The ICANN community is in the middle of implementing its EPDP Phase 1 recommendations, culminating in a Registration Data Policy that is supposed to take into account the effects of the EU GDPR on the collection and disclosure of domain name registration data. The Registration Data Policy is an ICANN-community consensus policy that, once implemented, will apply to all gTLDs and ICANN-accredited registrars. Its estimated date of effect is 11 February 2025. However, its publication has been put on hold due to the letters to the ICANN Board from the Governmental Advisory Committee (GAC) and Registrars Stakeholder Group (RrSG) concerning the “urgent requests” response timelines outlined in the draft policy. In addition, the response timelines are also criticised by the ICANN Security and Stability Advisory Committee (SSAC).
The Draft Registration Data Consensus Policy limits “urgent requests for lawful disclosure” to circumstances that pose an imminent threat to life, of serious bodily injury, to critical infrastructure, or of child exploitation in cases where disclosure of the data is necessary in combatting or addressing this threat. The timeline for responding to such requests is generally expected to be within 24 hours. However, the language also retains some flexibility for operators to disclose the needed data within up to 3 business days.
According to the GAC letter to the ICANN Board (23 August 2023), “the proposed outcome of up to three business (not calendar) days to respond to the narrowly defined category of ‘urgent’ requests for domain name registration data does not serve its intended purpose”. The GAC argues that the limited scope of circumstances that can justify the urgency of disclosure will by default limit the number of urgent requests addressed to operators. The GAC also asked the ICANN Board to consider next steps that would achieve an outcome that better meets the public safety considerations posed by urgent requests. The ICANN Board confirmed in September that “additional time is needed to consider the appropriate next steps”.
On 8 September, the RrSG sent a letter to the ICANN Board, responding to the GAC’s concerns. The RrSG reiterated that “registrars are committed to responding to urgent requests in the most swift and expeditious manner possible”. However, the fact that the GAC is asking for a review of the issue at this stage, according to the RrSG, “calls into question the GAC’s support for the multi-stakeholder policy process” together with the “GAC’s willingness to meaningfully engage with other members of the [ICANN] Community in a manner that takes into account operational and legal realities”. According to the RrSG, the best way forward is to proceed with the publication of the Registration Data Policy with the originally proposed policy language.
Security and Stability?
On 18 October, the SSAC issued its Draft SSAC Comment on Urgent Request where it concluded that the current policy language in the Registration Data Policy regarding the handling of urgent requests “is not fit for purpose”. Even the general 24-hr deadline to respond is not acceptable, according to the SSAC: “Normally, when words like ‘imminent threat to life’ are used, the expected response time is measured in minutes, not hours or days.” The SSAC also attempts to provide an industry standard for handling urgent requests, by highlighting the appropriate policies of Apple and Google (and interestingly no domain industry actors) and the statistic of 65% fulfilled urgent requests reported by Google (according to its policy). Going forward, the SSAC recommends recording and regularly reporting the data regarding urgent requests to the ICANN Org and ICANN community.
During the GAC meeting with the ICANN Board at ICANN78, ICANN Org reiterated its inclination to move forward with the Registration Data Policy; however, more discussions on the issue of urgent requests are needed. The pause in publication of the Registration Data Policy at the GAC’s request puts the ICANN Org in an “awkward position”, as the ICANN Board has already accepted a policy recommendation but is now backtracking. More consultations with the GNSO Council will follow, while the urgent request issue will be taken out of the publication of the Registration Data Policy for now.
More data is needed
Generally, it seems that more data is needed to understand how many urgent requests are already being sent to operators, and so to substantiate the need for potentially restarting the policy work. There is also an opportunity to collect some use cases from the upcoming Registration Data Request Service (RDRS) (see our previous reporting on this) that will be launched in November 2023. The GAC members of the United Kingdom and the European Commission mentioned during the ICANN78 meeting that including urgent requests’ response timings in the disclosure mechanisms of the RDRS might be beneficial to avoid further fragmentation. However, there is some reluctance to overburden a voluntary RDRS with strict mandatory urgent requests.
Perhaps instead of getting inspiration from the big tech companies’ policies on urgent requests, it might make sense for the ICANN community to explore how additional and voluntary cooperation mechanisms between European ccTLDs and law enforcement authorities are helping in the fight against cybercrime online (e.g. Nominet and CZ.NIC, just to name a few). At the end of the day, an established and mutually recognised voluntary cooperation agreement can go a long way before the ICANN community agrees on the consensus policy. This may alleviate some of the public interest concerns and allow the ICANN community to move forward with GDPR compliance.