Forcing international domain name registrars (DNRs) – the organisations that manage the reservation and renewal of Internet domain names – to disclose the details of a domain registrant or to permanently block a domain name would amount to “jurisdictional overreach”, big DNRs such as GoDaddy have conveyed to the government, it is learnt.
On May 2, the Union Ministry of Electronics and Information Technology (MeitY) told the Delhi High Court that it was “exploring ways for holding registrar accountable to provide registrant data for lawful and legitimate purpose as and when sought by [Indian] LEAs (law-enforcement agencies) or in pursuance of Court Orders”.
A large number of DNRs are registered with the Internet Corporation for Assigned Names and Numbers (ICANN), a US-based global multistakeholder group and nonprofit organisation that regulates the structure of the Internet, including the allocation of domain names and Internet Protocol (IP) addresses.
‘Domain registrant’ refers to the individual, organisation, or entity that holds the rights to use a specific domain name.
Industry stakeholders have expressed concern over reported moves in India to compel global DNRs to provide registrant data to a government-designated central repository, disable default privacy to registrants, and permanently block/ suspend domain names, if requested or ordered by the government or a court.
On March 12 this year, MeitY officials had a meeting with ICANN’s Registrar Stakeholder Group (RrSG) in Mumbai to discuss a technically practical and feasible regulatory framework to curb the alleged misuse – including trademark infringement and brand impersonation to phishing and financial fraud – of registered domains in India.
The meeting, which was coordinated by the National Internet Exchange of India (NIXI), a nonprofit that aims to facilitate improved Internet services in India, was inconclusive.
Story continues below this ad
The meeting was held in compliance with directions issued by the High Court in December 2025. The High Court has been seized of the matter since 2022, when trademark owners including Dabur, Gujarat Cooperative Milk Marketing Federation Ltd (Amul), Bajaj Finance, Xiaomi, and McDonald’s, sought injunctions against the misuse of their trademarks through the registration of domain names, which were allegedly used for “illegitimate means in order to derive monetary benefit”.
However, the owners or registrants of these domain names could not be identified. Public records revealed the registrants were largely fictitious, or had supplied incomplete particulars. DNRs such as GoDaddy, the world’s biggest registrar by volume, were made parties to the suit.
Granting the injunctions in December, a single-judge Bench of Justice Prathiba Singh said: “Repeated cases of cyber fraud, cyber terrorism, and other forms of online fraudulent activity traces back to registration of infringing domain names. Misuse of domain names and website content deserves to be dealt with stringent action.”
The court directed that if a law enforcement agency requested the disclosure of data on any alleged infringement or unlawful domain name, DNRs would have to make the information available within 72 hours.
Story continues below this ad
The court also directed DNRs to appoint grievance officers, a requirement similar to the one mandated for social media intermediaries such as Meta, Google, and X Corp under The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (updated in 2023).
The court asked the government to hold stakeholder consultations with all DNRs and Registry Operators offering services in India, and to explore the possibility of putting in place a “framework” to meet various regulatory gaps.
In February this year, GoDaddy and others appealed against the “wide-ranging and generic directions” issued by the single judge against DNRs. A Division Bench of Justices V Kameswar Rao and Manmeet Pritam Singh Arora has been hearing these appeals on a day-to-day basis.
MeitY’s affidavit, filed through standing counsel for the central government, Satya Ranjan Swain, on May 2, shows that the consultation held in March made little headway. The DNRs also flagged challenges in complying with the directions issued by the court in December 2025.
Story continues below this ad
Minutes of the stakeholder meeting of March 12 suggest that the issue of urgent disclosure to law enforcement agencies has been under discussion within ICANN for more than two years.
MeitY joint secretary Sushil Pal said in the meeting that “in cases of persistent non-compliance with court orders relating to disclosure of registrant data or blocking of malicious domains, the government may consider appropriate regulatory/ legislative measures, including the best practices followed by other jurisdictions”.
In her December 2025 order, Justice Singh had asked the government to consider nominating a nodal agency such as NIXI (which is the registry for the ‘.in’ domain and mandates a strict framework for DNRs, including KYC verification measures) “as the data repository agency for India with which all the Registry Operators and the DNRs would maintain details related to Registrants on a periodic basis so that the said details are made available to the Courts, LEAs and the governmental authorities for the purpose of enforcement of orders of Courts and for preventing misuse”.
The ICANN RrSG, comprising members from 11 organisations such as Amazon, GoDaddy, and Net Chinese, however, said the requirement to share registrant data with a government-designated central repository can “raise legal, operational and cross-border data transfer challenges”, especially in situations where registrars and registrants operate under multiple jurisdictions and are subject to foreign data protection obligations.
Story continues below this ad
On the operational challenge of blocking or suspending domain names, the RrSG members said: “Domain names are finite resources that are designed to be reusable over time. In normal operation, domain names may expire, be released, and later be registered by new parties for legitimate purposes. Permanent removal of domain names from availability represents a significant departure from this model.”
Experts in this area said that since domain name registration operates in a global, multi-jurisdictional ecosystem, tailored compliances as per Indian regulations could conflict with foreign data protection and privacy laws such as the EU’s General Data Protection Regulation (GDPR) and already established frameworks, including contractual frameworks.
Also, registrars do not always control all information of registrants; certain data may be held by third-party service providers, such as hosting platforms, email providers, or payment processing platforms. A global registrar such as GoDaddy, complying with GDPR, would be prohibited from requesting or sharing personal data, even while complying with Indian law.
DNRs do not host websites or control their contents; they only provide technical services for registration and resolution of domain names. Industry stakeholders have cautioned that owing to the limitations, “actions taken at the DNS layer can have broad effects, and potentially unintended consequences”.
