ICANN introduces 24-hour response requirement for urgent domain data requests

The Internet Corporation for Assigned Names and Numbers has amended its Registration Data Policy to include a new requirement for contracted parties to respond within 24 hours to certain urgent requests for nonpublic domain registration data.

The rule applies to situations involving imminent threats to life, serious bodily harm, critical infrastructure, or child exploitation, where access to registration data is considered necessary to address the threat.

The requirement will not take effect immediately. According to ICANN, implementation depends on the creation of an authentication mechanism that can verify legitimate law enforcement requestors.

The issue concerns access to nonpublic registration data linked to generic top-level domains, commonly referred to as WHOIS data before privacy restrictions introduced under data protection frameworks such as the GDPR.

Access to this information has remained a contested issue in internet governance. Law enforcement agencies have argued that restrictions on registration data slow investigations into cybercrime, fraud, abuse, and security incidents. Privacy advocates and civil society groups have raised concerns about safeguards, proportionality, and potential misuse of disclosure systems.

ICANN stated that discussions on authentication mechanisms are ongoing within the Governmental Advisory Committee’s Public Safety Working Group. The organisation said it is also developing a proof-of-concept system together with law enforcement bodies including Interpol and the Federal Bureau of Investigation.

The work is also linked to longer-term efforts to develop a standardised framework for access and disclosure requests involving domain registration data. That process has remained under discussion within ICANN for several years following changes introduced after the GDPR entered into force.