Hi Nick

I'll give you the short answers first, then the detailed reply. So people who don't like to read long emails can skip the detail.

On Sun, 19 Jun 2022, 16:06 Nick Hilliard, <nick@foobar.org> wrote:
> denis walker via db-wg wrote on 16/06/2022 16:05:
> > I have listened to your comments in recent discussions and had some
> > preliminary talks with the RIPE NCC about what could be implemented. So
> > now we have a second version of my proposal on personal data.
>
> There are some fairly serious structural issues with the justification
> in this proposal, for example:
>
> - that there's something new with GDPR that wasn't there before

These issues have always been there. GDPR focused our minds on them in recent years.

> - that the RIPE database is not GDPR compliant

It isn't.

> - repeated claims that "In almost all cases, personal data is not needed".

It isn't.

> - etc

Please expand if you want me to reply.


> GDPR, and previously the 1995 Data Protection Directive, has been
> addressed continuously by the RIPE NCC over the years.

No it hasn't. The first time it was considered was by the task force in 2006. They concluded in 2009. Nothing much was then discussed until GDPR came into effect in 2018.

> There are some
> blog posts on the RIPE NCC web site which provide an overview of the
> current lawful basis for holding and publishing the information:
>
> > https://www.ripe.net/about-us/legal/corporate-governance/gdpr-and-the-ripe-ncc


These blogs were written over 4 years ago and have quite a number of open issues outstanding.

> So in the absence of firm reasoning to the contrary, this policy needs
> to step back quite far from claiming or hinting at GDPR non-compliance.

Read the detail below for the firm reasoning...


> There are numerous other cases where the current justification presents
> opinions without providing an adequate factual basis.

Please highlight these opinions and I'll offer the factual basis.


> Incidentally, I'm not arguing that there shouldn't be changes to the
> scope and style of information contained in the ripe database, but as it
> stands, the scope of this policy proposal isn't justified by the
> rationale provided.

Again, please elaborate and I'll expand on the rationale.


> Nick


Now the detailed answers. Let me firstly disclose my interest here. I was a RIPE NCC staff member of the Data Protection Task Force (DPTF) from start to finish. Unlike with the recent Database TF, I wasn't just an advisor. Jochem and I were full and active members of the TF. At the start of the DPTF work, the RIPE NCC had no legal team. We worked with the NCC's external lawyers, who had limited knowledge of the RIPE Database. I drafted the early versions of the RIPE Database Terms & Conditions, Acceptable Use Policy, NRTM and Bulk Access Agreements and much of the Database content of the DPTF report. Towards the end of this work the NCC had a legal counsel and I worked with Jochem and Athina on final drafts of these documents before community and EB approval.

So I have a good knowledge of what is in these documents, the context in which they were created and the mistakes (that still exist) in them.

You referenced a series of RIPE Labs articles on GDPR. These articles referenced the DPTF Report. These contain some interesting points, and some errors, partly as a result of the errors in the DPTF report. Bear in mind also that these labs articles were all written over 4 years ago and the DPTF report over 10 years ago. Knowledge and understanding of the issues have increased in this time.

1st labs article
----------------

"In 2005, the RIPE Database Working Group identified a need to comply with data protection legislation by updating the processes and services relating to the RIPE Database. At RIPE 52 in April 2006, the community established the RIPE Data Protection Task Force (DPTF). The DPTF was mandated by the RIPE Database Working Group to recommend steps that the RIPE NCC should take to comply with the legislation."

This was the first time the RIPE NCC and community considered privacy and personal data issues. It was a good starting point, but we were a bit naive and the external lawyers had little knowledge of the database. That is why some errors were made and these errors have been duplicated ever since.

"According to the Dutch Personal Data Protection Act (prior to the GDPR), personal data may be collected for specific, explicitly defined and legitimate purposes. Once collected, this data must:

- Be adequate, relevant and not excessive in relation to the purposes for which it is collected and further processed
- Be accurate and, if necessary, kept up-to-date"

The big mistake we made was to consider 'registration information' and 'personal data' as single entities. So when looking at the purposes of the database and asking the question "do the purposes allow for the processing of personal data" as a single entity, the answer was yes. But when you break down that personal data, single entity into components the answer is yes and no. The primary purpose of the database is as a public registry of 'who' holds or uses blocks of address space. The key is in the alternative name, 'whois database'. So yes the purposes do justify publishing names. Even for natural persons, there is justification for publishing the names. As a contact database to resolve network issues the purposes also justify processing phone numbers and/or email addresses. BUT none of these need to be personal. In fact in the second labs article it even stresses the business nature of this information. Now when it comes to (postal) address, this is where it is crucial to break down this personal data into components. By definition the postal address of resource holders is "a full postal address for the business contact related to the organisation holding the resource". By this definition this contact can be anyone located anywhere in the world. It has no 'relevance in relation to the purposes'. It also cannot be verified as accurate or up-to-date. Therefore it cannot be justified to be processed according to the purposes, where it is a personal address, under either the Dutch Personal Data Protection Act or the GDPR.


2nd labs article
----------------

"The contact details of a resource holder and their appointed contact persons consist of names, (business) email addresses, (business) phone and fax numbers, and (business) postal addresses."

Although broken down here into components and the business nature of the data is stressed, the individual components were not compared with the purposes.

"The purpose must be specified, explicit, and legitimate. Personal data may only be collected and processed to fulfil this purpose and must not be further processed in a way that is incompatible with this purpose."

Again when personal postal address is compared to the purpose, it cannot be justified.

"The purpose described in the third bullet point of Article 3 of the Terms & Conditions "Facilitating coordination between network operators (network problem resolution, outage notification etc.)" is the one that justifies the publication of personal data in the RIPE Database.

For this reason, the RIPE Database includes the contact details of resource holders and persons that are responsible for the administration and the technical maintenance of a particular network."

These statements are not correct. This need to coordinate between operators does not require any personal data. Contact details of persons are not needed. Contact details can all be business related information.


3rd labs article
----------------

[I am going to disagree with most of this...I have added my comments inside [...] ]

Legal grounds for lawful personal data processing

In order for the processing of personal data to be lawful, it must be done on a legitimate basis, as defined in Article 6.1 of the GDPR:

Processing shall be lawful only if and to the extent that at least one of the following applies:
[So which of these apply to the personal data in the RIPE Database?]

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
[Consent is difficult to verify in a database with such a widely distributed data entry. Better not to enter data that is not needed for the purposes, even if consent is given.]

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
[This covers some components of personal data, such as name of resource holder or end user.]

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
[Does not apply.]

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
[Does not apply.]

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
[This covers some components of personal data, such as name of resource holder or end user.]

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
[This one is interesting as the exception recognises that, if publishing the home address of resource holders or end users is against the interests of the data subject, that overrides the database purposes.]

Personal data of a resource holder

As our previous article mentioned, the RIPE NCC has a mandate from the RIPE community to register and distribute Internet number resources and maintain an Internet number resource registry. While the RIPE community defined the purposes of the RIPE Database, the RIPE NCC is responsible for operating it.
[The RIPE community is not a legal authority. It cannot mandate the RIPE NCC to force natural persons to publish their full home postal address in the database, especially as this address is not relevant to the defined purposes.]

The RIPE Database contains registration information about Internet number resources and, in particular, information about the natural or legal persons that hold these resources. The contact details consist of (legal) name, (business) email address, (business) phone and fax numbers, and (business) legal and postal address(es).
[This mixes registration information with contact details. They are not the same. Legal address is not held in the RIPE Database. The definition of the postal address makes it not relevant to the defined purposes.]

Contact details of the parties responsible for specific Internet number resources are essential for the smooth and uninterrupted operation of Internet and connectivity. The RIPE Database facilitates communication between the people responsible for networks to address technical issues, allowing for quick coordination between operators that do not have a direct relationship.
[This paragraph mixes 3 terms: parties, people and operators. Bottom line is, personal data is not needed for contacts.]

For the purpose described above, it is clear that the processing of personal data referring to a resource holder is necessary for the performance of the registry function, which is carried out in the legitimate interest of the RIPE community and the smooth operation of the Internet globally (and is therefore in accordance with Article 6.1.f of the GDPR).
[The postal address of resource holders, as defined, is not relevant to the purposes and therefore not in accordance with the GDPR. It also comes under the exception stated in Article 6.1.f above.]

Personal data of a resource holder's contact person

When resource holders are legal persons, they must provide contact details for the individuals responsible for the networks the Internet number resources correspond to, and/or responsible for maintaining information in the RIPE Database. This is also the case for resource holders that are individuals but do not want to have this role themselves.
[Not correct. These contacts do not need to be identifiable persons for the purposes of the database.]

The contact details usually refer to the technical and administrative employees of a resource holder and consist of names along with a (business) email address, phone, fax number and postal address.
[Only business details are needed and no address is needed for a contact.]

The purpose for which personal data is requested and made publicly available in the RIPE Database is always the same: ‘Facilitating coordination between network operators (network problem resolution, outage notification etc.)’.
[Absolutely not correct. This purpose does not require any personal data.]

In order for consent to serve as the legal ground of a processing activity, the resource holder must be able to demonstrate that the individual has consented to the processing of their personal data...
[Consent is a murky area in a database with such a widely distributed data entry responsibility. It is possible to have multiple levels of sub-allocations. Each level introduces another layer of data entry, further removed from the RIPE NCC and resource holders. The data quality and responsibilities may be diminished with each level. Where personal data is not necessary for the purposes, it is better to avoid it rather than allow sporadic consensual data.]


DPTF Report
-----------

The Dutch Data Protection Act includes the definition:
"Personal data is any information relating to an identified or identifiable natural person."
So the term 'Personal Data' is an umbrella term for all pieces of personal information. It makes sense to use this umbrella term in some situations. But when considering if the database purposes cover the processing of 'personal data', this must be broken down into its component pieces of information and each piece needs to be assessed against the purposes.

"The data subject has the right to request that the responsible party correct or delete their personal data."
In order for the data subject to be able to exercise this right, they must be given details of what personal data is processed and where to find it. It is not sufficient to sign a contract that mentions that personal details will be published in 'the RIPE Database' or 'some database'.

cheers
denis
Proposal author