In-house counsel in both the UK and the US say they are still struggling to get to grips with data protection laws and that strict rules around revealing details of potential infringers have meant some threats go unchecked.
Speaking to Managing IP, counsel at travel company Thomas Cook, Getty Images and Expedia say that the General Data Protection Regulation (GDPR) plus rules being implemented in the US are forcing a more measured approach to tackling infringements.
Part of the problem, counsel say, comes in the form of changes to Whois, a database providing details of the owners of domain names.
One counsel said the database had been “purged” because of GDPR, causing various enforcement difficulties.
GDPR grievances
Under the EU’s GDPR, which has been force since May 25 2018, companies that are found to have breached the regulation can be fined as much as £18.5 million (€20 million), or 4% of annual global turnover – whichever is greater. Among potential breaches is the divulgence of personal data.
Counsel say this means they have struggled to obtain key contact details within the Whois database – which is used to contact owners of potentially infringing domains.
Paul Reinitz, director of copyright compliance at Getty Images in Seattle and who oversees enforcement activities globally, says it is now “even harder to track down the responsible party for an infringement”.
“Whois information has been purged and it is no longer a reliable way to find the owner of a website,” he tells Managing IP.
Helen Stanwell-Smith, head of the IP group at travel company Thomas Cook in London, agrees. She says that finding the identity of website owners is now “very difficult and frustrating”.
She says there are tools allowing people to tell whether emails registered to a site are attached to any others, but that is problematic as often those looking don’t know who the person is.
“You can write to the registry as another option and request the information, but a lot of times they won’t comply without a court order. Starting a Uniform Domain-Name Dispute-Resolution Policy (UDRP) is much harder because you do not have key details, which were far easier to get before.”
She adds: “Alternatively, you can write to the registry to request information, but a lot of times [the registry] won’t comply without a court order.”
The head of IP enforcement at a British multinational agrees.
“Mostly there is now very little data,” they say. “Sometimes it will provide an anonymised email for correspondence, but that has very rarely yielded any response.”
However, they say, Whois is not only used for domain recovery but occasionally to contact a suspected infringer for dialogue.
“With no details, that approach is tricky,” they say.
Backup options
While there are alternatives, these are sometimes “more long winded,” they add.
These have included making a test purchase, where the company would buy a product and wait to see if there is any correspondence – either a confirmation of purchase or returns email. Alternatively, they could ask authorities to take down the website in question.
The multinational also works closely with organisations like the Police IP Crime Unit in the UK and the IP Rights Crime Unit, a division of the Royal Canadian Mounted Police. Both help with taking down potentially infringing websites.
“Takedown methods are usually quicker but there’s a danger the infringing site or products could just crop up again. At least with the UDRP, if a domain is gone, it’s gone,” the head of IP enforcement says.
Stanwell-Smith says she now has to focus on the “most serious of infringements” and may have to let some others go.
“We have to be sure that what we target is where there is a genuine risk confusion and a commercial risk.”
Reinitz adds that a lack of Whois data is not the only problem.
He says many sites engaged in infringement rely on a web security company to hide the actual location of their server.
“There used to be public tools available that would help us find where the content was being hosted. This would give us at least a chance to attempt an internet service provider (ISP) takedown for the content. Post GDPR all of those tools were forced to shut down and we basically have no recourse other than asking the site to forward a note to the ISP on our behalf (which in practice never has any impact).”
He adds: “In general, we see that pirates are using GDPR to protect their anonymity while they use unauthorised content to earn advertising revenue.”
Patchwork of US laws
In the US it is more complex as data protection is dealt with on a state-by-state basis.
Legislation varies from state to state, rather than there being unified standards like in the EU. California and New York are among those currently updating their laws and other states are following suit.
Counsel say it is too early to predict the effect on IP enforcement. However, GDPR has also had an impact on US clients, they say.
Michael Graham, global director of IP at Expedia, says: “Globally, GDPR has provided us the opportunity to look at our privacy policies and how we handle user data. We are using GDPR as a guidepost, as similar laws are being rolled out in the US and around the world.
“In terms of Brexit, some of our EU IP is owned by our UK entities and a lot of work is going on to ensure that we are protected on day one should the UK leave the EU.”
The IP counsel at the British multinational says that in the US, lawyers have been telling clients to get GDPR ready but that there is uncertainty over what the US laws will look like.
Fourteen months on from the GDPR rollout, counsel are having to be more creative in how they approach enforcement strategies. Another question is whether a fresh batch of laws in the US will add to their woes.
