ICANN seeks community input on timeline for urgent disclosure of nonpublic domain registration data

ICANN has opened a public consultation to determine how quickly registrars and registries should respond to urgent requests for access to nonpublic registration data, such as in cases involving imminent threats to life, serious harm, or child exploitation. The move addresses a long-standing gap in the implementation of Recommendation 18 of the Expedited Policy Development Process (EPDP) for gTLD Registration Data, which called for a specific, expedited response timeline but left it undefined during earlier policy work.
ICANN seeks community input on timeline for urgent disclosure of nonpublic domain registration data

The Internet Corporation for Assigned Names and Numbers (ICANN) launched the consultation on 22 October 2025, inviting feedback until 15 December 2025. The consultation focuses on the timeline for responding to urgent lawful disclosure requests for nonpublic registration data, information that identifies domain name registrants but is shielded under privacy rules such as the EU’s General Data Protection Regulation (GDPR).

This initiative follows the Expedited Policy Development Process (EPDP) on the Temporary Specification for gTLD Registration Data, specifically Phase 1 Recommendation 18, which anticipated ‘a separate timeline’ for urgent requests. Although the current Registration Data Policy, effective since 21 August 2025, outlines when requests may be treated as urgent, it does not yet specify how quickly they must be processed.

Under existing definitions, an urgent request applies only to limited, high-risk circumstances:

  • an imminent threat to life or serious bodily injury
  • a danger to critical infrastructure (whose loss would affect economic security or public safety)
  • cases of child exploitation where disclosure is necessary to address the threat

These categories were agreed upon by the EPDP Implementation Review Team (IRT), but the actual response window – whether hours or days – remains unresolved.

Why the timeline matters

The absence of a clear deadline for action has become a point of contention among law enforcement agencies, governments, and contracted parties (registrars and registries). In 2024, the ICANN Board, Governmental Advisory Committee (GAC), and Generic Names Supporting Organization (GNSO) Council jointly concluded that timelines measured in business days – such as one, two, or three days – were inappropriate for emergencies. They instead urged ICANN to establish a much shorter turnaround, ideally in minutes or hours, when authenticated entities request data to respond to imminent threats.

The challenge lies in balancing swift access with privacy and legal safeguards. Registrars often require proof that a requester is a legitimate authority and that disclosure complies with applicable law. Without an international authentication mechanism, these checks can slow the process.

To address this, the GAC’s Public Safety Working Group (PSWG) proposed a two-track approach in 2024:

  1. Authentication path – developing a global mechanism to verify requesters’ identities.
  2. Timeline path – assuming authentication exists, defining the appropriate response window.

In February 2025, the GNSO Council, GAC, and ICANN Board jointly agreed that the timeline work should resume under the EPDP IRT as part of implementation, not as a new policy process.

Current proposals under review

ICANN’s consultation seeks feedback on the draft language for new provisions – Sections 3.8, 3.9, 10.7, and Implementation Note K – that would be added to the Registration Data Policy. The public is invited to comment on:

  • whether the draft text clearly sets out obligations and definitions;
  • whether the proposed urgent-response timeline aligns with Recommendation 18 and expectations from the Board, GAC, and GNSO; and
  • whether an authentication mechanism would require separate policy development or can be handled within the implementation.

The draft text reflects months of discussion among IRT members, some of whom believe that the authentication system may necessitate further policy work, while others see it as an implementation detail.

Process and next steps

At the end of the consultation, ICANN will compile a Public Comment Summary and Analysis Report, reviewing the submissions and determining next steps in cooperation with the IRT. The organisation emphasises that the work on the urgent-request timeline remains part of implementing Recommendation 18, not a restart of the policy-making process.

Once agreed, the new provisions will clarify how contracted parties must handle life-threatening or critical-infrastructure-related data-access requests, establishing a concrete expectation for turnaround times and potentially standardising global practices for emergency data disclosure.

Broader implications

This consultation marks a significant step in reconciling public-safety needs with data-protection principles. Since the EU’s GDPR curtailed open access to WHOIS data in 2018, investigators and law-enforcement agencies have repeatedly expressed concern that delays in obtaining registrant information can hinder urgent action against cybercrime or threats to life. The forthcoming timeline aims to bridge that gap while maintaining the privacy safeguards required under international law.

Civil Society Alliances for Digital Empowerment (CADE) is a project co-funded by the European Union.

Civil Society Alliances for Digital Empowerment (CADE) 2024. All rights reserved.

This website is co-funded by the European Union. Its contents are the sole responsibility of CADE and do not necessarily reflect the views of the European Union.

Web accessibility | Privacy policy

Go to Top