Radu Anghel wrote on 12/07/2024 06:38:
The difficulty here is that there is a mixture of PII and non-PII in the database. There's no difficulty with non-PII. The problem is that it's all mixed up together.
One incomplete solution for this would be to no longer allow natural persons to register resources, but I do not think this is a good idea, or something that anyone wants. I say incomplete because for example sole traders "John Doe trading as ACME" are both legal entities and natural persons at the same time.
This option should definitely be part of a discussion.
Consent in GDPR gives the right for a data processor to hold information about a data subject if the subject agrees. But it does _not_ give the data processor the right to withdraw service if that consent is withdrawn.
You are probably thinking of the Cookie Monster situation where you can refuse cookies you don't like and still access a website. But there are the "required" cookies that you cannot refuse.
I was referring to other things, e.g. EDPB Opinion 08/2024: "Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms", or the local country DPA guidelines in terms of addressing consent. For example, the IE DPA's position is:
Similarly, consent will be presumed not to have been freely given if the data subject was not given the opportunity to consent separately to distinct processing operations for different purposes. As noted above, controllers should also be wary when using consent in conjunction with a contract, because if the performance of that contract is made dependent on the individual providing consent to certain processing despite it not being necessary for such performance the consent will be invalid.
I.e. holding the data is one thing, and it stands to reason that you can't register a resource without proving registration details, so in this case, performance of a contract is a legitimate basis for holding PII. Publishing it is a separate argument though, and the SSA cannot override legislation in this regard. Consent is a difficult area.
If you withdraw consent to have your name, postal address and phone with Amazon it would be tricky for them to deliver your orders, so they might "withdraw service".
Delivering packages needs PII on the basis of performance of a contract. This is a straightforward situation: no details means that the package can't be delivered.
See above, RIPE NCC is doing a great job at it.
For sure they have, and have done so for years. The proof of the pudding is that the ICANN / domain name whois was shut down on foot of a court order due to inattention to privacy legislation, but the RIPE whois service stayed up. This happened because the RIPE NCC was careful over a long period of time to be compliant with privacy legislation, initially the Data Protection Directive which was published in 1995, and then its successor, the GDPR.
That said, the DBWG has a part to play in this. The DBTF identified that there were data quality and storage concerns in the ripe db which needed to be looked at. NWI-17 was one of the work items which resulted. If NWI-17, or NWI-2 / NWI-15 / NWI-18 are summarily closed on the basis that "they've been there for too long so let's just close them", then the DBWG will incur risk for the RIPE DB by not formally looking at the issues. It could potentially happen that the outcome after a reasonable assessment is: nothing needs to be changed - the DBTF didn't prescribe or pre-suppose any outcome of this assessment. They just said that the issues needed to be looked at.
Nick