Why GoDaddy is challenging Delhi HC’s order ending default privacy for domain owners

4 minute read
  • The December order can be accessed here.

GoDaddy, the world’s largest domain registrar, has challenged the Delhi High Court’s (HC) December order on fraudulent websites before a larger bench, arguing that the directions strip privacy protections from legitimate website owners and force it to police domain names worldwide, Reuters reported after reviewing non-public filings. Namecheap and Hosting Concepts filed separate challenges. The larger bench will hear the appeals on July 16.

The order in question is the Dabur India v. Ashok Kumar judgment, delivered on December 24, 2025, by Justice Prathiba M. Singh. Among the 14 directions issued to registrars, three are central to the appeal. The court directed them to:

  • Run electronic Know Your Customer (e-KYC) verification for all domain registrations, with periodic re-verification.
  • Stop offering privacy-by-default masking, making identity redaction a paid add-on rather than the default.
  • Disclose registrant details within 72 hours when requested by a court, a law enforcement agency, or a rights holder.

What is GoDaddy contesting? Its appeal, which Reuters reported runs to more than 5,000 pages, challenges three of the directions:

  • Ending privacy-by-default: Publishing every registrant’s name, address, phone number, and email address exposes legitimate owners to stalking and harassment. GoDaddy continues to market “free privacy protection forever.”
  • The 72-hour disclosure requirement for anyone with a “legitimate interest”: GoDaddy argues that it cannot determine who qualifies as having a legitimate interest.
  • The bar on brand-name variations: GoDaddy calls it unworkable, since “McDonald” is a common Scottish surname and a string like “HUL” would collide with 118 English words including “hulk” and “moghul.”

Does the privacy argument hold under Indian law? GoDaddy argues that removing privacy-by-default violates the Digital Personal Data Protection (DPDP) Act, 2023, and the European Union’s General Data Protection Regulation (GDPR), both of which require platforms to collect and disclose only the minimum personal data necessary. Justice Singh rejected that interpretation in her order.

She held that Section 7(e) of the DPDP Act allows a data fiduciary to process personal data without consent when complying with a court order. Therefore, the Act permits, rather than prohibits, the disclosures required under her directions. Applying the Puttaswamy proportionality test, she ruled that privacy cannot be weaponised to shield illegality.

Weeks earlier, the same court interpreted the DPDP Act differently in a right-to-be-forgotten case, ordering Google and Indian Kanoon to de-index the names of acquitted persons from search results. GoDaddy’s appeal asks the larger bench to revisit which interpretation of the Act should prevail.

Why does GoDaddy call it a global problem? Because domain names resolve identically across the world, GoDaddy argues that it cannot apply one WHOIS policy to Indian registrants and another to the rest of its customer base. As a result, the order effectively forces it to regulate registration data globally. It calls the directions “commercially destabilising” and warns that registrars may exit India, its biggest emerging market, where it manages 80 million domains.

What prompted the order? The order targeted more than 1,100 domains impersonating brands, including Tata Sky, Amul, Bajaj Finance, Meesho, and ITC. Fraudsters allegedly used these domains to sell fake franchises and job opportunities. Justice Singh found that several registrars were not passive intermediaries, as they had promoted alternative domains, sold infringing names at a premium, and offered hosting and search engine optimisation services to unlawful websites.

She narrowed the scope of safe harbour under Section 79 of the Information Technology (IT) Act, which shields intermediaries from liability for third-party content, holding registrars liable where they facilitate fraud at the registration stage. She also allowed the government to block non-compliant registrars under Section 69A, the IT Act’s content-blocking provision.

What the appeal actually tests. The dispute is less about trademarks than about who gets to write the rules governing the domain name system. Justice Singh’s order imposes registrar obligations, including e-KYC, disclosure timelines, and a reserved-names list for protected government and institutional domains, that neither Parliament nor the Ministry of Electronics and Information Technology (MeitY) has legislated. This effectively makes a single High Court the de facto rule-maker for domain registration in India.

Three fault lines emerge:

  • Court-made policy without a statute: The e-KYC and disclosure regime emerged through a commercial suit rather than through legislation, consultation, or delegated rule-making under the IT Act. Registrars are therefore challenging obligations that were not created through a formal rule-making process.
  • A privacy question the appeal could reopen: The larger bench could apply the proportionality test differently from Justice Singh, potentially redefining the extent to which registrars can rely on the DPDP Act to resist court-ordered disclosures.
  • One jurisdiction, global effect: WHOIS is a global system. An Indian order that ends privacy-by-default could affect every registrant served by a registrar worldwide. If upheld, the ruling could provide a template for courts in other jurisdictions to assert similar authority.

What the appeal leaves unresolved.

The order borrows the concept of “legitimate interest” from the GDPR but does not define who qualifies or who should make that determination, leaving registrars to make a judgment they argue they are not equipped to make.

The question of harm also remains unresolved. The court held that privacy cannot be used to shield illegality. However, Farzaneh Badii, a New York-based internet governance researcher, told Reuters that the people most likely to be exposed would be “journalists, activists, [and] small business owners,” while brand impersonators would remain largely unaffected.

Also read: