With just three weeks until new data protection laws come into force in Europe, concerns are being voiced about the impact on the enforcement of intellectual property rights.
According to several bodies, the new General Data Protection Regulation (GDPR), which requires organisations to enact new data privacy elements from 25 May, will be a coup for counterfeiters and criminal organisations.
In a comment piece for Out-Law.com, Iain Connor and James Robb, intellectual property law experts at Pinsent Masons, said GDPR is “set to cripple vital databases that brand owners rely on to identify and stop rogue operators online”.
The lawyers claim that once the regulations are introduced, brand owners could be left unable to identify the registrants of dodgy websites that sell counterfeit goods or host infringing content. The database and directory holding details about domain name owners will be limited in providing this information, because it is being forced to improve its privacy options in order to be compliant with GDPR.
The system in question is WHOIS, a network of databases and directories, which contains information including the name, address, email, phone number and administrative and technical contacts for people and organisations that register domain names for websites. It is maintained by the internet’s global domain name organisation, the Internet Corporation for Assigned Names and Numbers (ICANN).
This data on registered domain names is publicly accessible and is used by journalists, law enforcement authorities and brand owners in their research into websites.
While this data is valuable for law enforcement activities regarding rogue sites, there is an issue with the public nature of the data. According to Connor and Robb, “WHOIS data may also be used by spammers, hackers and marketing companies, who ‘scrape’ WHOIS databases for contact details and subsequently sell that information or use it to carry out malicious activities online”.
For this reason, WHOIS conflicts with the objectives of the GDPR and its lawful bases for processing personal data, the lawyers said. If WHOIS is not compliant with GDPR, ICANN may be fined millions of dollars.
As such, WHOIS is being updated in order to be compliant with the GDPR and will likely implement a gated model, allowing access to the data only after the person seeking it has identified themselves and the purpose for using it. How stringent this identification process will be is, as yet, unclear.
However, there have also been moves by registrars and registries to put their own GDPR-compliance measures in place to protect themselves. These moves threaten to create fragmented WHOIS data, which will also impact IP enforcement.
“Whichever model is ultimately implemented, the WHOIS system will no longer be the open, relatively accessible system operating at present,” Connor and Robb said. “A GDPR-compliant WHOIS system will severely undermine the ability of brand owners to obtain relevant information about registrants and enforce their rights online. In a post-GDPR world, accessing registrant contact details is likely to be costly and administratively burdensome.”
The US Government and the International Trademark Association (INTA) have also voiced their concerns about the regulation, with INTA claiming that “a WHOIS blackout on May 25 will result in a field day for bad actors to purchase and misuse domain names at the public’s expense”.
The US government’s stance is that while it “agrees that data privacy is of critical importance, we also believe that public safety and rights protection are equally critical”.
Even ICANN has publicly noted the “negative consequences” that GDPR will have on WHOIS, claiming that a fragmented system will: “protect the identity of criminals who may register hundreds of domain names specifically for use in cyberattacks; hamper the ability of consumer protection agencies who track the traffic patterns of illicit businesses; stymie trademark holders from protecting intellectual property; and make it significantly harder to identify fake news and impact the ability to take action against bad actors.”
“ICANN recognises the importance of the GDPR and its goal of protecting personal data, we also recognise the importance of balancing the right to privacy with the need for information… [But] we strongly believe that if WHOIS is fragmented, it will have a detrimental impact on the entire Internet… It is for these reasons and countless others that we believe it is essential to spend more time considering the balance between the important right to privacy and the need for information.”
ICANN has called for a one-year temporary moratorium on enforcement of GDPR with respect to WHOIS, and is backed by the US government, which calls a moratorium a “necessity”. However, the EU’s data protection advisory body has so far declined this request.
In the meantime, Silicon.co.uk has reported that ICANN is expected to deliver a temporary GDPR-compliance plan in the coming days, which will give data guidance to registries and registrars.
© SecuringIndustry.com