The Impact of GDPR on Online Brand Enforcement: Lessons Learned and Best Practices for IP Practitioners

Author: Brian J. Winterfeldt - Griffin M. Barnett - Janet J. Lee
Position: Brian J. Winterfeldt is the principal of Winterfeldt IP Group PLLC in Washington, D.C. He specializes in trademark, copyright, domain name, and Internet policy and online intellectual property enforcement issues. He can be reached at brian@winterfeldt.law. Griffin M. Barnett is an associate with Winterfeldt IP Group in Washington, D.C. He...
Pages: 50-66
Published in Landslide® magazine, Volume 11, Number 4, a publication of the ABA Section of Intellectual Property Law (ABA-IPL), ©2019 by the American Bar Association. Reproduced with permission. All rights reserved.
This information or any portion thereof may not be copied or disseminated in any form or by any means or stored in an electronic database or retrieval system without the express written consent of the American Bar Association.

Brian J. Winterfeldt is the principal of Winterfeldt IP Group PLLC in Washington, D.C. He specializes in trademark, copyright, domain name, and Internet policy and online intellectual property enforcement issues. He can be reached at brian@winterfeldt.law. Griffin M. Barnett is an associate with Winterfeldt IP Group in Washington, D.C. He specializes in trademark, copyright, domain name, and Internet policy and online intellectual property enforcement issues. He can be reached at griffin@winterfeldt.law. Janet J. Lee is an associate with Winterfeldt IP Group in Washington, D.C. She specializes in trademark, copyright, domain name, and Internet policy and online intellectual property enforcement issues. She can be reached at janet@winterfeldt.law.

The European Union (EU) transformed the global landscape of data protection and privacy when it passed the General Data Protection Regulation (GDPR) in 2016. The GDPR entered into force on May 25, 2018. Ever since, businesses around the globe have been scrambling to understand this far-reaching legislation, and what they may need to do to comply with it—in the face of incredibly stiff penalties of up to 4 percent of global revenues. Ironically, while the GDPR is intended to protect consumers from misuses of their personally identifiable information, the GDPR has also caused a number of practical hurdles for companies trying to protect consumers through brand enforcement efforts against online bad actors preying on Internet users.

In particular, efforts to comply with the GDPR have led to the substantial redaction of historically public information about who owns and operates any given website through the online domain name registration database known as “WHOIS.” Brand owners have traditionally relied on this information as a starting point for enforcement efforts; but under current changes in WHOIS rules, much of the relevant information is no longer publicly available, presenting huge challenges to online enforcement efforts. Meanwhile, bad actors continue to proliferate under the new privacy rules, harming the very consumers the GDPR was intended to protect, including through the sale of online counterfeit goods, phishing, and other fraudulent schemes that leverage intellectual property assets to dupe Internet users. With traditional self-help tools like WHOIS no longer sufficient to facilitate online enforcement efforts, brand owners have had to get more creative in order to address online abuse—often adding substantial delay and cost.

This article will provide an overview of the GDPR and its effects on the WHOIS system of domain name registration data, the resulting challenges for online intellectual property enforcement, lessons learned since the GDPR took effect and public information in WHOIS was significantly reduced, and best practices and strategies for intellectual property owners to employ as part of their online enforcement programs in the post-GDPR world.

The European Union General Data Protection Regulation

The EU GDPR, passed in 2016, replaces the EU Data Protection Directive 95/46/EC, and EU member state legislation based on the Data Protection Directive. The GDPR is a broad framework designed to protect EU citizens’ privacy, and to level the playing field for businesses by harmonizing data protection and privacy rules across the EU. Because most providers of goods or services collect data of some type, the GDPR contains strict requirements for those who control personal data (data controllers) and those who actually process or publish the data (data processors).1 The GDPR carries potentially severe sanctions for violations: up to 20 million euros or 4 percent of the total annual revenue of the sanctioned entity.2 Importantly, the GDPR applies not only to those established within the EU that control or process data, but also to any party located anywhere who offers goods and services to data subjects located within the EU or who monitors the behavior of data subjects located within the EU.3

Under the GDPR, personal data may only be processed for certain legitimate and specified purposes. The data controller is responsible for explaining the purpose behind its data processing, and must inform the data subjects of such purpose before processing.4 The GDPR provides that personal data processing must be limited to what is necessary in relation to the purposes for which they are processed (a concept known as “data minimization”). Data processing must also be based on one of the specific legal grounds set forth in the GDPR. As applied to domain registration data, the three separate purposes under which processing would be permissible are: (1) consent of the data subject,5 (2) for the performance of a contract,6 and (3) for a legitimate interest of the data controller or a third party.7

The WHOIS System of Domain Name Registration Data

The Internet Corporation for Assigned Names and Numbers (ICANN) is the organization that accredits domain name registry operators and registrars,8 and through its contracts with these entities, sets forth the rules and requirements for the provision of domain name registrations to members of the public. Under existing accreditation contracts, ICANN requires domain name registrars and registry operators to collect and publish certain specified domain name registration information in a publicly accessible online database known as the WHOIS database (because, at least historically, it tells you “who is” the registrant of a particular domain name).

Historically, WHOIS provided transparency and facilitated a number of key activities to protect Internet users from harm and ensure the security, stability, and resiliency of the Internet, which is the foundation of ICANN’s mandate. WHOIS facilitated the proper resolution of domain names through their corresponding IP addresses, and in the early days of the Internet was heavily relied on by technical administrators of the Domain Name System (DNS) to address any technical resolution or security issues. Importantly, WHOIS has been an essential tool to help identify parties responsible for domain name registrations and associated online resources such as website content or e-mail addresses who are engaging in abusive or malicious conduct online, including infringement, sales of counterfeit goods, phishing, distribution of malware, and fraud. Much like the articles of incorporation for a traditional business, the WHOIS system ensured that all sites have at least one “designated agent” to ensure proper “chain of title” or to name and contact the appropriate party in a dispute or legal proceeding regarding a domain name.

In response to the GDPR, ICANN imposed drastic changes to the WHOIS system on an emergency temporary basis to ensure adequate legal compliance with respect to data