Domain Name fraud

Delhi High Court: A batch of commercial suits, including the present suit instituted by Dabur India, arose from the widespread misuse of well-known trade marks through the registration of fraudulent domain names by unknown entities for impersonation, phishing, sale of counterfeit goods, and other deceptive practices aimed at defrauding consumers. While hearing them, the Single Judge Bench of Prathiba M. Singh, J., examined the obligations and liabilities of Domain Name Registrars (DNRs) in relation to infringing domain names, the adequacy of existing safeguards for protection of trade mark rights, the enforcement of court orders against non-compliant DNRs, and the formulation of appropriate directions, including grant of dynamic+ injunction, to curb such systemic abuse. The Court observed that,

“By registering domain names using a well-known mark or a registered trade mark, a whole network is built only to deceive innocent and gullible consumers and members of the public. The bank account is operated for a temporary period and after the money is collected the same is withdrawn and even before the trade mark owner is able to take action, the bank account is almost empty. Thereafter, even after the Court grants an interim injunction against the infringing domain names, there are further domain names/websites registered and opened which follow the same pattern as described above.”

Background

A batch of commercial suits was filed by various trade mark owners seeking injunctions against the misuse of their trade marks through the registration of fraudulent domain names by unknown persons. These domain names incorporated either the complete trade mark, a distinctive part of the mark, or the brand name of the plaintiffs and were used to derive illegitimate monetary benefits.

The infringing domain names were used in several ways. In some instances, they were registered to impersonate the plaintiffs and collect money from the public under the pretext of offering jobs, dealerships, or franchise opportunities. The fraudulent websites often reproduced content identical or similar to the plaintiffs’ official websites and used similar logos or marks to mislead users into making digital payments into unrelated bank accounts. In other cases, the domain names were used to host websites offering counterfeit or passing-off products for sale. Some websites also provided services while falsely representing themselves as the plaintiffs.

The suits were instituted against specific infringing domain names, and the Domain Name Registrars (DNRs) concerned were impleaded because the identity of the registrants could not be verified from WHOIS records. The information available in these records was largely fictitious or incomplete, usually providing only an email address that did not reveal the registrant’s identity. Other details such as addresses and mobile numbers were frequently inaccurate, and email IDs were often created using temporary mobile numbers or public access points such as cyber cafés, making it difficult to trace the actual individuals responsible.

Where bank account details were used to collect payments, further investigation was required to identify the account holders. These accounts were often opened using untraceable mobile numbers or potentially fake identification documents. Investigations then extended to telecom service providers, but the associated records also often contained unverifiable information.

Such practices created a network designed to deceive consumers by exploiting well-known trade marks. Bank accounts were typically used only for a short period to collect money, which was quickly withdrawn before action could be taken. Even after interim injunctions were granted, new infringing domain names and websites were often created following the same pattern.

The Court noted that these issues were systemic and required coordinated action from multiple stakeholders, including domain name registrants, domain name registrars, domain name registries, Internet Corporation for Assigned Names and Numbers (ICANN), banks, the Reserve Bank of India (RBI), telecom service providers, the Ministry of Electronics and Information Technology (MeitY), the Department of Telecommunications (DoT), and law enforcement agencies. The proceedings were therefore aimed not only at protecting intellectual property rights and business goodwill but also at preventing large-scale consumer deception caused by fraudulent domain names and websites.

The present suit was filed by Dabur India Ltd. under Section 20, Civil Procedure Code, 1908 (CPC) read with Section 27, Trade Marks Act, 1999 (TM Act), seeking a permanent injunction and damages for infringement of its trade mark “DABUR”, copyright in product labels and packaging, passing off, and unfair competition. The suit formed part of the broader batch of cases concerning domain names registered by unknown third parties that infringed the trade mark rights of various brand owners.

The Court identified the following issues to be addressed in the present proceedings:

  1. What are the obligations and liabilities of a DNR in respect of an alleged infringing domain name registered with the said DNR? Whether the said obligations are sufficient for protecting the intellectual property rights of third parties?

  2. What measures may be directed by the Court to be implemented by the DNRs to safeguard the trade marks of the plaintiff?

  3. What measures may be directed by the Court against DNRs who refuse to comply with the Court orders?

  4. Directions.

  5. Relief to be granted in the applications seeking interim relief.

Analysis, Law and Decision

I. What are the obligations and liabilities of a DNR in respect of an alleged infringing domain name registered with the said DNR? Whether the said obligations are sufficient for protecting the intellectual property rights of third parties?

The Court examined the contention of the DNRs that disclosure of registrant information to the plaintiffs was restricted due to privacy obligations under their agreements with ICANN, as well as under the European Union’s General Data Protection Regulation (GDPR) and India’s Digital Personal Data Protection Act, 2023 (DPDP Act). It noted that the standard Registrar Accreditation Agreement adopted by ICANN in 2013, along with the Registry Agreement, did not originally mandate masking of registrant data. On the contrary, the WHOIS Specification (Specification No. 4: Registration Data Publication Services) required collection and publication of detailed information relating to the registrant, administrative contact, and technical contact.

However, following the enforcement of the GDPR, ICANN adopted the Temporary Specification for gTLD Registration Data on 17 May 2018. This framework required registrars and registry operators to redact registrants’ personal information, including name, address, phone number, and related contact details, from public WHOIS databases. In practice, this redaction became the default mechanism, with publication of such data occurring only where the registrant expressly consented. The Court observed that this regime had enabled unscrupulous actors to exploit privacy protections to shield infringing activities, while also limiting ICANN’s ability to ensure accuracy of registrant data and making it more difficult for complainants to identify domain name holders.

Importantly, the Temporary Specification also requires registrars and registry operators to provide reasonable access to registration data where a third party demonstrates a legitimate interest. Article 6(1)(f) GDPR permits processing of personal data for the legitimate interests of a third party, unless such interests are overridden by the data subject’s rights and freedoms. The Court emphasised that privacy cannot operate as an absolute or default barrier where legitimate interests justify disclosure.

New Registration Data Policy

The Court further noted that ICANN’s Registration Data Policy, which came into effect on 21 August 2025, introduced additional mechanisms governing the collection, storage, publication, and disclosure of registrant data. While Section 9.2 permits redaction of certain information to comply with applicable law, it also requires registrars to allow registrants the option to consent to publication of their data. Section 10 of the Policy establishes a formal procedure through which third parties may request disclosure of registration data.

Relying on K.S. Puttaswamy v. Union of India, (2017) 10 SCC 1, the Court reiterated that any limitation on the right to privacy must satisfy the threefold test of legality, legitimate aim, and proportionality. The DPDP Act satisfies the requirement of a lawful framework for processing personal data. Under Section 4 of the Act, processing may occur with consent or for legitimate uses under Section 7. Accordingly, the Court held that a DNR would be required to disclose registrant information upon directions issued by an Indian court.

The Court also highlighted the extensive obligations imposed on registry operators and registrars under the ICANN framework. These include operating WHOIS services, implementing rights protection mechanisms such as the Trademark Clearinghouse, verifying and reverifying registrant contact information, investigating inaccuracies, and taking action against DNS abuse. Registrars are also required to validate contact details and suspend or terminate domain registrations where registrants provide false information and fail to correct it within the prescribed period.

Modus Operandi of Infringing DNRs

Despite these safeguards, the Court observed that, in practice, the current system has failed to adequately protect trade mark owners in India. Registrant details are frequently redacted or inaccurate, making it difficult to identify infringers. In many cases, only an email address is available, which itself is often insufficient for tracing the individual responsible for the registration.

The Court noted that infringing domain names are commonly used to replicate the websites of legitimate trade mark owners and to run fraudulent schemes involving fake job offers, dealership or franchise opportunities. Unsuspecting members of the public are induced to transfer money to bank accounts controlled by unknown individuals. These transactions often occur through RTGS or NEFT, where the identity of the account holder is not readily visible to the payer.

The Court opined that such practices have turned infringing domain names and associated websites into instruments of large-scale cyber fraud, resulting in significant financial loss to members of the public. Consequently, the Court concluded that the existing safeguards implemented by DNRs and registry operators are inadequate, and stricter measures are necessary to effectively protect trade mark rights and curb such fraudulent activities.

II. What measures may be directed by the Court to be implemented by the DNRs to safeguard the trade marks of the plaintiff?

Responsibilities and duties of Registry Operators and DNRs

The Court observed that DNRs and Registry Operators derive significant revenue from domain name registrations, including those incorporating well-known trade marks and corporate names. Revenue is generated through various means such as selling domain names with different extensions of famous marks at premium prices, categorising certain domain names as “premium”, providing paid blocking services to trade mark owners, offering marketing and SEO services for domain names (including infringing ones), facilitating aftermarket sales, conducting domain auctions, and providing brokerage services for transferring already registered domain names. Many DNRs also provide hosting and related support services to infringing websites, thereby further monetising such registrations. The Court noted that certain registrars even promote alternative infringing domain names with different prefixes, suffixes, or top-level domains (TLDs) and charge exorbitant prices for them.

The Court expressed concern that, despite possessing the technological capability to lock, block, suspend, or deactivate infringing domain names, DNRs and Registry Operators often fail to implement such measures even upon requests from law enforcement agencies or trade mark owners. Instead, they frequently rely on privacy laws such as the GDPR to shield registrants who misuse well-known trade marks. Additionally, although payments for domain registrations are made through electronic transactions, registrars often fail to promptly disclose the payment details of the persons registering such domains.

In practice, the only reliable information typically available with registrars is the registrant’s email address, whose authenticity is also uncertain. Other identifying details, such as mobile numbers, Aadhaar numbers, passports, or other government-issued identification, are generally not collected or verified, despite ICANN agreements requiring registrars to obtain and periodically verify contact information. As a result, trade mark owners and victims of fraud face significant difficulties in enforcing their rights or recovering funds collected through fraudulent websites.

The Court further noted that most registrants of infringing domain names are “fly-by-night operators” who disappear after collecting money from unsuspecting users through fake job offers, franchise opportunities, or similar schemes. In many cases, even when investigations are initiated or arrests are made, the fraudulently collected funds cannot be traced. The widespread use of privacy protection and proxy services by DNRs, often enabled by default, further obscures registrant identities and complicates enforcement.

Measures implemented by DNRs and Registry Operators

The Court also examined the measures that DNRs claimed they could take pursuant to court orders. According to submissions by registrars such as GoDaddy and Newfold Digital Inc., they can suspend a domain name during its registration period, lock it from transfer, disclose available registrant and payment details, and transfer the domain name to the rights holder subject to payment of costs. However, these registrars argued that they cannot permanently suspend, delete, or block domain names, nor can they take action against websites, URLs, subdomains, or webpages, as these fall within the domain of hosting providers or internet service providers. They also contended that blocking specific word strings across all domain names should be undertaken by Registry Operators rather than registrars.

The Court noted, however, that Registry Operators possess additional technical capabilities. These include implementing protections such as the Trademark Clearinghouse and Domain Protected Marks List, applying EPP status codes (such as serverHold, serverRenewProhibited or serverDeleteProhibited) to disable domain functionality, and adding specific strings to reserved lists to prevent future registrations.

In light of these capabilities, the Court concluded that several effective mechanisms exist to prevent continued misuse of infringing domain names or their re-registration. However, these measures would remain ineffective unless DNRs and Registry Operators comply fully and promptly with court orders.

[Dabur India Ltd. v. Ashok Kumar, 2025 SCC OnLine Del 9651, decided on 24-12-2025]


Advocates who appeared in this case:

For the Plaintiff: Anirudh Bakhru, Ankur Chhibber, Prabhu Tandon, Avijit Sharma, Kripa Pandit, Christopher Thomas, Bhanu Gupta, Archita Mahlawat, Sazid Rayeen, Advocates

For the Respondent: Darpan Wadhwa, C.M. Lall, Senior Advocates, Yashvardhan Singh, Geetanjali Viswanathan, Yash Raj, Kruttika Vijay, Aishwarya Kane, Yash Raj, Alipak Banerjee, Shweta Sahu, Parva Khare, Brijesh Ujjainwal, Pradyumn Sharma, Shivani Chaudhary, Mohd. Kamran, K.G. Gopalakrishnan, Kunwar Raj Singh, Nisha Mohandas, Apoorv Kurup, Kirti Dadheech, Akshay Goel, Shivam Narang, Lalit Kashyap, Shubhendu Anand, Piyush M. Dwivedi, Kushal Gupta, Mohd Umar, Prashant Prakash, Ateev Kumar Mathur, Amol Sharma, Sarfaraz Khan, Abdul Wahid, Rajesh Kumar Gautam, Deepanjal Choudhary, Sanjay Gupta, Tanmay Garg, Aman Siwasiya, Varun Pathak, Thejesh Rajendran, Tanuj Sharma, Vinay Yadav, Ansh Kalra, Divyanshu, Kamna Behrani, Susmit Pushkar, Ananya Mehan, Nirupam Lodha, Kshitij Parashar, Vanshika Thapliyal, Rajesh Kumar Gautam, Likivi K Jakhalu, Dinesh Sharma, Deepak Gogia, Aadhar Nautiyal, Shivangi Kohli, Advocates
