Please find my comments below, inline...
Thanks.
On Monday, 27 June 2022, denis walker via db-wg <db-wg@ripe.net> wrote:
Colleagues
There were 2 very long emails this weekend, both
Hi Denis,
Thanks for your email, brother.
pretty much along the same lines. These points have been made several times. I believe I
Sure, you tried...and thanks brother, it helped me to
better understand two or three things along...
have adequately addressed these points in my earlier reply here:
https://www.ripe.net/ripe/mail/archives/db-wg/2022-June/007482.html
...i went through it again, and it appears to not
satisfy me, though :-/
What i understand is that your understanding of the
actual state of the RIPE DB compliance with GDPR
diverges from the public statement of RIPE NCC's Legal
Team, on the same topic... :-/
Given that you have a very insightful point of view
on the topic, i ask myself, what could justify that
*unexpected* divergence?
Now let's try to wrap this issue up with a reality check. In the text of the proposed policy, GDPR is not mentioned anywhere.
Right! but, who said it's part of the draft proposal to
be implemented; if it reaches consensus?
The opening two lines of the proposed policy Abstract basically sum up what this proposed policy is about:
"This policy arises from the need for the RIPE Database to avoid the
publishing of unnecessary personal data. Personal data must not be
entered into the RIPE Database unless this can be justified according
to the acknowledged purposes of the RIPE Database."
...who first invoked [1] the GDPR regulatory
framework?
<quote>
"Summary of Proposal:
Since the beginning of the RIPE Database, personal
data has been entered extensively in PERSON
objects as well as in other objects’ attributes in the
database, such as email addresses for
notifications and postal addresses for resource
holders. In those early days little consideration was
given to privacy and personal data processing. In
almost all cases, personal data is not needed. Now
the EU General Data Protection Regulation (GDPR)
adds legal constraints on personal data and the
justification for its use. The RIPE NCC is the data
controller and facilitator of the RIPE Database. The
servers providing access to the RIPE Database are
operated by the RIPE NCC. The RIPE NCC is a
Dutch registered organisation based within the EU.
Therefore, the GDPR applies to all the personal
data contained within the RIPE Database,
regardless of where the data subject is located. In
almost all situations, there is no justification for
publishing any personal data in the RIPE Database.
This policy proposal outlines data that should be
used in areas where personal data has been used
in the past. All contacts must be documented as
roles. There is no need for documenting personal
information about any contacts in the database."
</quote>
__
Regardless of what part of the RIPE region any data maintainer or data subject is based in, regardless of legal jurisdiction, regardless of
what personal data protection laws apply, regardless of who is considered to be the data controller of the data contained within the
RIPE Database, this policy proposal is suggesting that these are the basic principles that the RIPE Database should operate under across the region.
Fine! then, let's just bound on that. Or no? :-/
...having read and commented [2] the publication
series [3] from the RIPE NCC's Legal Team, i can tell
you that: *insertion* of PII into RIPE DB seems to
be actually in line with both the *GDPR* and right
of data subjects. Then if/when you find *a lot* of
PII the only ones to blame are the resource holders.
Because they have signed more than one legal document where they agreed to not *pour* PII
of their client within the RIPE DB.
__
The RIPE NCC's Legal Team concluded that:
1| the RIPE DB has no *insertion* problem;
2| the remaining problem with the RIPE DB is in its
*query* to retrieve data it contains;
3| the RIPE Community should act accordingly;
4| ...
...i expect that those RIPE NCC Legal Team's
publication series[3] would be targeted as obsolete,
when the above will become false or inconsistent
with their assessment of the situation.
...i call anyone from RIPE NCC to, please, bring the
clarification needed to understand the current state
of the RIPE DB; regarding its compliance with GDPR.
I don't think anyone can argue against the RIPE Database not containing unnecessary personal data or personal data that cannot be justified by the agreed purposes of the database.
You are right, imho!
...i, for myself, am opposed to any attempt to change the *purpose* of the RIPE Database.
BtW! could you find anyone who can argue against
the good standing, interest and usefulness of the
RIPE DB's *purpose*?
The GDPR is a good guideline and benchmark to assess the database against as it does apply, without question, to a large part of the RIPE region and a large amount of the personal data contained within the database.
But it is not the only consideration.
Any other?
Thanks for adding it here [1], brother.
To focus so heavily on the GDPR alone is a distraction.
The bottom line is that this policy proposal is about establishing reasonable, common sense principles for processing personal data across the RIPE region, supported by the agreed purposes of the RIPE Database.
If that's the goal, then could we, please, start by
considering the following:
s0| identify, in all the twenty one (21) RIPE DB's type
of objects, attributes which could contain unwilling
PII;
s1| filter output in 's0' to catch the more dangerous
attributes to be balanced against (i) the purpose of
the RIPE DB, and (ii) privacy considerations;
s2| consult the members & community through a survey about the appropriate path to follow;
s3| split the proposal {as suggested by Ronald}:
s4| one separate DPP (Draft Policy Proposal) to
address the problem, if any, with the general
principles for processing data within the RIPE DB;
s5| one separate DPP to address the problem, if
any, with *insertion* of PII within the RIPE DB;
s6| one separate DPP to address the problem, with
the *query* of the RIPE Database;
s7| one separate DPP to address the problem, if
needed, with current PII present into the RIPE DB;
s8| ...
Hope this clarifies my personal PoV :-)
Thanks.
Shalom,
--sb.
cheers
denis
Proposal author
[...]