Yesterday the ICANN Board adopted a Temporary Specification for GDPR compliance, pursuant to the procedure under ICANN’s Registry Agreements and Registrar Accreditation Agreement. The action puts into place a policy process to consider the development and adoption of a consensus policy to be conducted within the maximum of a one-year time frame allowed for a Temporary Specification (renewable by the Board at 90-day intervals for up to a year).
The three issues of the greatest interest to IP owners are the sections regarding: (1) the language about “reasonable access” that will be granted to those with legitimate interests in WHOIS information (law enforcement, IP owners, etc.); (2) the Annex which states Important Issues for Further Community Action; and (3) the acknowledgement of GDPR implications for the UDRP and URS processes, the Temporary Specification includes Annexes D and E, addressing the URS and UDRP issues.
First, the issue of “reasonable access” is still wholly undefined and this is essential to understanding what the Accreditation system is going to look like (i.e., method of requesting access, what information or evidence is going to be required, etc.). Second, along these lines, the Annex of Important Issues for Community Action basically threw back to the community all of the issues surrounding how the Accreditation will be implemented. There is concern that there could be a model in progress which charges for access to WHOIS information. Third, in relation to Annexes D and E, addressing the URS and UDPR, these sections speak to the continued provision of Registration Data Registry operators and Registrars will provide in relation to the dispute resolution providers, and state that Complaints will not be deemed defective if the domain registrant holder name is not included; thereby allowing of the filing of John Doe complaints with the recognition that the blackout will make this information void. The further acknowledgement was made that the production of this lacking information will be acceptable later in proceedings. While this is a helpful clarification for these vital Rights Protection Mechanisms, this does not address the fact that IP owners often need to investigate the owner of a domain name in situations where UDRP or URS filings are not yet appropriate. The Temporary Specification also specifies that Registrars must provide either an anonymized email address or a web contact form to enable communication with domain registrants, however, there are no guidelines for exactly how those mechanisms should work and most Registrars will not have these processes in place on May 25th. As a practical matter, this means that IP owners will be forced to submit higher volumes of abuse complaints to Registrars in order to request “non-public” registrant contact information.
While this appears to be a stop gap - it is a step forward, albeit a small one. Many of the interested bodies of the community have put forth great efforts to address the important issues that loom for IP owners and inform the Board of the important and real issues which they demand be addressed. There are many open-ended issues and questions and, we are hopeful that with the continued efforts of our community, the final working solutions will be balanced and practical for our clients.