Canadian domain registry enacts new privacy policy

The group that oversees Canada's dot-ca registry introduced a new privacy policy this week to balance the rights of domain name registrants with those of trademark holders, it said.

The group that oversees Canada's dot-ca registry introduced a new privacy policy this week to balance the rights of domain name registrants with those of trademark holders, it said.

The Canadian Internet Registration Authority (CIRA) said that under the new policy, formally enacted on Tuesday, the personal information of individual domain name registrants, including registrant name, home address, phone number and e-mail address, would now automatically be protected. Corporate registrants will remain public.

Individuals, as opposed to businesses, own about 60 per cent of all of the dot-ca domain names in Canada. The personal information of these owners was previously available through an internet search called Whois (pronounced who-is).

CIRA said the new privacy rules would put it in line with the 2004 Personal Information Protection and Electronic Documents Act (PIPEDA), which restricts how private-sector organizations collect, use and disclose personal information in the course of commercial business.

"The new dot-ca Whois policy puts registrants first by restricting access to the private information of individuals while providing timely mechanisms for legitimate information requests," Byron Holland, president and CEO of CIRA, said in a statement.

The new protection has exceptions, however, allowing contact information to be disclosed "in situations arising from child endangerment offenses, intellectual property disputes (e.g. cybersquatting), threats to the internet, and identity theft," CIRA said.

Michael Stewart, general counsel for CIRA, said the policy is the organization's attempt to strike a balance between privacy and disclosure.

Not everyone is pleased with the policy. Privacy advocates say its exceptions are too broad and allow for a weakening of the privacy measures, while advocates for trademark holders say the process is too onerous to effectively protect intellectual property rights.

Privacy advocate Michael Geist, a law professor at the University of Ottawa and Canada Research Chair of Internet and E-commerce Law, who initially praised the spirit of the legislation, said the exceptions provide a "back door" for law enforcement and trademark holders, essentially gutting the policy.

"While the law enforcement exception appears to be narrowly tailored, the exception for trademark, copyright, and patent interests undermines a crucial part of the Whois policy," he wrote in his blog on Wednesday. "The organization has betrayed the very principles of consultation upon which it was built and sent a discouraging message that special interests matter more its own members."

But Eric Macramella, an Ottawa-based trademark lawyer with Gowling Lafleur Henderson, said the recent concessions still represent a significant barrier to trademark holders who are trying to pursue legal action against cybersquatters.

"They were trying to strike a balance and this is what we get," he said. "It's a foolish policy that doesn't recognize the rights of brand owners."

Companies must prove trademark is registered

Under the old rules, trademark holders could send a cease-and-desist letter directly to a domain name holder if they felt their trademark was being infringed. Under the new rules, trademark owners send their letter through a form on the CIRA website, which then directs it to the domain owner. If the trademark owner receives no response in 14 days, the trademark holder can fill out a request for disclosure of the registrant's information.

But in order to get the information the company must provide proof of a registered trademark, which Macramella says is a problem for owners of "common-law" trademarks that have yet to be registered or are in the process of being registered.

"If you don't have a registered trademark, it can take up to two years to get one," he said.

Stewart said restricting that information to holders of registered trademarks was a conscious decision by CIRA to ensure that complainants in question actually hold the rights they claim to hold.

"We want to ensure the requests are valid," he said. "A common-law trademark is not a fact, it's a matter of interpretation."

Law enforcement officials would follow a different procedure, said David Hicks, CIRA's director of communications and marketing.

The new privacy policy was put in place in response to privacy concerns regarding identity theft, unsolicited e-mail (spam), and cyber stalking.

CIRA said it was created following two extensive national public consultations with a wide range of interest groups, including domain name registrants and registrars, law enforcement groups, privacy advocacy groups and intellectual property specialists.