Radu,

there are a lot of things to unpick in regard to personal information in the RIPEDB. Person objects are not authenticated or checked, except inside the scope of RIPE ARC checks. Second and third parties can create person: objects for people without verification either for the email or phone number. So there are serious questions about the accuracy of the existing data in the database. This alone needs a good deal of attention and where necessary, remediation. As a general principle, no data is better than incorrect data.

In regard to who uses the data, and what they use it for, LEAs are one of many classifications of RIPE DB data consumers. The data might be of use to them if it's verified (e.g. ARC checks / LIR verification / PI contractual obligations / etc), but for other stuff like unverified person objects, or ASSIGNED-PA objects, there is no guarantee of any form about whether the data is accurate in any way.

In regard to your question, accurate registration details for this data are not a legal requirement in NL, and LEAs do not have statutory access to the data. That said, there's an obligation on the RIPE NCC to ensure that the policies and practices for accessing this data are legal and fit for purpose. That will include providing access to LEAs within the scope of GDPR in the normal course of events, or e.g. providing access to internal data following a court order.

When the DBTF noted that accurate registration of data and removal of unnecessary data (= data minimisation) from the RIPE DB should be followed up in a way that the DBWG thought was appropriate, they did this because these are legal requirements. In this context, it would be unwise to drop this from the DBWG's list of outstanding tasks.

Nick

Radu Anghel wrote on 08/07/2024 18:36:
I also support dropping NWI-17.
Removing contact information (address/phones) from the database just because "it looks like PII" would get more confused LEAs contacting RIPE and just defeat the purpose of the DB - a way to find contact information for _who_registered_this_resource_.
For GDPR there is the "legitimate interest" when dealing with persons, while company addresses are not PII at all.
Some persons found ways to keep the DB "accurate" regarding phone numbers, among other things, just check out a few examples:
nic-hdl: haz
nic-hdl: fsci
Radu
On Sat, Jul 6, 2024 at 4:33 PM Nick Hilliard via db-wg <db-wg@ripe.net> wrote:
Denis,
denis walker via db-wg wrote on 03/07/2024 17:33:
The Task Force (TF) made the recommendation in NWI-17, but did not give any justification for it.
the justification is included in the final DB-TF report which was published as ripe-767. The recommendations in the various NWIs should be read in the context of this report.
The high cost and low (if any) benefit of splitting this data is completely pointless. [...]
My recommendation is that we drop NWI-17.
The DB-TF considerations behind NWI-17 related to GDPR, so this wasn't a recommendation that came out of nowhere. It would be a better idea to do something about the recommendation rather than unilaterally dropping it.
Since 2021, ML has become a thing. It would be interesting to see if any of the LLMs would return anything useful in response to a query along the lines of "provide a list of all database objects containing information which looks like it's PII".
Nick