Anonymous domain names: obtaining identity disclosure

Domain name protection is at the heart of a successful intellectual property strategy. This involves registering domain names for new trademarks, monitoring them, and taking action against the misappropriation of similar names. Domain name regulations are evolving both in France (Afnic) and internationally (ICANN). Under the impetus of the GDPR (General Data Protection Regulation), natural persons benefit from a right to anonymization when registering a domain name. How is it possible to claim prior rights or request a transfer of domain names when the holder remains anonymous?

Understanding domain name anonymization

What is domain name anonymization?

A natural or legal person registers a domain name with a registration office or registrar. Generally, the request is made through a professional hosting and website creation service provider.

To avoid spam and preserve the confidentiality of personal data, the holder may request to remain anonymous during registration. Indeed, the GDPR imposes the obligation to no longer leave the personal data of domain name holders in open access.

Legal framework: the GDPR

The General Data Protection Regulation (EU Regulation 2016/679 of April 27, 2016, known as GDPR) establishes the legal framework for personal data protection in the European Union. The regulation came into force on May 25, 2018, and is directly applicable in all member states.

Key principles of the GDPR include:

• Protection of natural persons with regard to the processing of personal data
• Free movement of personal data within the EU
• Strengthening individual rights (access, rectification, erasure, portability)
• Accountability of data controllers and processors

Practical impact: whois database anonymization

Concretely, this led to the anonymization of WHOIS records—queries related to domain names. Domain privacy is possible from registration by simply checking a box. For the public, this replaces the associated information with information relating to the domain or hosting service provider. However, the registrar retains the contact details of the domain name holder registered with them.

The NIS 2 Directive requirements

The NIS 2 Directive (Directive (EU) 2022/2555 of December 14, 2022) imposes the maintenance of accurate WHOIS databases with identification of domain name holders and their administrative contacts. In case of disputes, disclosure of contacts must occur within 72 hours.

The NIS 2 Directive aims to achieve a high common level of cybersecurity across the European Union. It significantly expands the scope of the previous NIS Directive from 2016 and includes specific provisions for domain name registries and DNS service providers.

International solutions: the ICANN RDRS system

Overview of ICANN’s response to GDPR

ICANN, the registration office for generic top-level domain names (gTLDs such as .com, .org, .net, etc.), reacted after the adoption of GDPR and the anonymization of data. Since November 28, 2023, ICANN has implemented the RDRS (Registration Data Request Service). This service offers controlled access to non-public data relating to domain names.

Who can use the RDRS?

This service concerns persons with a legitimate interest, including:

• Law enforcement agencies
• Government agencies
• Intellectual property attorneys
• Cybersecurity professionals
• Consumer protection advocates

Key features of the RDRS

The RDRS is a free, global, and centralized request system designed to manage requests for access to anonymized data relating to domain names. The RDRS connects the requester with registrars participating in this initiative.

The system provides:

• A standardized format for submitting requests to access gTLD non-public registration data
• A centralized platform that offers the ability to upload legal documents
• Automated identification of the correct registrar for a domain name
• A single request form, eliminating the need to complete multiple forms with varying requirements
• Tracking mechanisms for both requestors and registrars

Important limitations

This procedure deserves praise for its operational simplicity. However, several important observations must be made:

• Voluntary participation: The RDRS is based on voluntary participation by registrars under ICANN’s jurisdiction. As of 2024, 94 registrars representing 60% of gTLD domains under management have voluntarily participated.
• Limited scope: It exclusively concerns data masked by the registrar and not data anonymized through third-party services.
• No guaranteed access: The service does not guarantee access to requested registration data. All communication and data disclosure between registrars and requestors take place outside the system.

Data accuracy requirements

What happens in case of inaccurate data? ICANN requires registrars to send an annual verification request for contact data. Any invalid or outdated information may result in suspension of the domain name. Each registration office has the authority to sanction the holder if their contact information is not kept up to date. This sanction then occurs within the framework of their contractual relationship and is not necessarily linked to a third-party request.

It remains possible to solicit registrars with a court decision to support your request to obtain the lifting of anonymity. However, costs are often significant compared to the stakes involved.

Solutions in France: the Afnic procedure

Afnic’s disclosure procedure

Similarly, Afnic, which manages .fr domain names among others, has implemented a procedure for disclosing anonymized data. An online form allows any person claiming an infringement of prior rights to request disclosure of the contact details of a holder who is a natural person.

Afnic grants the request in case of identical reproduction or quasi-identical reproduction of a prior right, including:

• Trademark or distinctive sign protected in France
• French copyright
• Patronymic name or pseudonym

Important: Acceptance by Afnic does not constitute recognition of an infringement. Afnic’s examination focuses particularly on the similarity of signs and does not extend to website content.

Alternative Dispute resolution options

In case of refusal by Afnic, it is possible to obtain an ex parte court order from a judge or make a request to dispute resolution bodies, particularly through:

• PARL EXPERT procedure (Alternative Dispute Resolution Procedures)
• SYRELI procedure

These alternative dispute resolution procedures are governed by Afnic’s Naming Charter. They are contradictory procedures that allow any person (natural or legal) to recover a domain name or obtain its deletion within two months from filing the request.

Judicial remedies

Beyond administrative procedures, French law provides judicial remedies for domain name disputes. Rights holders can file an ex parte application (ordonnance sur requête) with a competent court to obtain disclosure of anonymized data or take conservatory measures.

The courts have consistently upheld Afnic’s anonymization procedure and its refusal to freeze or block domain names on simple third-party requests, as confirmed by the Paris Court of Appeal in its decision of October 19, 2012.

Comparative analysis and best practices

International vs. national approaches

The RDRS (international, for gTLDs) and Afnic procedures (national, for .fr) represent two complementary approaches to balancing privacy protection with legitimate access needs:

ICANN RDRS System:

• Global scope covering generic TLDs
• Voluntary participation by registrars
• Standardized request format
• Free service
• No guaranteed disclosure

Afnic System (France):

• National scope for .fr and French overseas territories
• Specific criteria based on prior rights
• Alternative dispute resolution mechanisms
• Clear legal framework under French law

Best practices for rights holders

Proactive domain monitoring

Domain name surveillance is more necessary than ever. Implement automated monitoring systems to detect potentially infringing registrations early. Many registrars offer domain watch services that can alert you if a similar domain to your trademarks is registered.

Document your prior rights

Maintain comprehensive documentation of your trademark registrations, copyright claims, and other intellectual property rights. This documentation will be essential when submitting disclosure requests or pursuing dispute resolution procedures.

Choose the appropriate procedure

For gTLD domains (.com, .org, .net, etc.), use the ICANN RDRS system. For .fr domains and French overseas territories, use Afnic’s disclosure procedure. Consider the costs, timeframes, and success rates of each approach.

Prepare thorough documentation

When submitting a disclosure request, provide comprehensive evidence of your prior rights, the similarity between your mark and the domain name, and your legitimate interest in obtaining the information. Include trademark certificates, copyright registrations, and evidence of use.

Consider alternative dispute resolution

If direct disclosure requests fail, consider UDRP (Uniform Domain-Name Dispute-Resolution Policy) for gTLDs or Afnic’s PARL EXPERT and SYRELI procedures for .fr domains. These procedures are often faster and less expensive than court litigation.

Timeline and costs comparison

Understanding the timeline and potential costs for each procedure is essential for strategic planning:

ICANN RDRS:

• Timeline: Variable, depends on registrar participation and response
• Cost: Free service
• Success rate: Variable, as disclosure is at registrar’s discretion

Afnic Disclosure:

• Timeline: Response within reasonable timeframe, typically within a month
• Cost: Free service
• Success rate: Depends on evidence of prior rights and similarity

PARL EXPERT/SYRELI:

• Timeline: Decision within two months from filing
• Cost: Administrative fees apply (typically between €400-€800)
• Success rate: Higher when prior rights are clearly established

Conclusion

The landscape of domain name privacy and disclosure has evolved significantly with the implementation of GDPR. While the regulation protects individual privacy rights, it also creates challenges for rights holders seeking to combat cybersquatting, trademark infringement, and other forms of domain name abuse.

Both ICANN’s RDRS system and Afnic’s disclosure procedures represent important steps toward balancing these competing interests. However, the voluntary nature of RDRS participation and the specific criteria required for Afnic disclosure mean that rights holders must remain vigilant and proactive in protecting their domain name portfolios.

The NIS 2 Directive’s 72-hour disclosure requirement for disputes represents a significant development that may streamline access to domain holder information in critical situations. As this directive is transposed into national law across EU member states, we can expect further refinements to the disclosure process.

Ultimately, effective domain name protection requires a comprehensive strategy combining proactive monitoring, proper documentation of intellectual property rights, and familiarity with available disclosure and dispute resolution mechanisms across multiple jurisdictions. By understanding and using both international and national procedures, rights holders can navigate the complexities of anonymized domain registration while protecting their legitimate interests.

Stéphane Bellec, Attorney, Partner Cabinet De Baecque Bellec

Intellectual property attorney

sbellec@debaecque-avocats.com

Tél. + 33 (0) 1 53 29 90 00