Dear colleagues, Following recent discussions on this mailing list regarding personal data, the RIPE NCC would like to clarify a few points. The main issue is the limited access to what is considered personal data. One of the consequences of this limit is our access control system. That system automatically bans IP addresses that hit the daily limit of queries with personal data several times. There are some important points to bear in mind here: - The EU Directive sets minimum requirements for protecting personal data - The RIPE NCC is the secretariat for the RIPE community and as such implements the policies and wishes of the RIPE community - The RIPE NCC does not make any policies - The RIPE NCC itself is neutral regarding the choice of allowing either full or restricted public access to that information in bulk - As part of the RIPE Policy Development Process, the RIPE NCC may recommend a legal review of a policy proposal A few years ago, the RIPE Data Protection Task Force was formed to consider the whole issue of data protection for the data contained within the RIPE Database. After discussing different scenarios and analysing their impacts, the Task Force reported back to the RIPE Database Working Group. It was recognised by the Task Force that all the personal data contained within the RIPE Database must remain publicly available. Each individual personal data set can be queried by using the interfaces made available to the RIPE Database. The RIPE Database Working Group placed a number of action points on the RIPE NCC to implement some features, including restricting access to *bulk* personal data. The current policies impose restrictions on accessing *bulk* personal data to prevent possible abuse of the personal data contained within the database. Imposing any restrictions will have consequences. One of the consequences is restricted access to abuse contacts as currently stored in the RIPE Database. RIPE Policy Proposal 2011-06 is being discussed by the Anti-Abuse Working Group to address this specific issue. This policy will require an abuse contact related to Internet resources. This contact can be clearly marked and documented as a public field that, from the beginning, will not be regarded as personal data and will not be subject to any access restrictions, even bulk access. I would like to emphasise that the RIPE NCC executes the wishes of the RIPE community. When the community reaches consensus for a certain functionality or process, the RIPE NCC will implement and/or execute the functionality or process. In case of legal limitations, the RIPE NCC will strive for a solution that is as close as possible to the original community wishes. The RIPE NCC always reports back on this implementation and its details. There has been a suggestion that what is considered personal data should be publicly available in bulk, without any restrictions. If the community has any concerns about this restriction, perhaps this can be discussed as a specific issue on the Anti-Abuse or RIPE Database Working Group mailing list to determine if there is any consensus within the community to amend this restriction. As always, the RIPE NCC will follow all discussions and will do its best to implement the wishes of the community. The RIPE NCC always welcomes direct feedback from its members and the community. However for issues such as this, addressing concerns directly to the RIPE NCC has little effect because the RIPE NCC does not have the authority to make such a decision on behalf of the community. I hope this has helped explain some background to the concerns and ways to move forward if the issues are not resolved. Please let me know if there are any further questions, or put them to the community using the mailing lists. Kind Regards, Kaveh. --- Kaveh Ranjbar RIPE NCC Database Group Manager