addressing legal disputes. In light of its potential implications vis-à-vis data in WhoIs databases, while the GDPR impacts online trademark enforcement in very broad terms, it is also impacting aspects of domain name dispute resolution under the Uniform Domain Name Resolution Policy (UDRP).

To assist parties’ understanding in this regard, the WIPO Center has produced the present Q&A on the GDPR’s relation to the UDRP. While this Q&A represents a faithful effort to understand such relationship, it is not intended to be future-proof, comprehensive, or legal advice.

Separate from GDPR-related challenges brand owners are facing in broader enforcement terms, in principle brand owners’ ability to actually file a UDRP case should not be foreclosed by the GDPR.

Much like cases filed today against a WhoIs privacy/proxy service, if a UDRP complaint contains all available registrant information – e.g., where the respondent identified in the complaint matches the publicly-identified registrant in the registrar’s WhoIs database such as “Name Redacted” – then such a complaint would be accepted by WIPO for processing and compliance review.

To first identify the registrar-of-record for a particular domain name, one place to start (among others) is the InterNIC webpage (screenshot below).

On this page, and merely by way of example, a search using the domain name (which redirects to ) produces a report that lists the registrar-of-record; in this scenario, “GoDaddy” (screenshot below).

A further search on the registrar’s WhoIs database shows the publicly-available information for the domain name registrant; in this scenario, “Registrant Name: Domain Administrator” and “Registrant Organization: ICANN” (screenshot below).

After May 25, 2018, for domain names registered by “natural persons” (i.e., individuals), as opposed to “legal persons” (i.e., businesses), publicly-available WhoIs data may no longer include full identity and contact details for the domain name registrant, nor for the administrative, technical, and billing contacts. Instead, the publicly-available WhoIs record may provide very limited information such as the registrant’s legal (or “organization”) name, its state, and its country.

Moreover, a range of interpretations as to the scope of the GDPR presently exists such that some registrars may take a more global approach, other registrars may tailor application of the above-noted GDPR-triggered limitations to natural persons with an EU nexus, and still others may apply such principles based on the registrar’s EU nexus regardless of where a particular registrant is based.

Notably, the registrant’s actual email address may not be provided.

However, in order to facilitate contact with the domain name registrant, the registrar is required to provide an “anonymized” email address or a web-based contact form.

In any event, it should be possible to contact the registrar directly to request this information. (See below regarding requests for disclosure of non-public WhoIs information.)

This possibility is in line with ICANN’s Temporary Specification for gTLD Registration Data, Annex A, Section 4.1 which states that “registrar and registry operators must provide reasonable access to personal data in registration data to third parties on the basis of a legitimate interest [ ] pursued by the third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the registered name Holder or data subject pursuant to Article 6(1)(f) GDPR”.

At present, registrars do not seem to have adopted a standardized approach for requests for non-public WhoIs (registrant) contact information. (See below concerning WIPO’s involvement in stakeholder discussions on a WhoIs access model) A range of guidance/information is however emerging, cf., the Nominet (.UK) Data Release Request form, or the EURid (.EU) Personal Data Disclosure Form Personal Data Disclosure Form.

Especially noting that the disclosure process may vary for each registrar, and that the below information is merely provided as a guideline, such requests to a registrar may be expected to include:

  • the concerned domain name;
  • the name and contact details for the requestor (e.g., the trademark owner);
  • if applicable, the name and contact details for the trademark owner’s representative;
  • the information being sought (e.g., the registrant’s name and specific contact details (which may include all or some of the registrant’s postal address, email address, telephone number));
  • a statement outlining a specific legitimate reason why the information is being sought (e.g., to pursue a claim for trademark infringement, to identify the registrant for purposes of a possible UDRP complaint filing, for acquisition due diligence, etc.);
  • information on the concerned trademark (e.g., its registration number and jurisdiction, and/or if possible to attach: a relevant registration certificate);
  • a certification that the non-public registrant data will be retained/used for a legitimate purpose within the permissible scope of the GDPR (e.g., for specific enforcement purposes, such as to prepare a UDRP complaint).

If the information provided by the registrar in response to a request is believed to be inaccurate, a complaint can be submitted using the ICANN WhoIs inaccuracy form.

In addition to the above, contact information may also sometimes be found on the website under the relevant domain name.

As it stands today, where a UDRP complaint has been submitted to a UDRP provider, ICANN-compliant registrars will provide WhoIs information on request from such UDRP provider (and at the same time “lock” the domain name’s registration and registrar information). In the event that a particular registrar fails to do so, or imposes additional burdens, WIPO will treat this on a case-by-case basis and may look to ICANN for compliance assistance.

The ICANN Temporary Specification for gTLD Registration Data, Annex E, expressly acknowledges that registrars must provide full “Registration Data” to UDRP providers upon the UDRP provider notifying the registrar of the existence of a UDRP complaint. It is also noted that the ECO GDPR Domain Industry Playbook and the contemplated ICANN IPC/BC Accreditation & Access model specifically recognize that UDRP providers meet the GDPR’s Article 6(1)(f) “legitimate purposes” and Article 6(1)(b) “performance of a contract” criteria, such that registrars are expected to provide WhoIs data to UDRP providers.

In order to give effect to the UDRP, providers have a reasonable and legitimate purpose to relay registrar-provided WhoIs data to complainants in pending UDRP proceedings so as to provide an opportunity for complainants to make substantive and/or procedural amendments as appropriate (an accepted practice today concerning privacy/proxy services named as respondents). The provision of such data may also serve to facilitate party settlements (roughly 20% of cases filed with WIPO settle prior to panel appointment, saving the parties time and money; see below information about the WIPO’s UDRP fees).

Accordingly, once WIPO receives relevant information from the registrar, the complainant will be invited to amend its complaint to reflect the registrant information received from the registrar. (While undertaking such amendment is highly recommended, based inter alia on UDRP jurisprudence, a complainant’s failure to do so would not be treated as a formal deficiency under the UDRP Rules.)

ICANN’s Temporary Specification moreover identifies for future action, the need to develop “methods to provide potential URS and UDRP complainants with sufficient access to Registration Data to support good-faith filings of complaints.” Separate from WIPO’s UDRP provider function, with a view to addressing broader intellectual property (IP) enforcement concerns occasioned by GDPR implementation, WIPO is involved in stakeholder discussions on a possible WhoIs access model, including as to a potential WIPO role to certify IP owners’ rights for such access.

The GDPR does not directly impact WIPO’s UDRP filing fees. The filing fee for a UDRP case involving between 1 and 5 domain names to be decided by a single‑member Panel is USD 1,500; and USD 4,000 for a case that is to be decided by a three-member Panel. For more information (including on cases involving higher numbers of domain names), please consult the Schedule of Fees or contact us.

If a case is filed and the relayed information triggers withdrawal of a UDRP complaint (e.g., the previously unknown registrant turns out to be the trademark owner’s licensee who has legitimately registered the domain name, or the registrant and trademark owner wish to privately settle the matter), WIPO – uniquely among UDRP providers – will refund the unused (USD 1,000) Panel fee (as is the case today, e.g. if the parties settle prior to a WIPO Panel being appointed).

In principle, it is expected that Panels will continue to treat requests to consolidate UDRP cases further to the principles articulated in the WIPO Overview of WIPO Panel Views on Selected UDRP Questions, Third Edition (“WIPO Overview 3.0”) at section 4.11. It is anticipated that the overarching consolidation standard itself will remain unchanged (as will the various consideration factors), although it is possible that in the absence of registrant contact information in the public WhoIs, Panels may increasingly focus on other indicia of common control.

As with application of consolidation requests, in principle, it is expected that Panels, taking into account the evolution of the WhoIs, will apply substantive criteria further to the principles articulated in WIPO Overview 3.0, e.g., as to showing a pattern of registrant conduct under UDRP paragraph 4(b)(ii), or the defense that the registrant is commonly known by the domain name under UDRP paragraph 4(c)(ii).

Overall, it should be recalled that the UDRP has proven to be a flexible dispute resolution mechanism framework adaptable to an evolving DNS.

The above-described information relates to registrar provision of non-public WhoIs data. As to WIPO’s role as a UDRP Provider subject to the UDRP Rules, the legitimate purpose for which personal data is collected and processed by WIPO flows from the administration of cases under the UDRP – this includes notably:

  • assuring timely and reliable notice of UDRP complaints to domain name registrants (i.e., forwarding the complaint via email and fax, and the Written Notice to all physical addresses available for the registrant);
  • understanding the “mutual jurisdiction” in a particular case;
  • relaying registrant information which a complainant is required to include in its UDRP complaint;
  • allowing a UDRP complainant to amend, if it chooses, its complaint upon being apprised of the registrant’s contact details;
  • providing the fullest possible record on which appointed panelists decide a UDRP case;
  • within appropriate limits, providing case information legitimately retained by WIPO to parties involved in subsequent litigation;
  • publishing a range of statistical information on domain name disputes.

The categories of personal data necessary for the administration of a UDRP cases are: names, postal addresses, email addresses, telephone numbers and fax numbers for complainants and domain name registrants (and any authorized representatives).

(A range of physical and information security protocols cover WIPO’s domain name-related systems.)

Paragraph 4(j) of the UDRP mandates that “[a]ll decisions under this Policy will be published in full over the Internet, except when an Administrative Panel determines in an exceptional case to redact portions of its decision.”

In this respect, through their acceptance of the applicable registration terms and conditions, domain name registrants subject to a UDRP proceeding are bound by this provision as well as the other UDRP terms.

Publication of party names in UDRP decisions is essential to the overall functioning of the UDRP in that it helps to explain the panel’s findings, supports jurisprudential consistency, facilitates the conduct of other cases as appropriate, and furthermore can provide a deterrent effect.

NB, against the background of the above-mentioned purposes, any request to redact a party’s name from a decision should normally be submitted for the panel’s consideration during the UDRP proceeding. Also in light of the above-mentioned reasons for full decision publication, any such request should be appropriately motivated.