In message <e7ddcc2c-3d1a-2fbc-8d3e-5472679ad842@foobar.org>, Nick Hilliard <nick@foobar.org> wrote:
denis walker via db-wg wrote on 22/06/2022 23:54:
Perhaps the RIPE NCC can publish the top entries from a new set of these stats. If anyone then wishes to contest the numbers they can take it up directly with the RIPE NCC.
fwiw, the ripe ncc has consistently been clear that there is a handful of organisations who export very large quantities of registration information to the ripedb, so this issue is not particularly in question.
There are multiple obvious problems with this line of argument/reasoning/logic. First and foremost, if in fact there exist such telecom companies, then -somebody- should be able to give us their names. I'm still waiting. I haven't seen -any- names of any such supposed telecom companies yet. Second as was previously discussed, responsiblity, both legal and otherwise, for any unnecessary "leakage" of PII under GDPR belongs to the party that first leaked the data. So if some telecom company is carelessly shoveling their customer PII into the RIPE data base in a way that is not consistant with GDPR then the entire legal responsibility for that belongs to the telecom companies involved... *not* to RIPE. It is therefore quite obviously false to continue to insist that RIPE needs to take some action because of these specific companies or these specific WHOIS records. It doesn't. Third and lastly, underlying these arguments is a sort-of implicit and unspoken assumption that simply is not true and that can quite easily disproven, i.e. the obviously flawed assumption that the RIPE region is synomymous with the EU and/or the EEA and that thus, GDPR applies throughout the RIPE region. It doesn't. In addition to such notable and significant countries as Russia, Ukraine, and Turkey, it appears that there exist a whole raft of other countries also that are -in- RIPE but -outside- of EU/EEA, for example Aland Islands, Albania, Andorra, Armenia, Azerbaijan... and that's just the As! I'm sure that there are plenty more also. Companies and natural persons in these countries are not bound by GDPR, despite the fact that some would wish it to be so. Thus companies and persons outside of EU/EEA remain free to put whatever they like into the RIPE WHOIS data base, and RIPE is free to publish whatever they do put in there, as has already been discussed and agreed here. (Note that the Personally Identifiable Information involved in many of these cases will pertain to natural persons who themselves reside -outside- of the EU/EEA area, and GDPR is simply not applicable to the PII of any such persons.) I understand the desire of some in Europe to impose GDPR upon the entire rest of the world, and onto all persons and companies from Alaska to Zanzibar, but wishing does not make it so. RIPE is free, morally, ethically, and legally to publish *my* phone number any time it wishes, as I am an American, and thus not a subject of the GDPR regime, and also not least because I myself have, in the first instance, made my own phone number public in my own domain WHOIS records, thus relieving any and all parties of any legal responsibility, under GDPR, for any mere re-publication of this Personally Identifiable Information. Regards, rfg