The recent update to ICANN’s Registration Data Policy (RDP) marks a significant shift in how registrars and registries handle user data, aligning for the first time with EU privacy laws since GDPR’s inception in May 2018. This change, effective from August next year, promises a more privacy-compliant Whois policy. However, it’s not without its controversies.

The new RDP, replacing a similar temporary policy, took an extraordinarily long time to develop. Its most notable omission is the lack of a requirement for the quick turnover of private Whois data in life-threatening situations. This decision, influenced by ICANN community politics, leaves a gap in urgent situations where Whois data could prevent severe harm or exploitation.

The policy outlines the data collection and sharing responsibilities of registrars, including what must be redacted for public Whois. While it mandates a response to private data disclosure requests within a specific timeframe, it fails to address the urgent disclosure needs for scenarios posing imminent threats to life or safety.

This omission has sparked debate within the ICANN community, highlighting the challenges of balancing privacy rights with the need for access to information in critical situations. The Governmental Advisory Committee (GAC) and the Registrars Stakeholder Group (RrSG) have both voiced concerns, leading to the removal of urgent request clauses from the policy, pending further discussion.


The exclusion of an urgent disclosure rule from ICANN’s updated Whois policy underscores the complex interplay between privacy, access to information, and the operational realities of data management. While the policy takes a step forward in privacy compliance, it leaves unanswered questions about how to handle situations where access to information could be a matter of life and death. The ongoing debate within the ICANN community reflects broader challenges in internet governance, emphasizing the need for policies that balance diverse and sometimes conflicting priorities.