In message <e7ddcc2c-3d1a-2fbc-8d3e-5472679ad842@foobar.org>,
Nick Hilliard <nick@foobar.org> wrote:

>denis walker via db-wg wrote on 22/06/2022 23:54:
>> Perhaps the RIPE NCC can publish the top entries from a new set of these
>> stats. If anyone then wishes to contest the numbers they can take it up
>> directly with the RIPE NCC.
>
>fwiw, the ripe ncc has consistently been clear that there is a handful
>of organisations who export very large quantities of registration
>information to the ripedb, so this issue is not particularly in question.

There are multiple obvious problems with this line of argument/reasoning/logic.

First and foremost, if in fact there exist such telecom companies, then
-somebody- should be able to give us their names.  I'm still waiting.
I haven't seen -any- names of any such supposed telecom companies yet.

Second as was previously discussed, responsiblity, both legal and otherwise,
for any unnecessary "leakage" of PII under GDPR belongs to the party that
first leaked the data.  So if some telecom company is carelessly shoveling
their customer PII into the RIPE data base in a way that is not consistant
with GDPR then the entire legal responsibility for that belongs to the telecom
companies involved... *not* to RIPE.  It is therefore quite obviously false
to continue to insist that RIPE needs to take some action because of these
specific companies or these specific WHOIS records.  It doesn't.

Third and lastly, underlying these arguments is a sort-of implicit and
unspoken assumption that simply is not true and that can quite easily
disproven, i.e. the obviously flawed assumption that the RIPE region is
synomymous with the EU and/or the EEA and that thus, GDPR applies
throughout the RIPE region.  It doesn't.

In addition to such notable and significant countries as Russia, Ukraine,
and Turkey, it appears that there exist a whole raft of other
countries also that are -in- RIPE but -outside- of EU/EEA, for example
Aland Islands, Albania, Andorra, Armenia, Azerbaijan... and that's just
the As!  I'm sure that there are plenty more also.  Companies and natural
persons in these countries are not bound by GDPR, despite the fact that
some would wish it to be so.  Thus companies and persons outside of EU/EEA
remain free to put whatever they like into the RIPE WHOIS data base, and
RIPE is free to publish whatever they do put in there, as has already been
discussed and agreed here.  (Note that the Personally Identifiable Information
involved in many of these cases will pertain to natural persons who themselves
reside -outside- of the EU/EEA area, and GDPR is simply not applicable to
the PII of any such persons.)

I understand the desire of some in Europe to impose GDPR upon the entire
rest of the world, and onto all persons and companies from Alaska to
Zanzibar, but wishing does not make it so.  RIPE is free, morally, ethically,
and legally to publish *my* phone number any time it wishes, as I am an
American, and thus not a subject of the GDPR regime, and also not least
because I myself have, in the first instance, made my own phone number
public in my own domain WHOIS records, thus relieving any and all parties
of any legal responsibility, under GDPR, for any mere re-publication of
this Personally Identifiable Information.


Regards,
rfg

--

To unsubscribe from this mailing list, get a password reminder, or change your subscription options, please visit: https://lists.ripe.net/mailman/listinfo/db-wg