Filing UDRP Complaints Post-GDPR: A Guide for Trademark Owners

In the past, trademark owners and their representatives have relied heavily on this bulk access to registrants’ data for collecting information about registrants and cybersquatters abusing the DNS. The new limits imposed by the GDPR on accessing registrants’ data risked forcing trademark owners to resort to new criteria to demonstrate the absence of a legitimate interest or the presence of bad faith, on behalf of their UDRPs respondents.

While the conditions for filing a UDRP remain unchanged post-GDPR, the ability of complainants to satisfy the decisional criteria of the administrative panels risked becoming significantly impaired in the aftermath of the GDPR. In an effort to clarify the UDRP process post-GDPR for the parties involved, the World Intellectual Property Organization (WIPO) addressed the most relevant issues in an informal Q&A on the matter. 

While publicly available WHOIS data may no longer include domain registrant identifiers (such as the registrant’s name and the domain’s administrative, billing, and technical contacts), WIPO indicated that it would still be possible for trademark owners to begin the UDRP process against the respondent for the disputed domain by indicating as the details of the registrant the dataset results provided in publicly accessible WHOIS; e.g., 'PRIVACY REDACTED.' This is no different from what was previously required in cases where the registrant’s data was protected by proxy and privacy services (as per Tencent Technology (Shenzhen) Co.Ltd v. Super Privacy Service, WIPO Case No. D2018-0391).

The approach as to application was yet to be harmonized at the time of the Q&A: Some registrars indicated they might apply restricted access also in connection to the 'organization' data field, taking into consideration the possible issue of sole proprietorships, i.e. commercial operations bearing the name of an individual. Similarly, registrars having no establishment in the European Union (EU) might not necessarily apply redaction to WHOIS data for all their registrations. Instead, those registrars might redact WHOIS data only in connection with natural persons located in the EU.

As is the case where the defendant’s identity is protected by privacy services, once the UDRP complaint is filed, ICANN-accredited registrars are theoretically required to provide full registration data to the interested UDRP provider. In accordance with several commentaries on the GDPR, data disclosure on behalf of the registrar would in this context be legitimized both by Article 6.1(f)—legitimate interest and Article 6.1(b)—the performance of a contract.

When a UDRP provider receives the defendant’s information from the registrar, it would transmit it to the complainant then, thus allowing the amendment of the original complaint with the newly received information about the defendant. However, due to the inadequacies in ICANN’s Registrar Accreditation Agreement (RAA) with respect to the GDPR, there was a particular risk that registrars could refuse to provide the required dataset to the UDRP provider, or ask for further information regarding the case in question before agreeing to the data disclosure.

From a legal perspective, proving the absence of legitimate interest on behalf of the defendant can be significantly challenging per se for the trademark owner [1]. Such a burden of proof could hardly be met without knowledge of the registrant’s identity.

In these cases, WIPO does not provide a general answer but rather advocates finding solutions on a case-by-case basis, together with the possibility of resorting to ICANN for assistance in ensuring the registrar's compliance with the RAA. However, the latter solution does not guarantee success, as is suggested by the decision taken by the German courts in ICANN v. EPAG Domainservices, GmbH (preliminary reference pending before the Court of Justice of the EU).

Alternatively, in the absence of a centralized clearinghouse, and awaiting ICANN’s implementation of its compliance model, trademark owners might contact domain name registrars directly to request partial disclosure of the registration data of the subjects infringing their IP. Data disclosure by the registrar can in this context be legitimized under Article 6.1(f) of the GDPR only by conducting the appropriate balancing exercise between the complainant’s legitimate interest in obtaining the registration data on the one hand, and the fundamental right and interest of the data subject to have their data protected on the other.

Only when the latter do not override the legitimate interests of the complainant would the registrar be entitled to grant disclosure of the data. To qualify as legitimate, the complainant’s interest must necessarily be lawful, represent a defined and present interest, and be sufficiently specific and articulated to enable its effective balancing against the data subject’s right to data protection. The elements to be taken into consideration by the individual registrar when conducting the assessment are not harmonized, but WIPO indicated that trademark owners or their representatives should be able to provide (indicatively): the concerned domain name; details of the trademark owner; the requested information (i.e. the registrant name); a statement describing the claimed legitimate interest in accessing the information (in this case the enforcement of an IP right); information on the concerned trademark; a certification that the requested personal data would be retained and used for the claimed legitimate interest only within the permissible scope of the GDPR.

The ad hoc processes necessary for conducting the balancing exercise, together with the required level of expertise and the number of queries, led several registrars to request the payment of a fee when applying for the disclosure of registrants’ data. The legitimacy of such an economic burden in accessing registration information could certainly also be questioned in light of the aims of the GDPR, since it significantly impedes the free movement of personal data within the EU.

Launching the UDRP process against a defendant whose privacy is protected under the GDPR can present additional costs for the trademark owner already in the preliminary phase of the dispute. As mentioned, filing a UDRP against an unknown defendant would significantly limit the complainant’s ability to assess and demonstrate the absence of the respondent’s right or legitimate interest in respect of the disputed domain name, in accordance with what is mandated by paragraph 4(a) of the UDRP.

For cases where the information provided by an RAA-compliant registrar would lead to the withdrawal of the UDRP complaint (e.g., when the registrant would turn out to be the trademark owner’s authorized licensee), WIPO (and no other UDRP provider) provides the possibility for a refund.

With regard to consolidation, WIPO suggested that in the absence of the registrant’s information, the administrative panels might increasingly focus on other indicators of common control. The absence of the registrant’s data has made the identification of other unambiguous identifiers, such as the use of similar naming patterns, templates, and text, a fundamental requirement for trademark owners to demonstrate common control over multiple abusive domains

The inaccessibility of the identity of the registrant for the disputed domain risked also undermining the complainant’s possibilities of demonstrating the respondent’s bad faith pursuant to paragraph 4(a) of the UDRP (as per Carlsberg A/S v. Xu Guo Xing, WIPO Case No. D2017-0301).

In accordance with paragraph 4(b) of the UDRP, which contains a non-exhaustive list of conditions that could demonstrate bad faith in the registration or use of domain names, a pattern of abusive domain name registrations on behalf of the respondent constitutes evidence of bad faith. In its “Jurisprudential Overview 3.0” of 2017, WIPO highlighted how UDRP administrative panels have established that a minimum of two previous abusive domain registrations by a respondent constitutes:“A pattern of conduct of preventing a trademark holder from reflecting its mark in a domain name.”

The implementation of the GDPR, and the consequent removal of domain name registrants’ data from the data set displayed in response to WHOIS queries, no longer allows trademark owners to verify abusive patterns of behaviors through name-based searches of administrative panels’ archives before filing a UDRP when the registrar would not agree to such preventive disclosure, but only for possible amendments to their original complaints once the relevant registrar agrees to provide the registrant’s data to the UDRP provider. On its side, WIPO has ensured the publication of dispute party names following paragraph 4(J) of the UDRP, as necessary for the overall functioning of the UDRP procedures (and therefore for the performance of the RAA contract, in accordance with Article 6.1(b) GDPR).

Nonetheless, it would still be possible for any of the parties involved in a UDRP process to submit a motivated request for having their personal information redacted, thus potentially countering WIPO’s efforts to ensure the system's operability post-GDPR. The criteria set out by the GDPR and in the guidelines of the Article 29 Working Party on the matter of personal data deletion, most of all the criterion of relevance to the public, hardly support such deletions, especially where registrants are found to have conducted abusive registrations.

As a member of the IP Constituency at ICANN, Thomsen Trampedach, our center of excellence for domain name management, follows the development of the ongoing discussion of privacy regulations for the WHOIS service directory in all its aspects, including its effects on the UDRP process, registrar liability and the effective investigation and enforcement of online IP infringement. For more information and further support, contact our team.

[1] Questel does not provide any legal services. Legal services are provided by independent IP attorneys on the basis of a separate engagement agreement between you and, if you wish to, a partner IP attorney firm.