On Fri, 24 Jun 2022, 01:40 Ronald F. Guilmette via db-wg, <db-wg@ripe.net> wrote:
In message <e7ddcc2c-3d1a-2fbc-8d3e-5472679ad842@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
Perhaps the RIPE NCC can publish the top entries from a new set of
denis walker via db-wg wrote on 22/06/2022 23:54: these
stats. If anyone then wishes to contest the numbers they can take it up directly with the RIPE NCC.
fwiw, the ripe ncc has consistently been clear that there is a handful of organisations who export very large quantities of registration information to the ripedb, so this issue is not particularly in question.
There are multiple obvious problems with this line of argument/reasoning/logic.
First and foremost, if in fact there exist such telecom companies, then -somebody- should be able to give us their names. I'm still waiting. I haven't seen -any- names of any such supposed telecom companies yet.
AFAIK the names of these organisations is not public information, only anonymous statistics have been published. If you have an issue with this I suggest you discuss it directly with the RIPE NCC legal team.
Second as was previously discussed, responsiblity, both legal and otherwise, for any unnecessary "leakage" of PII under GDPR belongs to the party that first leaked the data. So if some telecom company is carelessly shoveling their customer PII into the RIPE data base in a way that is not consistant with GDPR then the entire legal responsibility for that belongs to the telecom companies involved... *not* to RIPE. It is therefore quite obviously false to continue to insist that RIPE needs to take some action because of these specific companies or these specific WHOIS records. It doesn't.
This policy proposal is not about managing the legal responsibilities or liabilities of the RIPE NCC. It is about establishing a set of principles by which those who enter data into this database will manage personal data.
Third and lastly, underlying these arguments is a sort-of implicit and unspoken assumption that simply is not true and that can quite easily disproven, i.e. the obviously flawed assumption that the RIPE region is synomymous with the EU and/or the EEA and that thus, GDPR applies throughout the RIPE region. It doesn't.
The RIPE NCC is the data controller and is a Dutch organisation based in the EU. The RIPE Database is operated from servers within the EU. GDPR therefore applies to all data subjects within this database regardless of where they are located. Article 3.1 of the GDPR states: "This Regulation applies to the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not."
In addition to such notable and significant countries as Russia, Ukraine, and Turkey, it appears that there exist a whole raft of other countries also that are -in- RIPE but -outside- of EU/EEA, for example Aland Islands, Albania, Andorra, Armenia, Azerbaijan... and that's just the As! I'm sure that there are plenty more also. Companies and natural persons in these countries are not bound by GDPR, despite the fact that some would wish it to be so. Thus companies and persons outside of EU/EEA remain free to put whatever they like into the RIPE WHOIS data base, and RIPE is free to publish whatever they do put in there, as has already been discussed and agreed here. (Note that the Personally Identifiable Information involved in many of these cases will pertain to natural persons who themselves reside -outside- of the EU/EEA area, and GDPR is simply not applicable to the PII of any such persons.)
There are Russian lirs who provide address space and services to end users based in the Netherlands. Internet operations and business are not bound by geographical, political or legal jurisdictions. Cheers denis Proposal author
I understand the desire of some in Europe to impose GDPR upon the entire rest of the world, and onto all persons and companies from Alaska to Zanzibar, but wishing does not make it so. RIPE is free, morally, ethically, and legally to publish *my* phone number any time it wishes, as I am an American, and thus not a subject of the GDPR regime, and also not least because I myself have, in the first instance, made my own phone number public in my own domain WHOIS records, thus relieving any and all parties of any legal responsibility, under GDPR, for any mere re-publication of this Personally Identifiable Information.
Regards, rfg
--
To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/db-wg