If B, C, or D, please elaborate.

The EPDP Recommendations were issued in February 2019 and expected to be approved by the GNSO and Board in short order. The EPDP team (including representatives of contracted parties) understood that it would take some time to translate the recommendations in to policy and then to have contracted parties implement that policy. Accordingly, Recommendation 28 extended the validity of terms within the Temporary Specification to allow for the creation and implementation of the policy. After due consideration the EPDP team set a deadline for contracted party compliance at 29 February 2020 (1 year after issuance of the Phase 1 report). Clearly the EPDP team underestimated the amount of time needed to translate the recommendations into policy. However, the EPDP team, including registry and registrar representatives unanimously believed that the allowed period was sufficient for contracted party implementation. Given Recommendation 28, and the fact that these recommendations are reasonably consistent with the Temporary Specification, and that the differences have been well known now for several years, the ALAC believes that allowing an additional 18 months for contracted party implementation is excessive and uncalled for.

If B, C, or D, please elaborate.

The Final Report said "A separate timeline of [less than X business days] will be considered for the response to ‘Urgent’ Reasonable Disclosure Requests, those Requests for which evidence is supplied to show an immediate need for disclosure [time frame to be finalized and criteria set for Urgent requests during implementation]." It is important to note the definition of "URGENT" requests. “Urgent Requests for Lawful Disclosure” are limited to circumstances that pose an imminent threat to life, serious bodily injury, critical infrastructure, or child exploitation in cases where disclosure of the data is necessary in combatting or addressing this threat. Critical infrastructure means the physical and cyber systems that are vital in that their incapacity or destruction would have a debilitating impact on economic security or public safety. It is unfortunate that the report specified "business days" as the basis for the policy. That being said, to set it at TWO days in light of the definition of Urgent requests is totally unreasonable! It is not uncommon to have three consecutive non-business days resulting in a potential of 5 calendar days for responses to URGENT requests. The ALAC notes that the RAA already includes provision 3.18.2: Well-founded reports of Illegal Activity submitted to these contacts must be reviewed within 24 hours by an individual who is empowered by Registrar to take necessary and appropriate actions in response to the report. As such, registrars must already have staff who are able and authorized to respond to critical situation within 24 hours. There is no reason not to use these same capabilities for situations where there is imminent threat to life, serious bodily injury, critical infrastructure, or child exploitation. The ALAC also notes that the recently approved EU NIS 2 Directive allows an absolute maximum of 72 hours for response to ALL requests for access (not just critical requests).

If B, C, or D, please elaborate.

The document gives the date the EPDP Team issued its Initial report and the date the GNSO Council adopted the Final Report, but should also give the date of the Final Report (20 February 2019).

If no, please explain why the suggested changes are incorrect and provide any suggested changes.

The EPDP recommendation on the transfer of data from registrars to registries makes the implementation of the Thick Whois policy difficult, but it does not make it impossible. This is particularly true for registrations the contain no personal information. Moreover, the recently approved EU NIS2 requires that registries and registrars publish publicly available data, and make available redacted data to legitimate users; AND that registrars and registries cooperate so that data does not need to be collected twice. That implies that if registrars are the prime collector of the data (as they are with gTLDs) that registrars must cooperate and provide registries with the data. NIS 2 notes that this obligation is sufficient legal reason for processing the registration data under GDPR Article 6.1(c). [NIS 2: Recitals 109-112 and Article 28]