On 25 November 2020, the European Commission published its “An intellectual property action plan to support the EU’s recovery and resilience” (COM(2020) 760 final: eur-lex.europa.eu). The EU Commission affirms, in particular, its intention to strengthen cooperation between all the actors involved in the fight against infringements of intellectual property rights, including market platforms, social media, advertising platforms, payment services, transport, and logistics companies. The Commission also includes top-level domain registries and domain name registrars. The Commission envisions a “toolbox” intended to clarify the roles and responsibilities of the stakeholders, develop methods of collaboration, and facilitate the sharing of data.
As a reminder, the General Regulations for Data Protection (GDPR: eur-lex.europa.eu) had plunged the holders of intellectual property rights and their representatives into a stupor. Indeed, the GDPR has added an additional obstacle to identifying the perpetrators of offenses committed in the digital space. The intellectual property infringements perpetrated by or through the registration or use of a domain name illustrate the problem well since the WhoIs data intended to identify the holder of an allegedly harmful domain name are made more difficult to access.
On 17 May 2018, the ICANN Board adopted the Temporary Specification for gTLD Registration Data (icann.org). These provisions help ICANN-accredited registrars to comply with ICANN’s contractual framework in light of the GDPR. Adopted in haste, the Temporary Specification entered into force on 25 May 2018, initially for 90 days. However, on 21 August 2018, the board decided to extend it every 90 days for one year (Icann.org, 6 November 2018). The Temporary Specification is still in effect.
On 6 April 2022, the ICANN replied to the European Commission (icann.org, 2022-04-06). ICANN recalls:
1. that its statutes provide for both access and protection to data.
2. that it has no control over the ccTLD operators (.FR for France, .DE for Germany, .IT for Italy, etc.), who are free to determine their own policy they;
3. its efforts to bring relevant entities (including registries and registrars) into GDPR compliance through the Temporary Specification;
4. the conditions of access to WhoIs data under the Temporary Specification;
5. the existence of the WhoIs Accuracy Program (Article 5 of the Temporary Specification provides the option for the registrar to suspend the domain name or terminate the registration contract (icann.org)).
The ICANN also stresses the impact of the GDPR on its ability to investigate inaccurate registration data, which poses challenges in the fight against cybersecurity.
The personal data of domain name holders are inaccessible to the public. In return, they must provide accurate data at all times, with strict liability applying. It is up to the registrars to ensure the accuracy of these data because they are the ones who have to provide reliable data to the judicial or extrajudicial authorities. This explains why they are at the heart of the draft NIS2 directive (iptwins.com, 2021-11-05). Indeed, the directive will impose on registries and registrars, considered as “essential entities”, a certain number of obligations:
- maintain accurate and complete WhoIs data (Cons. 61 and Art. 23);
- ensure the integrity of the data;
- make the data available in accordance with the GDPR (Cons. 59), and “as soon as possible” (Cons. 62).
According to para. (60) and Article 23.3, registries and registrars shall establish policies and procedures for the purpose of collecting and maintaining accurate and complete registration data. If a registry or registrar fails to comply with this obligation, it will incur liability.