On Mon, 27 Jun 2022 at 18:23, Sylvain Baya via db-wg <db-wg@ripe.net> wrote:
have adequately addressed these points in my earlier reply here: https://www.ripe.net/ripe/mail/archives/db-wg/2022-June/007482.html
...i went through it again, and it appears to not satisfy me, though :-
Now let's try to wrap this issue up with a reality check. In the text of the proposed policy, GDPR is not mentioned anywhere.
Right! but, who said it's part of the draft proposal to be implemented; if it reaches consensus?
Two of you seem to be focussing all your attention on GDPR
Regardless of what part of the RIPE region any data maintainer or data subject is based in, regardless of legal jurisdiction, regardless of what personal data protection laws apply, regardless of who is considered to be the data controller of the data contained within the RIPE Database, this policy proposal is suggesting that these are the basic principles that the RIPE Database should operate under across the region.
Fine! then, let's just bound on that. Or no? :-/
...having read and commented [2] the publication series [3] from the RIPE NCC's Legal Team, i can tell you that: *insertion* of PII into RIPE DB seems to be actually in line with both the *GDPR* and right of data subjects.
We are going round in circles so I am not going to respond to these same points again. It is not ALL in line with either. Some resource holders and end users 'reluctantly' agree to some elements of their personal details (home address in particular) being entered into this database otherwise they will not get the resources they need for their business. Their home postal address is not needed to fulfill the database purposes. So some of this data is entered without the support of the database purposes and against the wishes of the data subject. That contravenes both GDPR and the rights of the data subject. To get around this some people are forced to enter false data into the database.
Then if/when you find *a lot* of PII the only ones to blame are the resource holders. Because they have signed more than one legal document where they agreed to not *pour* PII of their client within the RIPE DB.
We are not playing the blame game. It doesn't matter whose fault it is that some PII data ends up in the database that should not be there. We are trying to establish principles that will ensure that only the necessary data is entered into the database.
__
[2]: <https://www.ripe.net/ripe/mail/archives/db-wg/2022-June/007501.html>
[3]: <https://www.ripe.net/about-us/legal/corporate-governance/gdpr-and-the-ripe-ncc>
The RIPE NCC's Legal Team concluded that:
1| the RIPE DB has no *insertion* problem;
2| the remaining problem with the RIPE DB is in its *query* to retrieve data it contains;
3| the RIPE Community should act accordingly;
4| ...
...i expect that those RIPE NCC Legal Team's publication series[3] would be targeted as obsolete, when the above will become false or inconsistent with their assessment of the situation.
...i call anyone from RIPE NCC to, please, bring the clarification needed to understand the current state of the RIPE DB; regarding its compliance to GDPR.
Again you are obsessed with GDPR.
I don't think anyone can argue against the RIPE Database not containing unnecessary personal data or personal data that cannot be justified by the agreed purposes of the database.
You are right, imho!
...i, for myself, am opposed to any attempt to change the *purpose* of the RIPE Database.
BtW! could you find anyone who can argue against the good standing, interest and usefulness of the RIPE DB's *purpose*?
My proposal does not attempt to change the database purposes.
The GDPR is a good guideline and benchmark to assess the database against as it does apply, without question, to a large part of the RIPE region and a large amount of the personal data contained within the database. But it is not the only consideration.
Any other?
Many other countries in the RIPE region, outside of the EU, have their own legislation on privacy...the UK for example.
The bottom line is that this policy proposal is about establishing reasonable, common sense principles for processing personal data across the RIPE region, supported by the agreed purposes of the RIPE Database.
If that's the goal, then could we, please, start by considering the following:
s0| identify, in all the twenty one (21) RIPE DB's type of objects, attributes which could contain unwilling PII;
s1| filter output in 's0' to catch the more dangerous attributes to be balanced against (i) the purpose of the RIPE DB, and (ii) privacy considerations;
s2| consult the members & community through a survey about the appropriate path to follow;
s3| split the proposal {as suggested by Ronald}:
s4| one separate DPP (Draft Policy Proposal) to address the problem, if any, with the general principles for processing data within the RIPE DB;
s5| one separate DPP to address the problem, if any, with *insertion* of PII within the RIPE DB;
s6| one separate DPP to address the problem, with the *query* of the RIPE Database;
s7| one separate DPP to address the problem, if needed, with current PII present into the RIPE DB;
s8| ...
You are asking for 4 policies to do what one can do. That makes no sense at all. It would take about a year to even consider 4 consecutive policies.
cheers
denis
(single) Proposal author
Hope this clarifies my personal PoV :-)
Thanks.
Shalom, --sb.