As far as I'm aware, since IP addresses _can_ uniquely identify a person (think of static IPs offered by some ISPs), it is considered personal data by authorities. GDPR leaves a huge grey area that is up to interpretation, which in practice boils down to companies trying to avoid even said grey area and keeping a very strict GDPR policy. Been there, done that (doing that, in fact). Painful as it is, that's the law. Agoston On Sun, Jan 10, 2021 at 7:36 AM Michael Kafka via db-wg <db-wg@ripe.net> wrote:
On 2021-01-08 18:15, Randy Bush via db-wg wrote:
If the geofeed doesn't contain the above mentioned means to directly or indirectly identify a natural person then GDPR don't apply, especially if the geofeed refers only to a country or province.
note that the geofeed spec, RFC8805, is separate from the rpsl-based means to find the geofeed files, draft-ietf-opsawg-finding-geofeeds.
that wouldn't make a difference here. if the RIPE database points immediately to personal information GDPR applies.
i was not involved in the geofeed spec, but it was done by friends of the family who gossip :)
i was told that the reason there is no postal code in the geofeed file spec is because, in some cases, it resolves with sufficient precision to identify individuals.
randy
the precision of postal codes (e.g. in great britain) is a good point!
MiKa