The Effect of the GDPR on Domain Name Disputes, 0319 COBJ, Vol. 48, No. 3 Pg. 18

Position:Vol. 48, 3 [Page 18]

48 Colo.Law. 18

The Effect of the GDPR on Domain Name Disputes

Vol. 48, No. 3 [Page 18]

Colorado Lawyer

March, 2019



Th is article looks at the current state of domain name disputes in light of the recently implemented General Data Protection Regulation.

The General Data Protection Regulation (GDPR) came into force on May 25, 2018. Since then, companies and individuals have been working to determine how it affects domain name disputes. Implementation of the GDPR is consistent with today's privacy concerns and data usage, but it has raised questions, many of which remain unanswered. A common question for intellectual property practitioners is how the GDPR impacts the ability to enforce trademark rights in connection with domain names.

This article describes the GDPR, outlines the Uniform Domain-Name Dispute Resolution Policy (UDRP) and Uniform Rapid Suspension System (URS) processes, dives in to the current state of resolving domain name issues in light of recent changes, and looks at what lies ahead.


The GDPR (Regulation (EU) 2016/679) regulates the processing of personal data. It applies to individuals and businesses that are not using the data for personal use and that are either (1) located in the European Union (EU), (2) offering goods and/or services to persons in the EU, or (3) monitoring the behavior of persons in the EU[1] "Personal data" is defined as "any information relating to an identified or identifiable natural person... who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data... "[2]

The GDPR's goal is to simplify data protection. It requires those regulated by the GDPR to include privacy policies written in "clear, straightforward language."[3] They must also obtain affirmative consent from "data subjects" and be more transparent about how their personal information is being used, among other things.[4] The GDPR also gives data subjects the right to obtain information regarding any of their personal data that is being used by those businesses controlling the data and how the businesses are using it.[5] Data subjects also have (1) the right to be notified of data breaches, and (2) the right to have the data controller erase his or her personal data, stop disseminating the data, and potentially have third parties halt processing of the data.[6] As a result of the GDPR's enhanced privacy protections, it has become more difficult for third parties to obtain certain personal information, including information necessary to establish elements of UDRP and URS complaints.

Penalties for violating the GDPR include up to 4% of annual global revenue or €20 million.[7] Fines are tiered and may be lower for lesser infractions.[8] As stated above, even individuals and businesses not located in the EU are subject to the GDPR and its penalties for noncompliance if they meet conditions (2) and/or (3) above;[9] they are expected to maintain personal data in the same manner as EU-based businesses and individuals. And a non-EU company that does not have a physical presence in the EU is required to appoint a representative located in the EU to whom concerns will be directed.[10]

Overview of Domain Name Dispute Resolution

The Internet Corporation for Assigned Names and Numbers (ICANN) is currently the governing body for the domain name system. Before ICANN, Network Solutions Inc. (NSI), a technology consulting company, was primarily responsible for handling top-level domains (TLDs) such as .com,.org, and .net.[11] In 1998, NSI implemented a policy under which it would suspend a domain name registrant's domain name if a complaining party produced proof of trademark rights in a mark identical to that of the domain name. If the domain name registrant could not prove trademark rights before the complainant's first demand letter to the registrant, the domain was suspended.[12] This policy was highly criticized because, among other reasons, it strongly favored owners of trademark registrations,[13] but the policy remained in place until ICANN became the governing body for the domain name system.[14]

In lune 1998, the U.S. government announced its plans to hand domain name management over to the nonprofit agency ICANN.[15] The U.S. government advised that any dispute resolution adopted by ICANN should be limited to instances of cybersquatting, and disputes between parties with "legitimate competing interests in a particular mark" should be resolved in court.[16] When the IC ANN's UDRP policy became the standard for domain name dispute resolution in January 2000, the NSI dispute resolution system ended.[17]


ICANN was created to provide a variety of services, including managing generic and country code TLD name systems and accrediting registrars all around the world.[18] ICANN also created the WHOIS service. The WHOIS system houses the majority of domain name owners' information, including their names, emails, and addresses. Each registrar maintains control of the information, but it is made available through the WHOIS system. A person is able to conduct a WHOIS search by entering a domain name into one of several WHOIS search engines. Search results include the registrant's name, email, and address, as well as any other pertinent information (including domain name creation and expiration) associated with the domain name.

Although it was possible to hide much of this information through privacy services before implementation of the GDPR, the valuable WHOIS information is used to contact domain name owners, conduct investigations, and file UDRP and URS complaints. Those seeking to file domain name complaints often begin with the WHOIS information to conduct research into the domain name registrant, the purpose in owning the domain name, and any possible legitimate interests by the registrant in the domain name.


The UDRP is a process established by ICANN for resolving disputes regarding the registration of Internet domain names. The UDRP protects businesses from bad faith registrations.[19] In connection with ICANN's governance over domain names, ICANN requires all global top-level registrars to adopt the UDRP as part of all domain name contracts. At implementation it only applied to then-existing generic TLDs (gTLDs) such as .com, .net, and .org, but it now applies to a much larger list.[20] If a trademark rights holder believes the domain name registrant is cybersquatting (registering domain names, often those of well-known brands or companies, in the hope of reselling the domains for profit), the trademark rights holder may file a complaint with one of several forums.[21] The forums use panels to act as arbitrators of the domain name disputes. The forums also apply ICANN's rules as well as any supplemental rules that a particular forum may have adopted.

Under the UDRP, a complainant must satisfy several elements for a panel to find in the complainant's favor and order transfer, cancellation, or changes to the domain name. A complainant must assert the grounds on which the complaint is made, including that

1. the domain name is identical or confusingly similar to a trademark in which...

To continue reading