GoDaddy challenges India court order, says $2.4B fraud fight violates GDPR
Key Takeaways
- GoDaddy’s appeal against a New Delhi court order pits India’s $2.4 billion cyber fraud problem against international privacy laws.
- The ruling requiring paid WHOIS privacy could set a precedent that reshapes how courts balance anti-fraud measures with data protection principles under the DPDP Act and GDPR.
Mentioned
Key Intelligence
Key Facts
- 1Indian authorities recorded 2.4 million cyber fraud complaints totaling $2.4 billion in 2025.
- 2In December 2025, a New Delhi court ordered the blocking of more than 1,100 fake websites and mandated that WHOIS privacy protection become a paid service.
- 3GoDaddy, managing approximately 80 million domain names globally with $5 billion in annual revenue, describes the directives as 'commercially destabilizing' and warns registrars may be forced to exit India.
- 4The ruling directly conflicts with India’s Digital Personal Data Protection Act and the EU’s GDPR, both of which promote privacy-by-default principles.
- 5Competitor registrars Namecheap and Hosting Concepts have also filed challenges against the order.
- 6GoDaddy argues the forced disclosure of registrant data would expose legitimate website owners to stalking, harassment, and other security risks.
Analysis
- Over 1,100 fraudulent websites blocked in one sweep
- Free privacy shields criminals; monetization adds accountability
- Protects brands and consumers from mass deception
- Violates India’s DPDP Act and GDPR privacy-by-design principles
- Forces public exposure of all registrant personal data, risking stalking and harassment
- May cause domain companies to exit India, destabilizing the digital ecosystem
Analysis
For legal and regulatory professionals, the Delhi High Court case represents a pivotal test of judicial overreach into domain governance. The order not only targets fake websites but also mandates a fundamental shift from privacy-by-default to a paid model, a move that directly contravenes India’s own data protection statute and the EU’s GDPR. The outcome could influence countless cross-border digital operations and define the limits of court-ordered tech compliance.
GoDaddy’s appeal against a New Delhi court order signals a high-stakes collision between India’s escalating cyber fraud crackdown and globally accepted privacy norms. At the center of the dispute is a December 2025 ruling that ordered the blocking of over 1,100 fake websites impersonating brands such as Amazon and McDonald’s, and — more critically — mandated that domain privacy protection become a paid service, stripping away the ‘privacy by default’ model. GoDaddy argues that this forced exposure of registrant data (names, addresses, phone numbers, emails) would not only violate India’s own Digital Personal Data Protection Act and the EU’s GDPR but also invite harassment, stalking, and identity theft against millions of legitimate website owners. The company has called the directives ‘commercially destabilizing’ and warned that domain registration companies could be forced to exit India entirely.
Authorities registered 2.4 million cyber fraud complaints valued at $2.4 billion in 2025 alone, a staggering volume fueled by a booming digital user base.
India’s motivation is clear. Authorities registered 2.4 million cyber fraud complaints valued at $2.4 billion in 2025 alone, a staggering volume fueled by a booming digital user base. Fake e-commerce sites, phishing portals, and counterfeit payment gateways have proliferated, leveraging default WHOIS privacy to hide behind anonymized registrations. The court branded these sites ‘engines for large-scale deception’ and concluded that free privacy functions as a shield for criminals. By monetizing privacy, the court aims to introduce a friction model — legitimate users can still hide their details, but at a cost, while law enforcement gains a clearer path to track bad actors.
Yet GoDaddy and competitors Namecheap and Hosting Concepts contend the remedy is worse than the disease. In legal filings, GoDaddy emphasized that domain registrars across the world rely on privacy-by-default to comply with data protection frameworks, and that suddenly pivoting to a paid model would fracture the global WHOIS system, invite jurisdictional chaos, and erode user trust. For a company managing 80 million domains and generating roughly $5 billion in annual revenue, India is not just a regulatory headache — it is its largest emerging market, and any threat to operations there carries material financial risk.
The ruling also raises profound internet governance questions. If India’s approach succeeds, other nations grappling with fraud may follow suit, creating a patchwork of conflicting mandates that could balkanize the internet. Registrars might be forced to implement geo-fenced WHOIS disclosure, a technically complex and legally fraught endeavor. The appeals process at the Delhi High Court is thus being watched not only by domain registrars but by brand owners, cybersecurity firms, privacy advocates, and global internet governance bodies.
What to Watch
GoDaddy’s core argument rests on proportionality. The company does not dispute the need to combat fraud but insists that less intrusive methods — such as faster judicial disclosure mechanisms, better coordination with registrars, and enhanced verification systems — can achieve the same goals without dismantling privacy for all. The EU’s GDPR and India’s 2023 data protection law both enshrine ‘privacy by design,’ which the court ruling directly contradicts. A larger bench of the Delhi High Court will now weigh whether national security and anti-fraud imperatives can override fundamental privacy rights, especially when alternative remedies exist.
The outcome could redefine the business landscape for international tech companies in India. If upheld, the ruling might prompt a rapid escalation in compliance costs, force domain registrars to reevaluate their Indian presence, and potentially trigger similar demands from other jurisdictions. Conversely, a reversal could establish that India’s data protection framework, still nascent, holds sway over judicial discretion in technology matters. The case is a litmus test for how the world’s most populous democracy balances digital growth, consumer safety, and individual rights.
Timeline
Timeline
New Delhi court orders blocking of 1,100+ fake websites
The court rules that fake websites are 'engines for large-scale deception' and mandates that free WHOIS privacy protection become a paid service to prevent cloaking of rogue operators.
GoDaddy, Namecheap, and Hosting Concepts challenge the ruling
The registrars appeal before a larger bench of the Delhi High Court, arguing the order violates India's data protection law and GDPR, and threatens legitimate privacy and business operations.
Sources
Sources
Based on 6 source articles- saltlakecitysun.comGoDaddy warns India rules could reshape internet governanceJul 5, 2026
- utahindependent.comGoDaddy warns India rules could reshape internet governanceJul 5, 2026
- cincinnatisun.comGoDaddy warns India rules could reshape internet governanceJul 5, 2026
- stlouisstar.comGoDaddy warns India rules could reshape internet governanceJul 5, 2026
- pittsburghstar.comGoDaddy warns India rules could reshape internet governanceJul 5, 2026
- philippinetimes.comGoDaddy warns India rules could reshape internet governanceJul 5, 2026
How we covered this story
Every story in our legal coverage is assembled from multiple primary sources, cross-referenced for factual consistency, and scored along three independent dimensions: sentiment, operational impact, and source-cluster confidence. Single-source rumors and unverifiable claims do not pass our editorial gate. When a story shows "Verified by N sources" with N≥2, the development is independently corroborated; when N=1, we mark it explicitly so readers can weigh the signal accordingly.
Impact scoring uses a 1-10 scale weighted toward regulatory, financial, and operational consequence rather than coverage volume. A topic that runs in every outlet but moves no real decisions ranks lower than a niche regulatory filing that reshapes how operators in the legal space have to behave. Read our full methodology for the scoring rubric, our glossary for term definitions, and our trends index for the longitudinal view across the beat.
| Signal on this page | What it tells you |
|---|---|
| Verified by N sources | Independent corroboration count. N≥2 is our confidence floor; N=1 is marked explicitly. |
| Impact score (1-10) | Regulatory + financial + operational weight. 8+ signals an experienced-operator action item. |
| Sentiment | Five-tier classification trained on labeled legal-specific corpora. |
| Timeline | Where applicable, the related-events sequence that contextualizes today's development. |