Like what exactly??
They distribute IP addresses and identify individual spammers. As I understand the definition of personal information that if you can track someone down from an IP then it is "personal information. In some cases you can and other cases you cannot. I wondered how this is handled under these European privacy Laws.
They normally list companies ..
They list IP's, companies, and individuals in some cases. They compile data from complaints, honeypots, etc. Then they report their findings via blacklists and reputations and sometimes they discuss activities of individual spammers (companies or individuals).
Why don't you ask them directly?
I did and the head guy answered under his pseudonym and gave some vague discussion about how they are a volunteer organization without resources, etc. etc. and then never answered any followups. I asked them to update their privacy policy but they never did. Back when they were being sued in the US I noticed several people in Europe had filed complaints against Spamhaus with some data protection office in the UK citing these European Privacy Laws. I was wondering what ever became of that and if any ruling was ever made. Thank You