NOTE: Some or all of the following may perhaps have been rendered moot by the just-posted response of Sylvain Baya <abscoco@gmail.com> in this thread, but I'd like to get this all on the record anyway, especially since I spent over an hour composing it. :-)

In message <d565baed-9c34-0ba5-9f8a-55b8c078d718@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
> the RIPE NCC is a GDPR joint controller of the PII published in the ripedb. This is acknowledged by the RIPE NCC:
>
> > With regards to the RIPE Database, the RIPE NCC fills the role of "Data Controller" - that is, the entity legally responsible for all personal data stored in the RIPE Database.
>
> From: https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr/
This assertion, that RIPE is a "controller" under the GDPR, is simply wrong, at least with regards to these alleged millions of personal end-customer records that are alleged to have been stuffed into the RIPE WHOIS data base by these various alleged telecom companies, and/or by any other third-party that sits between the natural person(s) whose PII is at issue and RIPE.

Note that Ms. Fragkouli's assertion, as quoted above, is stated without any caveats or qualifications of any kind, and also without any reference to the actual text of GDPR, and lastly also without citation to any other statutory authority or to any existing case law.

This is a perfect example of what I have been ranting about. Without any firm basis in either law or precedent it appears that Ms. Fragkouli, and others, have persuaded themselves that secrecy is a Good Thing and that thus, any excuse that may come to hand that may seem to permit even more excessive, arbitrary, and capricious secrecy must be, by definition, a Good Thing. I take issue with this viewpoint, which is arguably extreme, and I challenge both Ms. Fragkouli and any and all other parties to provide here the factual and legal basis they are claiming as support for this clear misinterpretation of the fundamental terms of reference of the actual GDPR legislation, as differentiated from the personal views of Ms. Fragkouli or any other member of the community.

(A modest suggestion: It would perhaps be Helpful if some of the membership debating this issue would actually read the GDPR legislation, rather than simply speculating about what it actually says.)
Again, to be clear, it is possible that RIPE may qualify, under the terms of reference of GDPR, as the data "controller" in those instances where there is no third party sitting between the natural person whose PII is at issue and RIPE, however even in those cases it is my assertion that the actual legal applicability of GDPR may be tempered by the explicit terms of the contractual relationship between the parties. In any and every case where there _is_ some third-party sitting between RIPE and the natural persons whose PII is at issue, I do not believe that there can be any question whatsoever that RIPE is not the data "controller", for purposes of GDPR, and that thus, RIPE bears no legal responsibility of any kind in these instances.
> If you explicitly give consent for them to publish your personal information, that's fine.
Now you are just playing with words. I _did not_ "explicitly" give consent to RIPE to publish any of my personal information. I simply included my personal information into an email message which was sent to this mailing list. Nonetheless, subsequent to that RIPE _did_ in fact publish my private information. So now, do I have a legal cause of action against RIPE? Can I now sue RIPE for millions of dollars? Because that is one obvious possible implication of your use of the ever-so-malleable word "explicitly".
> As this information is published in NL, your PII is subject to Dutch and EU law, and is therefore subject to the GDPR.
No, it isn't, and you are making the mistake of assuming, without any supporting evidence or any legal basis I might add, that GDPR applies to either natural persons or to data controllers that exist entirely outside of GDPR's legal jurisdiction (i.e. EU+EEA). This is simply false, and GDPR does not have such broad extra-territorial jurisdiction over either natural persons or data controllers that exist entirely outside the GDPR jurisdictional region.

(This is also one of my several pet peeves that I have been ranting about. I understand that there is a lot of wishful thinking associated with various bits of public speculation about the actual jurisdictional limits of GDPR, but the legislation just doesn't say either what many think it says or what many would like it to say.)

In the example of my prior posting here I included some of my own PII. I am (and was) the "data controller" for purposes of GDPR with respect to that specific instance of "leakage" of my PII... not RIPE. To assert otherwise is to demonstrate a clear misunderstanding of the fundamental terms of reference of GDPR. And that misunderstanding becomes obvious when the legal implications of this misinterpretation of the term "controller" are adequately contemplated and found to lead to patently absurd practical outcomes. I cannot in fact sue RIPE over the fact that it has published my PII for all the world to see because as I have said, RIPE is not the controller in this example. Indeed, under the very explicit and specific terms of GDPR, I cannot even sue myself for having leaked my personal PII for the following TWO reasons:

1) I am a natural person residing outside of GDPR's jurisdiction, and thus, my own PII is not something that GDPR even has anything at all to say about.

2) I am (and was), for purposes of GDPR, the data "controller" when I posted my PII to this list.
As a data controller which itself resides entirely outside of the GDPR jurisdictional area, GDPR does not provide me, as a natural person, with any grounds to sue myself, as a data controller, because the "data controller" is outside of GDPR's physical/territorial jurisdiction. If one of you Europeans gives your PII to some company that has a physical presence only in, say, Russia, or Ukraine, or Turkey, or Azerbaijan, or the United States for that matter, and if that company then splatters out PII all over the Internet, GDPR does not provide you with any basis for legal action.

In summary, there has been and continues to be a great deal of mistaken misinformation and misinterpretation of the actual text of the GDPR legislation, much of which would lead to obviously absurd outcomes if taken seriously. These misinterpretations relate not only to the basic terms of reference, e.g. "controller", but also to the actual jurisdictional limitations and constraints of GDPR with respect to persons, places, entities and data. GDPR is not actually quite so boundless with respect to any of these things as some would wish, and mere misinterpretations of GDPR should not and cannot be used as a justification for ill-founded RIPE policies.

Regards,
rfg

P.S. In order to forestall the inevitable assertions that I have herein been a sexist pig, or that I have in any way unfairly picked on Ms. Fragkouli or her expertise, I will say now quite plainly that all she has done is to write and publish a single somewhat overbroad sentence (quoted again above) regarding the applicability of GDPR to RIPE, and that one sentence is correct in some contexts, even as it is incorrect or inapplicable in others. For the sake of brevity, I assume, Ms. Fragkouli failed to attach to that one sentence relevant and important caveats which would qualify the sentence. More recently, and since the time Ms. Fragkouli wrote and published that one sentence, it has been others who have postulated what I believe to be incorrectly expansive interpretations of Ms. Fragkouli's single sentence on this topic. She is surely not to blame in any way for these subsequent and arguably aggressive misinterpretations.