Thanks Anne.

 

The sections you referenced are from a previous version of the Registration Data Policy. The language is from the version that was posted for public comment in July 2023. The current version of the Registration Data Policy, which comes into full effect in August 2025, does not include all of the cited language (although it does include section 10.1).

 

This is because the Board expressed concerns that language re: Urgent Requests may not be fit for purpose and that it was necessary to revisit Policy Recommendation 18 concerning requests for registrant data made in the context of situations that pose an imminent threat to life, serious bodily harm, infrastructure, or child exploitation (see Board letter).

 

For urgent requests (Rec 18), the policy recommendation language did not define the response timeline and left it open for the implementation team to determine.

 

During its December 2024 meeting, the GNSO Council considered the IRT’s previous discussions regarding the separate timeline for urgent requests and noted the
IRT could not agree to a timeline, in part, because of the lack of a global authentication mechanism. Now, in light of GAC`s work on an authentication mechanism, reviewing the timeline again would not constitute policy development as defined in Annex A of Bylaws (the GNSO PDP) but rather, would be continued implementation work on Recommendation 18 of the EPDP Phase 1 Final Report.

 

Councilors may feel other policy work may be warranted, but thus far, we have only signaled that we would review the timeline in light of GAC’s work on an authentication mechanism.

 

Thanks,

Greg

 

From: Anne ICANN <anneicanngnso@gmail.com>
Sent: Sunday, March 9, 2025 4:42 PM
To: Council@icann.org; DiBiase, Gregory <dibiase@amazon.com>; Terri Agnew via cou. <council@gnso.icann.org>; Steve Chan <steve.chan@icann.org>; Caitlin Tubergen <caitlin.tubergen@icann.org>; Saewon Lee <saewon.lee@icann.org>; Tomslin Samme-Nlar <mesumbeslin@gmail.com>; Nacho Amadoz <nacho@amadoz.cat>
Subject: [EXTERNAL] Urgent Requests - work done by the IRT but not implemented

 

CAUTION: This email originated from outside of the organization. Do not click links or open attachments unless you can confirm the sender and know the content is safe.

 

Leadership and Steve,

 

Regarding the upcoming Council discussion on next steps for "Urgent Requests", below is what I understand to have been the Registration Data Policy IRT work that was not implemented even though the policy re urgent requests in Recommendation 18 was in fact adopted by the Board.  It would be great if staff could confirm before Wednesday that the sections below are consistent with staff's understanding of the IRT work that was done:

 

DEFINITION AND CONDITIONS FOR APPLYING TIMELINES

 

3.8 “Urgent Requests for Lawful Disclosure” are limited to circumstances that pose
an imminent threat to life, of serious bodily injury, to critical infrastructure, or of
child exploitation in cases where disclosure of the data is necessary in
combatting or addressing this threat. Critical infrastructure means the physical
and cyber systems that are vital in that their incapacity or destruction would have
a debilitating impact on economic security or public safety.

 

FORM AND TIMING OF DISCLOSURE REQUESTS

 

10.1 Registrar and Registry Operator MUST publish on their homepage (a publicly
available webpage where their domain name services are offered) a direct link to
a page where the mechanism and process for submitting Disclosure Requests is
detailed. The mechanism and process MUST specify (a) the required format and
content of requests, (b) the means of providing a response to the requestor, and
(c) the anticipated timeline for responses.

 

10.6 For Urgent Requests for Lawful Disclosure, Registrar and Registry Operator
MUST respond, as defined in Section 10.7, without undue delay, generally
within 24 hours of receipt.

 

10.6.1 If Registrar or Registry Operator cannot respond to an Urgent Request
for Lawful Disclosure within 24 hours, it MUST notify the requestor
within 24 hours of receipt of an Urgent Request for Lawful Disclosure
of the need for an extension to respond. Registrar or Registry
Operator’s extension notification to the requestor MUST include (a)
confirmation that it has reviewed and considered the Urgent Request for
Lawful Disclosure on its merits and determined additional time to
respond is needed, (b) rationale for why additional time is needed, and

(c) the time frame it will respond, as required by Section 10.7, which
cannot exceed two (2) business days from the time of the initial receipt
of the request.

 

10.6.2 In addition to the extension provided for in Section 10.6.1, if
responding to an Urgent Request for Lawful Disclosure is complex, or a
large number of requests are received by Registrar or Registry
Operator, it MAY extend the time for response up to an additional one
(1) business day provided it notifies the requestor within (2) business
days from the time of the initial receipt of the request of the updated
time frame to respond explaining the need for an additional extension
of time.

 

 

There are also some footnotes clarifying some issues in relation to requests that come on non-business days, etc. 

 

Thank you,

Anne

 

Anne Aikman-Scalese

GNSO Councilor

NomCom Non-Voting 2022-2026