.eu domain names, the transition period and update on GDPR restricted ICANN registrant data

UK businesses face a number of challenging interlocking issues in the run up to the end of the transition period on 31 December 2020. What could slip off the corporate risk radar are the smaller administrative matters.  Whilst domain name portfolio management might rank fairly low down the corporate agenda, loss of a .eu domain name relating to a major online platform could have very significant consequences for businesses dependent on their online offering in our “always on, always online” culture.  We also provide guidance on ICANN’s current policy in relation to access to WHOIS registrant data.

Managing .eu domain names as a UK individual / business during and after the transition period

As the dust settles following 31 January, and while we await the outcome of UK-EU trade negotiations, there are a number of practical steps you can take now to manage a domain name portfolio containing .eu domain names.  The European Commission has recently updated its notice to clarify the rules which will apply to the .eu domain names that are registered to UK residents following the end of the transition period.  So, unless there are any provisions to the contrary agreed in any trade agreement between the EU27 and the UK:

• undertakings and individuals that are based in the UK (i.e. the registrant’s residence or establishment country code is either GB or GI, unless the citizenship country code of the registrant corresponds to an EU27 country) will not be eligible to register or renew .eu domain names after 31 December 2020.
• From 31 December 2020, ineligible domain names will eventually be revoked by the .eu Registry.  Revocation would occur on expiry of any agreed grace period and the domain name first being declared withdrawn prior to revocation.  EURid had stated that this would be a two month period after the UK’s intended exit in October 2019.  EURid has not yet updated its guidance to indicate the length of any new grace period applying after 31 December 2020.

During the transition period, UK organisations and individuals can continue to apply for, renew and hold .eu domain names.  But consideration should be given now to your ownership strategy after 31 December 2020. If you will be unable to meet the residency / establishment rules for .eu domain names after 31 December 2020 and your .eu domain name is an important online presence for your business, consider if you should set up a redirect to a new domain name now (subject to observing EURid policy on the use of proxy servers).   

You should therefore review your domain name portfolio to check all .eu domain names are held by an EU27 based entity or individual and take steps to transfer any .eu registrations to an EU based entity that is established in one of the EU27 countries.  It is worth undertaking this exercise as soon as possible to avoid any additional expense or loss of the registration. Any renewals required to be made of any .eu domain names in the transition period should be reviewed to check that the domain name details either list the registrant as an EU27 based entity or individual or are updated to reflect ownership by an EU27 based entity or individual. 

EURid has stated that it will notify UK undertakings or individuals who hold .eu domain names by email of the risk  of non-compliance with the EU residency / establishment requirements.  It will be crucial to check within organisations that no critical email communications regarding this issue have been missed, for example, if they have been directed to individuals no longer with the company rather than a general company mailbox.  Registrants can then take steps to demonstrate continued compliance with the .eu registry rules by indicating a legally established entity in one of the eligible EU27 or EEA country, or updating their residence to an EU27 or EEA country, or providing a citizenship country code corresponding to an EU27 country, irrespective of their residence.

If there is no future economic agreement by 31 December 2020 (or at the end of any extension to the transition period) that supersedes the withdrawal agreement, all registrants who did not demonstrate their eligibility to hold a .eu domain name will be deemed ineligible and their domain names will be withdrawn. This will have the consequence that the domain name will not function, as the domain name is removed from the zone file and can no longer support any active services (such as websites or email).  Currently it is intended that after a certain further grace period, all affected domain  names will then be revoked and will become available for general registration.  Companies who are slow to take steps now may find their domain names hijacked by cyber squatters acquiring their .eu domain names once they are revoked, if they have not been transferred so as to be in compliance with EURid ownership eligibility criteria.  

For completeness, please note that there is no equivalent requirement for non-UK owners of .uk domain names to be UK entities or individuals and these domain names are therefore unaffected by the transition period coming to an end.

Can you access registrant data held by domain name registries?  

Separately, please note that there has been no update to ICANN’s stated position that domain name registrant information on WhoIs should be withheld from public access, as we discussed in our previous blog here.

ICANN has been consulting on the introduction of a ‘unified access model’. This would permit third parties to request access to personal data held by registry operators for a domain name and to give registry operators certainty about how to strike the balance between third party access and a data subject’s rights in their personal data contained in registration data. It would be done by permitting ‘eligible users’ to register with an accrediting body, allowing them to be issued with credentials to be used to access non-public WHOIS data. Any approved applicant would need to comply with terms of use requiring the safeguarding of personal data, and violation of the terms could result in revocation of the user’s access credentials.  The ICANN delivery team’s report on this model is out for consultation until 23 March 2020, following which, the team will publish its report, with the intention to produce an ICANN consensus policy for adoption by the ICANN Board.  We do not anticipate that a final policy will be adopted in the short or medium term.

Given this delay, it is key in corporate transactions to check: (i) the assurances you are given by sellers about the seller entities which hold critical domain names; and (ii) the robustness of your further assurance provisions.

Ash von Schwan is a Senior Associate in the London Technology & Commercial team at Bryan Cave Leighton Paisner.

Anna Blest is a Knowledge Development Lawyer in the London Technology & Commercial team at Bryan Cave Leighton Paisner.