This is the question being asked by intellectual property lawyers across Europe after the directive came into force last week. You may have noticed fewer spam emails this week, after the "opt out" model was replaced by an active "opt in" one for marketing purposes in the EU.
Almost immediately after the rollout of GDPR, ICANN (the Internet Corporation for Assigned Names and Numbers) filed a lawsuit against German domain registrar EPGA.
The lawsuit centres on whether or not EPGA (and internet domain registrars generally) can be forced by law to keep gathering (and subsequently disclosing) private information about users that buy web addresses from them. The reason this is particularly important in intellectual property (and commercial litigation generally) is that an infringing website will often not explain in its content who the owner is, nor provide contact details to reach him or her. When this happens, lawyers have traditionally used the WhoIs lookup tool to find out the name and address of the person that registered the domain. This is publicly available information. Or at least it was.
With the introduction of GDPR there is a fear that registrars will feel obligated to hide this information (if they store it at all) for fear of breaching the new regulations. That would hinder lawyers' abilities to track down infringers for the purpose of issuing legal proceedings against them.
ICANN has taken a keen interest in ensuring that the registrars continue to keep and publish such data. ICANN has been criticised, however, for waiting until the implementation date to take up this issue. The coming of GDPR has been known for some two years, and it seems that ICANN is only now taking these steps after failing to have a temporary policy for its WhoIs lookup service approved in March.
EPGA is the target of the lawsuit as it has implemented its own GDPR-compliant system for gathering domain name registrant information. It says that some of the details required by ICANN are unnecessary (and therefore registrars must pay to store useless data), and there may be no legal basis for storing or disclosing it or other data in any event.
We will watch keenly to see how this case plays out, as it may have a significant effect on the cost of determining the identity of those perpetrating infringements online.
If you have any questions on the above, please do not hesitate to contact the team at McDaniel & Co. on 0191 281 4000 or firstname.lastname@example.org