All, The Dutch DPA does not, by way of policy, respond to requests to look into policies upfront. No exceptions allowed. This is how the policy was explained to me last year by the DPA. So even if RIPE NCC wants to have a ruling this way, she will not get one. So it's of no use to keep discussing this part here. The DPA may look into complaints though. In this it should not matter where a complaint comes from. Whether or not she does, is at her discretion. So if you've filed a complaint, you need to go through that channel and follow it up with a call, e.g. There's nothing that this WG could do to alter this. Regards, Wout de Natris - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - De Natris Consult Raaphorst 33 Tel: +31 648388813 2352 KJ Leiderdorp Skype: wout.de.natris denatrisconsult@hotmail.nl http://www.denatrisconsult.nl Blog http://woutdenatris.wordpress.com
Message: 1 Date: Tue, 17 Jan 2012 08:20:06 -0500 From: "russ@consumer.net" <russ@consumer.net> Subject: Re: [anti-abuse-wg] What is Personal information? To: "anti-abuse-wg@ripe.net" <anti-abuse-wg@ripe.net> Message-ID: <4F157586.5030108@consumer.net> Content-Type: text/plain; charset=UTF-8; format=flowed
In other words, Russ could probably approach the Dutch privacy regulator with a query, cc RIPE NCC legal, and then accept whatever ruling applies? I seriously doubt if anybody on this list >other than the three parties above is qualified to comment definitely on this issue. So - Russ, please take it offlist, and do come back to let us know what ruling you get. I personally would be >interested in what you learn.
Under Dutch (and European) privacy directives, any information that can uniquely distinguish a natural person (ie. NOT 'a business'...) is to be considered 'personal information'. So, an IP >address CAN be personal information, if the data collector can link it to a person without too much hassle. Think webshops who log your IP at logon, they can connect that to your account >data, so in *that* case an IP address is logged by the shop is indeed considered 'personal information' and must be protected by the shop accordingly. In your case with RIPE, your IP address is >probably not considered 'personal information'. IANAL. Check out http://en.wikipedia.org/wiki/Data_Protection_Directive.
The same reasoning that says RIPE database information is "personal information" can be applied to IP addresses (in some cases). If the IP is registered you would get those contacts by running a whois (or doing a reverse lookup would identify a domain which can bee looked up). It seems to me if the RIPE database entries are "personal information" then so it the IP address associated with that record. Even if is is personal information the issue is then whether they gave permission to have it posted in a public database.
If the RIPE NCC legal department had an answer it would have been put on the public reports and/or they would answer the inquiries put forth my me and others. I have sent an inquiry to the Dutch privacy office but, while these offices sound good in theory, they are usually a bureaucratic nightmare. Since I dot live within the region I think it is unlikely I would get an answer. If the process is legitimate I would have thought RIPE would have gone to the office for a ruling before they changed the access policy. the fact is RIPE won't supply their legal department's analysis and they won't respond to my request to have the Dutch privacy office review the matter. There would be a much better chance of getting a ruling if RIPE would ask them ... but they don't seem to want to do that so I can only speculate why they would not want to do the obvious thing.
Thank You