Kurt Erik Lindqvist wrote: [...]
We have talked with the Dutch Data Protection Authority about the Database as well, to make sure that we don't run afoul of the EU privacy directives.
I think that issue is somewhat more problematic than that. I guess that what Katri is actually asking for is the Swedish data protection law. I am no expert on this law but from what I know / remember, the law requires the direct consent of the registered party as well as certain guarantees that the data is not passed on (within some limits). This means that the Swedish ISPs in order to register these customers actually needs written consent from the customer, as well as to solve the issue on passing that data on further by registering the data in the RIPE DB.
Perhaps someone that knows the issue better could comment?
The lawyers told us that these registrations need to comply with the Dutch Data Protection Act which is derived from the EU Data Protection Directive. According to this Directive and the Dutch Data Protection Act storage and publication of personal data in a database is possible only (Article 7 EU Directive): a) with the data subject’s unambiguous consent, or b) if necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract, or c) if necessary for compliance with a legal obligation to which the controller is subject (controller is the party responsible for determining the purpose and means of the processing of personal data), or d) if processing is necessary in order to protect vital interests of the data subject, or e) if necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in a controller or in a third party to whom the data are disclosed, or f) if necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and interests and freedoms of the data subject which require protection under the EU Directive. They though that e) and f) may apply. Also, after discussing the case with the Dutch Data Protection Authority (and their main concern was .de unreferenced data at that moment), the conclusion was that though there are some issues, the problem should be significantly reduced after removal of .de contact data and other stale information that has no direct relationship to the NCC's business.
Best regards,
- kurtis - Best regards,
Andrei Robachevsky RIPE NCC