Hi Denis, Thank you for your comments. Regarding the processing of the various personal data that might be inserted in the RIPE Database, please refer to this Labs article where we have outlined which legal ground applies when processing personal data of resource holders and of their contact persons: https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr-legal-gro... 2023-04 policy proposal describes that ‘...It would be more efficient to remove the ‘solely for the connection’ limitation stated in the current policy, and to allow the creation of a single INETNUM object with status AGGREGATED-BY-LIR, then use this status for dynamic pools, grouping the IPv4 assignments used for the same purpose when they share the same contact information.’ In the Impact Analysis we are emphasising that, in the event this policy proposal were to be accepted, it would be up to the member to choose which contact details to insert in their aggregated assignments in the RIPE Database, and that before doing so, they would need to inform the contact persons and get their consent. In accordance with the RIPE Database Terms and Conditions <https://www.ripe.net/manage-ips-and-asns/db/support/documentation/terms/>, a ‘Maintainer’ is defined as ‘any Registrant or person to whom the authority to Update has been delegated by a Registrant either directly or indirectly, and who holds an identifier that allows updates to be authenticated and authorised.’ Article 6.3 describes that the one who holds an identifier and can therefore update (i.e. enter or remove) information from the RIPE Database ‘must ensure they have as a responsibility to inform the individual to whom the data pertains and to obtain their explicit consent for the entry in the public RIPE Database if required by law.’ Also, according to Article 6.2 they are responsible for ‘keeping all data maintained by them accurate and up-to-date, including correct Contact Details.’ The text in the Impact Analysis is an explanation of how the above rules are meant to be interpreted. This text does not supersede the RIPE Database Terms and Conditions. In our view an update to the RIPE Database Terms and Conditions in this regard is not needed. Kind regards, Maria Stafyla Senior Legal Counsel RIPE NCC On Mon, 6 May 2024 at 22:48, denis walker <ripedenis@gmail.com> wrote:
Hi Athina, Maria
It would be nice if one of you can give an update to the community on this issue of the Terms & Conditions being out of step your with current legal opinion.
cheers denis co-chair DB-WG
On Wed, 17 Apr 2024 at 07:36, denis walker <ripedenis@gmail.com> wrote:
Colleagues
In the Impact Analysis (IA) for 2023-04, the RIPE NCC legal team expressed rules for entering personal data into the RIPE Database that are quite different to our previous understanding. This legal IA was relied on heavily by the proposers of 2023-04 and constantly referred to by them during the policy discussions. Based on the discussions and the IA, the chairs of the AP-WG have now approved the proposal 2023-04. We MUST now update the RIPE Database Terms and Conditions to reflect this new understanding on personal data.
In the IA the legal team said this: "Inserting any personal data in the RIPE Database must be in compliance with the RIPE Database Terms and Conditions, even when it relates to the contact details of the member’s own contact person(s). In particular, before anyone updates the RIPE Database with personal data, they must obtain the contact person’s informed and expressed consent and ensure this data is kept accurate and up-to-date."
Article 6.3 of the RIPE Database Terms and Conditions currently says: "The Maintainer who enters personal data into the RIPE Database has a responsibility to inform the individual to whom the data pertains and to obtain their explicit consent for the entry in the public RIPE Database if required by law."
This article does not accurately reflect the statement in the IA by the legal team. The text "if required by law." must be removed. This suggests that some personal data may not need the 'contact person’s informed and expressed consent'. The IA makes it clear that all personal data entered into the RIPE Database must have the 'contact person’s informed and expressed consent'. There are no exceptions or caveats to this consent. Also the responsibility must not be restricted to the 'Maintainer'. ANYONE has the capability to enter personal data into the RIPE Database. This personal data can then be referenced by a Maintainer of resource data.
I would suggest Article 6.3 says something like this:
"Anyone who updates the RIPE Database with personal data must obtain the contact person’s informed and expressed consent to enter their personal details into a global, freely accessible, public database. This consent cannot be subject to any conditions. If the consent is withdrawn, the personal data must be removed from the RIPE Database in a reasonable time frame. The personal data must be kept accurate and up-to-date. The right to use some Internet resources requires a consenting contact. If no such contact person is available, the right to use some Internet resources may be revoked."
This is a clear and honest statement that fully reflects the IA understanding of the use of personal data in the RIPE Database. I would like to ask the RIPE NCC legal team to make arrangements for this update to the Terms and Conditions.
cheers denis co-chair DB-WG
======================================================== DISCLAIMER Everything I said above is my personal, professional opinion. It is what I believe to be honest and true to the best of my knowledge. No one in this industry pays me anything. I have nothing to gain or lose by any decision. I push for what I believe is for the good of the Internet, in some small way. Nothing I say is ever intended to be offensive or a personal attack. Even if I strongly disagree with you or question your motives. Politicians question each other's motives all the time. RIPE discussion is often as much about politics and self interest as it is technical. I have a style of writing that some may not be familiar with, others sometimes use it against me. I also have OCD. It makes me see the world slightly differently to others. It drives my mind's obsessive need for detail. I can not change the way I express my detailed opinions. People may choose how to interpret them. ========================================================