“Dynamic + injunctions”, which extend beyond specific domain names and provide protection against future instances of infringement with similar characteristics, are not novel to Indian jurisprudence.
In the recent years, the number of fraudulent and infringing domain names has significantly increased, with more and more intellectual property (IP) holders approaching courts seeking action against infringement of their trade marks. The misuse of domain names has also led to large-scale deception of ingenuous consumers, with some of the frauds being in crores of rupees. Thus, a more proactive and inclusive approach, and a structured framework for protecting IP rights of businesses and combating large-scale deception of ingenuous consumers, was long overdue.
In a significant ruling1, the Delhi High Court has addressed the pervasive issue of fraudulent and infringing domain names by establishing a comprehensive compliance framework and calibrating remedies with technological advancements. This marks a pivotal step in ensuring IP protection and curbing fraudulent transactions. The Court has issued detailed directions to the stakeholders, viz. 1) Domain Name Registrars (DNRs), being the entities enabling registration of the domain name by the domain name registrants (i.e., persons registering the domain name); and 2) Domain Name Registry/Registry Operators (ROs), being the Registry under which the DNR operates. Other stakeholders include the Internet Corporation for Assigned Names and Numbers (ICANN) (being the overall regulator of the internet); banks (where the infringers may have opened accounts to defraud customers using fraudulent and misleading domain names), Reserve Bank of India, telecom service providers; Ministry of Electronics and Information Technology (MeitY) and Department of Telecommunications (DoT) (overseeing access to the internet in India and regulating internet/telecom service providers); and law enforcement agencies (LEAs).
Systemic overhaul and streamlined obligations
The judgment has brought a much-needed overhaul of the incumbent system, by imposing various specific obligations on all the stakeholders. The Court has appreciated that fraudulent domain names are not one-off instances but rather constitute a pattern of unscrupulous registrants perpetrating large-scale fraud and deception of innocent customers, warranting an immediate revamping of the system, with stringent measures.
The judgment recognises the pressing need for clarity on the role of all stakeholders and for them to work closely towards curbing infringement and fraudulent activities. The directions in the judgment are inter alia aimed at imposing clearer obligations, prompt response and compliance with Court orders and LEAs (including by appointment of grievance officers), better transparency (by recognising that offering of “privacy by default” by DNRs is one of the reasons for proliferation of illegal domain names) ensuring effective implementation and outreach of injunctions and establishing a preventive and proactive framework rather than adopting a merely reactive response.2 Such directions, inter alia, include:
1. DNRs and ROs to not mask registrant details by default. Privacy protection may be offered only where expressly elected by the registrant as a paid, value-added service (not as a part of the default registration package).
2. Upon request by a court, LEA, or any person with a “legitimate interest”, DNRs shall disclose, promptly and within 72 hours, the registrant, administrative, and technical contact names; addresses; mobile numbers; email addresses, etc. in line with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.
3. Where a domain name has been injuncted or determined to have been used for unlawful purposes, it shall remain permanently blocked and shall not be returned to the general pool for re-registration. ROs are required to take steps to ensure uniform implementation of this requirement across all DNRs.
4. Where a court directs an injunction in relation to a domain name extending to mirror domains, redirect domains, alphanumeric variants, or alternative extensions, DNRs shall give effect to such injunction, and cannot make available any alternate domain names.
5. For descriptive or generic marks, injunctions would be qua specific domains, and any application to additional domains would require the intervention of the Joint Registrar of the Delhi High Court.
6. Search engines and DNRs to not provide any promotion/marketing/optimisation services to infringing/unlawful domains.
7. DNRs offering services in India to appoint a grievance officer within one month of the judgment and prominently publish the contact details of such officer on their website. Further, email service of court orders upon such grievance officer shall be sufficient.
8. While acknowledging that trade mark monitoring and pre-registration blocking primarily fall within the ROs’ purview, the ROs (having agreements with ICANN) to implement Trademark Clearinghouse (TMCH) services and make them available to brand owners.
9. DNRs offering services in India to verify registrant details at the time of registration and periodically, thereafter.3
10. DNRs facilitating registrations under the National Internet Exchange of India (NIXI) (.in/.bharat) to furnish registration data to NIXI within one month of the judgment, and undertake monthly reporting.4
While the measures create a direct enforcement mechanism, additional safeguards, and expose those non-compliant to potential action, it is important for the DNRs and ROs to overhaul their internal processes prioritising sustained compliance and mitigating regulatory and civil exposure.
Tighter rope on DNRs and denial of safe harbour
The Court has noted that the non-implementation of steps to prevent trade mark infringement revenue-centric methods adopted by the DNRs would actually lead to non-grant of safe harbour protection. DNRs continuing to promote alternative infringing domain names, will not only lose the safe harbour protection, but would also be treated as infringers, against whom reliefs, including monetary damages, can be claimed. Further, failure of DNRs to comply with court orders/LEAs, repeated non-compliance adversely affecting the interest of society at large (including fraud), failure to appoint grievance officers or insistence upon service through Mutual Legal Assistance Treaties (MLAT)/other modes, etc. will attract stringent action, including blocking of the DNRs concerned.
Balancing privacy and “legitimate interest”
The Court also acknowledges that privacy protection cannot always be implemented in default, and the same needs to be balanced against the legitimate interest of the aggrieved third party. DNRs cannot now offer privacy by default, and “unless and until a registrant requests for privacy protection”, that too, as a value-added service. Thus, DNRs must streamline their registration workflows to ensure registrant details are publicly visible by default, with privacy protection available only upon express choice by the registrant to mask details, upon payment of additional charges.
Further, the Court has directed that upon request by a court, LEA, or any person with a “legitimate interest”, DNRs shall disclose within 72 hours all requisite data, in line with the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021. The concept of “legitimate interest”, as derived from the General Data Protection Regulation (GDPR), “Temporary Specification for gTLD Registration Data” and the prevailing directives of the European Union (EU), has been recognised in the judgment. In this regard, the Court has taken note of the approach adopted by the Court of Justice of the EU,5 wherein a third party who has suffered damage to its property may be considered to have a “legitimate interest” in obtaining registrant details from DNRs for the purpose of initiating legal proceedings. The disclosure of personal information would have to satisfy a three-fold test: 1) The disclosure must be made in terms of a law justifying the privacy encroachment; 2) the said law must be pursuant to a legitimate aim of the State; and 3) means for disclosure are proportional to the legitimate aim sought to be achieved. Thus, DNRs must develop a streamlined verification process for legitimate interest requests that does not require court orders or law enforcement involvement by default, thereby ensuring effective compliance with the judgment, including the 72 hours time-frame for disclosure of registrant data.
Real time reliefs against rogue infringers instead of conventional injunction aimed at one-off instances
To ensure the effectiveness of injunctions and to address infringing content generated on an ongoing basis (rather than merely past instances), the Court has directed that a “dynamic + injunction”6 (providing real-time relief upon the emergence of a new infringing domain name) shall apply wherever the brand or trade mark appears: 1) as it is, in the domain name; or 2) with a prefix or suffix that could lead to confusion; or 3) as an alphanumeric variation. Further, recognising the rights of legitimate registrants, the Court has directed that where a registrant disputes the suspension of a domain name and communicates such objection to the DNR concerned, the DNR may require the IP owner to obtain a court order before proceeding with any further action against the disputed domain.
“Dynamic + injunctions”, which extend beyond specific domain names and provide protection against future instances of infringement with similar characteristics, are not novel to Indian jurisprudence. Various courts have granted “dynamic + reliefs” to protect IP rights, premised on the principle that the rights of an IP holder cannot be rendered otiose on account of rapidly evolving technology, and that any relief granted must be both visible and effective, affording protection against infringing material created in real time.7 In the judgment, the Court has clearly delineated the circumstances in which a “dynamic + injunction” shall apply, while analysing the underlying nature of fraudulent and infringing domain names, thereby providing much-needed respite to IP holders contending with repeated infringements.
It is evident from the above that the Court has attempted to overhaul the incumbent framework relating to domain names and has issued multiple directions to the various stakeholders. In doing so, the Court has also mandated the Government and its relevant authorities to undertake industry-wide consultations and consider putting in place a domain name registration framework, including nomination of a nodal agency to prevent misuse and ensure effective compliance. As such, we may see further changes and additions to what has been set out by the Court in the judgment.
Globally, DNR obligations reflect a shared commitment to accurate registration data and anti-abuse measures, though implementation varies across jurisdictions. For instance, the EU mandates data accuracy and verification under the NIS 2 Directive, with GDPR-compliant databases and 72-hour disclosure to legitimate requesters.8 The United States follows ICANN’s Registrar Accreditation Agreement (RAA), requiring mandatory collection of accurate WHOIS data and cooperation with law enforcement and Uniform Domain Name Dispute Resolution Policy complaints for abusive domains.9 As such, the directions and guidelines set out in the judgment appear to be in line with international standards.
However, given the onerous directions on DNRs, the judgment may invite legal challenges, particularly against privacy norms and regulatory compliance burdens. Nevertheless, with India strengthening its IP law framework, including aligning domain name registration systems and enforcing strict disclosures under the Digital Personal Data Protection Act, 2023, the jurisdiction is evolving as a safer and more robust environment for IP owners. This progression holds promise for more effective deterrence against domain name based infringements and cyber fraud.
*Partner, Cyril Amarchand Mangaldas.
**Principal Associate, Cyril Amarchand Mangaldas.
***Senior Associate, Cyril Amarchand Mangaldas.
****Associate, Cyril Amarchand Mangaldas.
1. Dabur India Ltd. v. Ashok Kumar, 2025 SCC OnLine Del 9651.
2. In addition, the has also directed the banks to implement Beneficiary Bank Account Name Lookup facility (RBI Circular bearing no. RBI/2024-25/99 CO.DPSS.RPPD.No.S987/04.03.001/2024-25 dated 30-12-2024) and comply with the standard operating procedures issued on 31-5-2024 by the Central Economic Intelligence Bureau.
3. Ministry of Electronics and Information Technology, Indian Computer Emergency Response Team (CERT-In), Noti. No. 20(3)/2022-CERT (Notified on 28-4-2022), and consistent with NIXI’s Registrar Accreditation Agreement (RAA) requirements, which include prohibition of proxy registrations for .in/.bharat domains, validation of email addresses and telephone numbers, dual authentication, maintenance of IP logs, and implementation of anti-VPN measures.
4. NIXI’s RAA prohibits proxy or anonymous registrations for .in/.bharat domains and mandates the publication of WHOIS elements, implementation of KYC/e-KYC verification, retention of logs, dual authentication, anti-temporary email measures, and rapid updates to the “in” registry.
5. Directive 95/46/EC of the European Parliament and of the Council, EU Directive 95/46/EC; Meta Platforms and Others (General terms of use of a social network), C-252/21, EU:C:2023:537; SCHUF A Holding (Discharge from remaining debts), C-26/22 and C-64/22, EU:C:2023:958; Koninklijke Nederlandse Lawn Tennisbond v. Autoriteit Persoonsgegevens, C-621/22, EU:C:2024:858.
6. The Court has relied on its decisions in UTV Software Communication Ltd. v. 1337X.To, 2019 SCC OnLine Del 8002; Universal City Studios LLC. v. Dotmovies Baby, 2023 SCC OnLine Del 4955; Burger King Corpn. v. Swapnil Patil, 2023 SCC OnLine Del 8484.
7. Applause Entertainment (P) Ltd. v. Meta Platforms Inc., 2023 SCC OnLine Bom 1034; Jiostar India (P) Ltd. v. https//criclk.com, 2025 SCC OnLine Del 4608.
8. The NIS 2 Directive establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU. It also calls on member states to define national cybersecurity strategies and collaborate with the EU for cross-border reaction and enforcement. (Art. 28), NIS 2 Directive | Articles.
9. 2013 Registrar Accreditation Agreement.