In message <YrEaVc7diIKX61MB@jima.tpb.net>, Niels Bakker <niels=dbwg@bakker.net> wrote:
> * Ronald F. Guilmette [Mon 20 Jun 2022, 07:03 CEST]: [..]
>> Consider an analogy: I run a dry cleaning shop in Hamburg. You are my friend. One day I let you into my back office and let you copy down the names and addresses of many, most, or all of my customers. You then go back home to the U.S.A. or to Zimbabwe, or at any rate to some jurisdiction where GDPR does not apply. You then put all those names and addresses on your public web site? Who is liable for this "leak" of PII, under GDPR? Me or you?
>
> You are. If this is an open question for you then in practice you don't know nearly enough about how GDPR works to have an opinion worth listening to in this matter.
THANK YOU! You have confirmed the exact point about GDPR that I was attempting to make.

According to denis, there exist "some" (presumably that means more than one) telecom companies in the RIPE region who are in the inexplicable and unjustifiable habit of directly copying substantial amounts of the Personally Identifiable Information (PII) relating to their own customers directly into the RIPE WHOIS data base. (Note however that we are still waiting for denis to identify these alleged telecom companies. Until he does so, I personally will continue to question even the mere existence of any such reckless and profligate telecoms.)

In any case, as denis would have us all believe, once these companies copy their customer PII into the RIPE WHOIS data base, then RIPE does exactly what it normally does, as a matter of routine, all day every day. It publishes its WHOIS data base in such a way that the entire world can view it, and thus the whole world becomes privy to the PII of the customers of these (alleged) telecom companies.

denis contends that this makes RIPE responsible in some way, presumably legally, for the publication of the relevant PII and that thus it is RIPE that is violating GDPR... and on a grand scale.

I disagree entirely, and apparently you do also. In such a scenario... even assuming that it actually exists at all, which itself requires a great leap of faith... it makes no sense at all to claim that RIPE would be in any way, legally, ethically, or morally, responsible for the GDPR violations represented by the publication of the telecom customers' PII in the RIPE data base. Rather, it would be the telecom companies that, in the first instance, "leaked" the PII (in an unnecessary and unjustifiable way) that would be the -only- parties that could, would, or should ever be held responsible for the unnecessary leakage/publication of their own customer PII.

I thank you for confirming that anyone holding a different view on this rather simple and obvious point self-evidently lacks a clear-eyed understanding of how GDPR actually works.

Regards,
rfg

P.S. See also:

*) "The Single-Publication Rule", and
*) 47 USC 230(c)(1)

Although both of the above are quite clearly applicable only in relation to U.S. litigation, I feel quite certain that GDPR also and similarly avoids unfairly assigning legal responsibility for any and all improper leakage of private and personal information to anyone other than the party or parties responsible for the leak in the first instance. Any other rule would make no sense and would result in endless floods of litigation against innocent third parties.

Furthermore, my reading of GDPR suggests to me that (using GDPR terminology) in the scenario postulated by denis, the telecom companies would properly be construed to be the data "controller" and perhaps even the "processor", whereas RIPE could not reasonably be classified as being -either- a "controller" -or- even a "processor" of the telecoms' customers' PII, since it (RIPE) has not been explicitly or specifically contracted or directed by the telecoms for, or in relation to the processing of the customer PII at issue.