A U.S. domain registrar has taken the unusual step of appealing an Indian court ruling that orders the removal of default privacy protections for website owners, warning the directive could expose millions of legitimate users to harassment and force registrars to abandon one of the world's fastest-growing internet markets. GoDaddy filed the appeal before a larger bench of the Delhi High Court after a December ruling by a New Delhi court ordered more than 1,100 fraudulent websites blocked and introduced sweeping new rules for how domain registrars must operate in India. The case pits the urgent need to crack down on brand impersonation fraud against foundational principles of online privacy - and the outcome could set a precedent with consequences well beyond India's borders.
What the Court Ordered and Why
The dispute has its roots in lawsuits filed from 2019 onward by major corporations including Amazon and McDonald's, targeting websites that mimicked their branding to deceive consumers. The scale of the problem is significant: Indian government data shows authorities received 2.4 million complaints of alleged cyber fraud worth $2.4 billion in a single year, reflecting the pace at which digital fraud has expanded alongside India's smartphone and internet boom.
The Delhi High Court found that fraudulent websites had become "engines for large-scale deception" and concluded that the privacy protection services typically offered by domain registrars were functioning "as a cloak" behind which rogue operators could hide. Its remedy went beyond blocking individual sites. The court ordered registrars to stop offering privacy protection by default, require them to disclose domain owner details - including names, addresses, phone numbers and email addresses - within 72 hours to any party claiming a "legitimate interest," and prohibit the registration of domain names that constitute variations of protected brand names.
Why GoDaddy Says the Remedy Goes Too Far
GoDaddy's appeal, described in non-public court filings reviewed by Reuters, does not dispute the goal of reducing fraud. Its argument is that the prescribed remedy is disproportionate - one that would sweep up vast numbers of ordinary website owners while solving relatively little of the underlying problem.
The company's core concern is practical and grounded in well-documented risk. Privacy protection for domain registrations - commonly known as WHOIS privacy - works by substituting a registrar's contact details for those of the actual domain owner in public databases. This prevents personal information from being freely accessible to anyone who runs a lookup. Removing that shield by default means that any individual, small business, journalist, activist, or private person who registers a website would have their home address, phone number and email exposed in a publicly queryable database unless they pay separately for protection. GoDaddy warned this would leave legitimate owners vulnerable to stalking, harassment and other threats.
In its filings, the company described the directives as "commercially destabilizing" and cautioned that such requirements could compel domain registration companies to exit India entirely - a significant claim given that India represents one of the largest pools of new internet users in the world. If major registrars withdraw or restructure their Indian operations, the resulting market fragmentation could harm the very small businesses and entrepreneurs that India's digital economy relies on.
The Tension Between Fraud Prevention and Privacy Infrastructure
The case exposes a genuine and longstanding tension in internet governance. WHOIS databases - the systems that record domain ownership - were designed in an earlier era when the internet's user base was small, largely institutional, and personal privacy was not the concern it has since become. As registration opened to individuals and small operators worldwide, privacy protections became standard offerings precisely because public exposure of personal data created real security risks.
The European Union's General Data Protection Regulation effectively curtailed the public display of domain owner information for registrations in its jurisdiction, reflecting a consensus that blanket disclosure is incompatible with modern privacy standards. India's court has moved in the opposite direction, treating transparency as the primary instrument of accountability. The conflict between these two approaches is not merely legal - it reflects competing models of how internet infrastructure should balance openness and protection.
The 72-hour disclosure requirement raises additional procedural concerns. Granting disclosure rights to any party that asserts a "legitimate interest" - without specifying how that interest must be demonstrated or who adjudicates it - creates a mechanism that could be misused. Competitors, bad actors, or even harassers could potentially invoke such a standard to extract personal information about domain owners under the guise of brand protection.
What Happens Next
The Delhi High Court is scheduled to hear the appeals on July 16. The outcome will matter not only to GoDaddy but to the broader ecosystem of registrars, privacy advocates, and digital rights organizations watching how Indian courts handle the intersection of consumer protection and online privacy law. India has no comprehensive federal data protection framework fully in force, making judicial rulings like this one especially consequential as the country works through the implications of governing a digital population of more than 900 million users. Whatever the court decides, it will be cited - either as a model or as a warning - in similar disputes elsewhere.