Dear RIPE DB-WG,
Hope this email finds you in good health!

Please find my comments below, inline...
Thanks.

On Monday 27 June 2022, denis walker via db-wg <db-wg@ripe.net> wrote:
> Colleagues
>
> There were 2 very long emails this weekend, both

Hi Denis,
Thanks for your email, brother.

 

> pretty much along the same lines. These points have been made several times. I believe I

Sure, you tried...and thanks brother, it helped me to better understand two or three things along...

 

> have adequately addressed these points in my earlier reply here:
> https://www.ripe.net/ripe/mail/archives/db-wg/2022-June/007482.html

...i went through it again, and it appears to not satisfy me, though :-/

What i understand is that your understanding of the actual state of the RIPE DB compliance with GDPR diverges from the public statement of RIPE NCC's Legal Team, on the same topic... :-/

Given that you have a very insightful point of view on the topic, i ask myself, what could justify that *unexpected* divergence?

 


> Now let's try to wrap this issue up with a reality check. In the text of the proposed policy, GDPR is not mentioned anywhere.

Right! but, who said it's part of the draft proposal to be implemented; if it reaches consensus?

 


> The opening two lines of the proposed policy Abstract basically sum up what this proposed policy is about:
> "This policy arises from the need for the RIPE Database to avoid the
> publishing of unnecessary personal data. Personal data must not be
> entered into the RIPE Database unless this can be justified according
> to the acknowledged purposes of the RIPE Database."

...who first invoked [1] the GDPR regulatory framework?

<quote>
"Summary of Proposal: 

Since the beginning of the RIPE Database, personal data has been entered extensively in PERSON objects as well as in other objects’ attributes in the database, such as email addresses for notifications and postal addresses for resource holders. In those early days little consideration was given to privacy and personal data processing. In almost all cases, personal data is not needed. Now the EU General Data Protection Regulation (GDPR) adds legal constraints on personal data and the justification for its use. The RIPE NCC is the data controller and facilitator of the RIPE Database. The servers providing access to the RIPE Database are operated by the RIPE NCC. The RIPE NCC is a Dutch registered organisation based within the EU. Therefore, the GDPR applies to all the personal data contained within the RIPE Database, regardless of where the data subject is located. In almost all situations, there is no justification for publishing any personal data in the RIPE Database. This policy proposal outlines data that should be used in areas where personal data has been used in the past. All contacts must be documented as roles. There is no need for documenting personal information about any contacts in the database."
</quote>
__
[1]: https://www.ripe.net/participate/policies/proposals/2022-01#:~:text=Summary%20of%20Proposal,in%20the%20database

 


> Regardless of what part of the RIPE region any data maintainer or data subject is based in, regardless of legal jurisdiction, regardless of
> what personal data protection laws apply, regardless of who is considered to be the data controller of the data contained within the
> RIPE Database, this policy proposal is suggesting that these are the basic principles that the RIPE Database should operate under across the region.




Fine! then, let's just bound on that. Or no? :-/

...having read and commented on [2] the publication series [3] from the RIPE NCC's Legal Team, i can tell you that: *insertion* of PII into RIPE DB seems to be actually in line with both the *GDPR* and right of data subjects. Then if/when you find *a lot* of PII the only ones to blame are the resource holders. Because they have signed more than one legal document where they agreed to not *pour* PII of their client within the RIPE DB.
__
[2]: <https://www.ripe.net/ripe/mail/archives/db-wg/2022-June/007501.html>
[3]: <https://www.ripe.net/about-us/legal/corporate-governance/gdpr-and-the-ripe-ncc>

The RIPE NCC's Legal Team concluded that:

1| the RIPE DB has no *insertion* problem;
2| the remaining problem with the RIPE DB is in its *query* to retrieve data it contains;
3| the RIPE Community should act accordingly;
4| ...

...i expect that those RIPE NCC Legal Team's publication series[3] would be targeted as obsolete, when the above will become false or inconsistent with their assessment of the situation.

...i call anyone from RIPE NCC to, please, bring the clarification needed to understand the current state of the RIPE DB; regarding its compliance with GDPR.






> I don't think anyone can argue against the RIPE Database not containing unnecessary personal data or personal data that cannot be justified by the agreed purposes of the database.




You are right, imho!

...i, for myself, am opposed to any attempt to change the *purpose* of the RIPE Database. 

BtW! could you find anyone who can argue against the good standing, interest and usefulness of the RIPE DB's *purpose*?

 


> The GDPR is a good guideline and benchmark to assess the database against as it does apply, without question, to a large part of the RIPE region and a large amount of the personal data contained within the database.
>
> But it is not the only consideration.




Any other?
Thanks for adding it here [1], brother.

 

> To focus so heavily on the GDPR alone is a distraction.




<https://dict.org/bin/Dict?Form=Dict1&Query=distraction&Strategy=*&Database=*> [1]?




> The bottom line is that this policy proposal is about establishing reasonable, common sense principles for processing personal data across the RIPE region, supported by the agreed purposes of the RIPE Database.




If that's the goal, then could we, please, start by considering the following:

s0| identify, in all the twenty one (21) RIPE DB's type of objects, attributes which could contain unwilling PII;
s1| filter output in 's0' to catch the more dangerous attributes to be balanced against (i) the purpose of the RIPE DB, and (ii) privacy considerations;
s2| consult the members & community through a survey about the appropriate path to follow;
s3| split the proposal {as suggested by Ronald}:
s4| one separate DPP (Draft Policy Proposal) to address the problem, if any, with the general principles for processing data within the RIPE DB;
s5| one separate DPP to address the problem, if any, with *insertion* of PII within the RIPE DB;
s6| one separate DPP to address the problem, with the *query* of the RIPE Database;
s7| one separate DPP to address the problem, if needed, with current PII present into the RIPE DB;
s8| ... 


Hope this clarifies my personal PoV :-)

Thanks.

Shalom,
--sb.



> cheers
> denis
> Proposal author

[...]


--

Best Regards !
__
baya.sylvain[AT cmNOG DOT cm]|<https://cmnog.cm/dokuwiki/Structure>
Subscribe to Mailing List: <https://lists.cmnog.cm/mailman/listinfo/cmnog/>
__
#THEHOLYBIBLE|#Romans15:33 "May THE #GOD of #Peace be with you all! #Amen!"
#MyPrayer is that you be born again. #Christianly
"As a deer pants for streams of water, so my soul pants for YOU, O GOD!" (#Psalms42:2)