Swiss law has recently been revised in two respects. Both changes relate to data protection and have a direct impact on the prosecution of online infringements. First, since 1 April 2020, IP addresses may (again) be processed for anti-piracy purposes – second, as of 1 January 2021, no personal data is published any longer in the WHOIS with regard to .ch domain names. This article discusses the second change. The first change was discussed in part 1.
Part 2: No More Personal Data in WHOIS – More Difficult Identification of Infringing Parties
Until recently, WHOIS queries were an efficient tool in the fight against online infringements in Switzerland. The identification of infringers is now more difficult.
What It’s All About
In order to be able to prosecute rights infringements online, rights owners must first identify the responsible persons (i.e. obtain personal data of the infringers). If the infringement occurs via a .ch domain name, anyone could – until recently – query the respective holder’s identity anonymously and without much effort online at the registry (administrator of .ch domain names) SWITCH (WHOIS query). See in this context also article no. 1 of our series “Online Enforcement”, “The Role of the WHOIS Directory”.
Since 1 January 2021, however, no more personal data will be published in the WHOIS for .ch (and also for .li) domain names. The identity of domain name holders can now only be obtained by identifying oneself to SWITCH (i.e. by itself disclosing personal data) and providing specific proof of interest.
The New Legal Basis
The publication of data in the Registration Data Directory Service (RDDS) database (WHOIS) relating to .ch domain names is governed by art. 46 of the Swiss Federal Ordinance on Internet Domains (OID).
Under the previous law, name and address of the domain name holder and the technically responsible person had to be published. The revised law takes a different approach: No personal data is published as a matter of principle. SWITCH can only publish the holder’s personal data if the holder consents. In addition, it may also publish the holder’s identification data and contact details if the holder is a legal entity. The previous and the new art. 46 OID can be compared as follows (bold print added):
Data Protection as a Pretext
In their Explanatory Note of 26 October 2020 on the revision of the OID (German/French; English version not available; hereinafter “OFCOM Explanatory Note 2020”; p. 54), the Swiss Federal Office of Communications (OFCOM) provides a data protection justification for the non-publication of personal data in the WHOIS: OFCOM states that with the entry into force of the European General Data Protection Regulation (GDPR), the ideas and expectations regarding the WHOIS have “clearly evolved in the direction of a fundamental prohibition of the publication of any personal data of domain name holders”.
This is not convincing for two reasons:
Firstly, Swiss data protection law differs fundamentally from European data protection law in conceptual terms: Under the GDPR, personal data may only be processed if there is a (legal) basis for doing so (such as consent, necessity for the performance of a contract or overriding private interests) (so-called “prohibition regulation”). In contrast, under Swiss data protection law (also under the new law which will enter into force in 2022), a justification is only required if either the processing principles are not complied with, the data subject has objected to the processing, or particularly sensitive personal data is to be disclosed to a third party. The revised art. 46 OID disregards this conceptual difference.
It is also noteworthy that in their Explanatory Note of 13 February 2014 on the (in 2015 newly introduced) OID (German; English version not available; hereinafter “OFCOM Explanatory Report 2014”; p. 20), OFCOM still weighted the public interest in disclosure higher than the interest of domain name holders in keeping their personal data confidential: “A domain name holder cannot oppose the disclosure of his or her data. The public interest in publicity – protection of the rights of third parties and consumers, the need for transparency in the medium of the internet, the guarantee of the effectiveness of the law, and the technical stability of the internet – outweighs the interest in keeping the disclosed personal data confidential in the present case.” It is not clear why the weighing of interests should now be different.
Secondly, under Swiss law, most website operators have to disclose their identity and address in an imprint according to art. 3 para. 1 letter s no. 1 Swiss Federal Unfair Competition Act. And even those who are not subject to the imprint obligation, have to disclose their identity in the privacy notice.
Data protection therefore appears to be a pretext for the justification of the revision. It seems more likely that OFCOM has bowed to pressure from the Internet Corporation for Assigned Names and Numbers (ICANN) without offering any resistance. In the course of a reform of the RDDS service (WHOIS) for generic internet domains (gTLDs, such as .com, .net and .org domain names), ICANN had decided to refrain from publishing personal data in the WHOIS in the future.
Requesting Information From SWITCH
If someone wants to find out who the holder of a specific .ch domain name is, they must now submit a written request for information to SWITCH. SWITCH provides an online form for this purpose (there is a separate online form for authorities). This requires not only proof of identity (i.e. disclosure of personal data), but also proof of interest. SWITCH will only disclose the holder’s personal data if the applicant shows credibly that he/she has “an overriding legitimate interest” in the requested data.
SWITCH examines on a case-by-case basis whether, in their view, such an overriding legitimate interest exists. SWITCH provides examples of such legitimate interests (see also OFCOM Explanatory Report 2020, p. 55):
- verification of the current domain name record by the holder or technical contact of the domain name in question (self-disclosure);
- (presumed) infringement of trademark rights;
- (presumed) infringement of copyright or personal rights;
- necessity of the data for an authority’s fulfilment of a statutory task (authority information).
However, according to SWITCH, “the intention to buy a domain name or to contact the operator of the website” is not considered sufficient. The basis for the claim, the related documents and proof of identity (official ID or extract from the commercial register) must be uploaded and sent to SWITCH.
According to art. 52 para. 4 OID, SWITCH may in principle request a fee for granting access to personal data, “in accordance with the rules and fees applied at international level.” However, according to the OFCOM Explanatory Report 2020, access is to be free of charge and the set-up and operating costs are to be covered by means of a slight increase in the wholesale price which SWITCH will charge for each registration or renewal of a .ch domain name from 1 January 2021. The costs will thus ultimately be passed on to the individual domain name holders.
Also, those who request information from SWITCH will have to bear their own costs in connection with the request for information.
At least in the transition period, an increase in direct inquiries to registrars of .ch domain names is to be expected (generating costs for them). Their contact details remain visible in the WHOIS. However, registrars are neither responsible for any infringement of rights that may occur via their customers’ domain names, nor are they the right point of contact for the disclosure of personal data. They are well advised to refer third parties to SWITCH for specific information or (if the third party’s request goes beyond a simple identity query) to proceed in accordance with the Code of Conduct Domain Names (CCD) of the Swiss ICT industry association Swico. See in this context also article no. 2 of our series “Online Enforcement”, “The Role of Hosting Providers”.
Cybercriminals Will Profit
The non-publication of personal data primarily serves cybercriminals who want to disguise their identity and also ignore other relevant provisions such as the obligation to provide an imprint and information under data protection law.
Certainly, anyone who wanted to disguise their identity as the holder of a .ch domain name could already do so under the previous law – for example, by using a “WHOIS Privacy” service, or by providing false information for the publication in the WHOIS. With the new law, however, this disguise will become even easier – for example, it is to be expected that many false information will (due to the non-publication) remain undiscovered for some time.
It remains to be seen how efficient SWITCH will make the procedure regarding requests for information. Particularly in the case of infringements online, rights owners depend on obtaining the requested information promptly in view of possible preliminary measures (such as blocking a specific domain name). Otherwise, they run the risk of forfeiting their rights.
If SWITCH rejects a request for information in an individual case, the question also arises as to whether the justification can be improved and whether SWITCH’s decision can be subject to judicial review.
In any case, the newly implemented information request procedure will unnecessarily lead to additional administrative work (and unnecessary disclosure of personal data) for all those who rely on the relevant information, such as IP rights holders.
Our series “Online enforcement” deals with particularities in the enforcement of rights on the Internet.
Other articles in this series: