Brian wrote: Some registrar interests that are in conflict (objectively) with providing access are: a) operational efficiency; MM: would be improved substantially by an SSAD with centralized requesting b) GDPR penalties MM: um, if they get penalized for disclosure, then the disclosure should not have happened, no? You might also think about the risks of concentrating all GDPR liability in a single source. c) future customer business MM: first, registrars have an interest in weeding out true bad guys as much as any of us. But from a data subject view, the impact of market discipline is a feature, not a bug. Switch it around. Would it be reasonable for advocates of end users/registrants to trust authorization providers who have NO accountability to end users? Why would NCSG ever accept that?