SAC112 was published on 20 August 2020. All SSAC publications can be found at

Recommendation | Description | Current Phase

Recommendation 1: The SSAC cannot endorse the Final Report of the Temporary Specification for gTLD Registration Data Phase 2 Expedited PDP (hereinafter as “The Final Report”) as it currently stands.

Firstly, we believe that a much better system is possible within the limitations imposed by the general data protection regulation (GDPR), and that the EPDP has not provided outcomes that are reasonably suitable for security and stability.

Secondly, the Final Report does not recommend a commitment to finish unaddressed charter items. The SSAC conditioned its participation in and support of Phase 2 EPDP based on the promise that several Phase 1 issues would be examined. Unfortunately, they were not examined, and remain unaddressed.

Thirdly, in addition to the issues discussed above, there are some specific recommendations to which the SSAC objects, namely:
  • Recommendation 6: Priority Levels. The classification of cybersecurity threats as “Priority 3” is insufficient to address the reality of serious online threats.
  • Recommendation 10: Determining Variable SLAs for response time for SSAD. The SSAC is concerned about long response times, that the SLAs are not practically enforceable, and that the implementation advice may allow contracted parties to respond to data requests more slowly over time.
  • Recommendation 12: Disclosure Requirement. The SSAC is concerned that contracted parties may, at their discretion, reveal the identities of data requestors, rather than doing so only when data protection law requires. Revealing the identities of data requestors may endanger them and compromise investigations.
  • Recommendation 14: Financial Sustainability. The recommendation contains flawed language that unfairly shifts costs onto victims, is inconsistent with normal business practices, and goes against previous SSAC advice to the ICANN Board. The recommendation was not drafted according to GNSO procedures, is unsupported by evidence, and may not be compliant with the GDPR.