Dear RIPE DB-WG, Hope this email finds you in good health! Please find my comments below, inline... Thanks. On Monday 27 June 2022, denis walker via db-wg <db-wg@ripe.net> wrote:
Colleagues
There were 2 very long emails this weekend, both
Hi Denis, Thanks for your email, brother.
pretty much along the same lines. These points have been made several times. I believe I
Sure, you tried...and thanks brother, it helped me to better understand two or three things along...
have adequately addressed these points in my earlier reply here: https://www.ripe.net/ripe/mail/archives/db-wg/2022-June/007482.html
...I went through it again, and it appears to not satisfy me, though :-/ What I understand is that your understanding of the actual state of the RIPE DB compliance with GDPR diverges from the public statement of RIPE NCC's Legal Team, on the same topic... :-/ Given that you have a very insightful point of view on the topic, I ask myself, what could justify that *unexpected* divergence?
Now let's try to wrap this issue up with a reality check. In the text of the proposed policy, GDPR is not mentioned anywhere.
Right! but, who said it's part of the draft proposal to be implemented; if it reaches consensus?
The opening two lines of the proposed policy Abstract basically sum up what this proposed policy is about: "This policy arises from the need for the RIPE Database to avoid the publishing of unnecessary personal data. Personal data must not be entered into the RIPE Database unless this can be justified according to the acknowledged purposes of the RIPE Database."
...who first invoked [1] the GDPR regulatory framework?

<quote>
"Summary of Proposal: Since the beginning of the RIPE Database, personal data has been entered extensively in PERSON objects as well as in other objects’ attributes in the database, such as email addresses for notifications and postal addresses for resource holders. In those early days little consideration was given to privacy and personal data processing. In almost all cases, personal data is not needed. Now the EU General Data Protection Regulation (GDPR) adds legal constraints on personal data and the justification for its use. The RIPE NCC is the data controller and facilitator of the RIPE Database. The servers providing access to the RIPE Database are operated by the RIPE NCC. The RIPE NCC is a Dutch registered organisation based within the EU. Therefore, the GDPR applies to all the personal data contained within the RIPE Database, regardless of where the data subject is located. In almost all situations, there is no justification for publishing any personal data in the RIPE Database. This policy proposal outlines data that should be used in areas where personal data has been used in the past. All contacts must be documented as roles. There is no need for documenting personal information about any contacts in the database."
</quote>
__
[1]: https://www.ripe.net/participate/policies/proposals/2022-01#:~:text=Summary%...
Regardless of what part of the RIPE region any data maintainer or data subject is based in, regardless of legal jurisdiction, regardless of what personal data protection laws apply, regardless of who is considered to be the data controller of the data contained within the RIPE Database, this policy proposal is suggesting that these are the basic principles that the RIPE Database should operate under across the region.
Fine! then, let's just bound on that. Or no? :-/ ...having read and commented [2] the publication series [3] from the RIPE NCC's Legal Team, I can tell you that: *insertion* of PII into RIPE DB seems to be actually in line with both the *GDPR* and right of data subjects. Then if/when you find *a lot* of PII the only ones to blame are the resource holders. Because they have signed more than one legal document where they agreed to not *pour* PII of their client within the RIPE DB.
__
[2]: <https://www.ripe.net/ripe/mail/archives/db-wg/2022-June/007501.html>
[3]: < https://www.ripe.net/about-us/legal/corporate-governance/gdpr-and-the-ripe-n...
The RIPE NCC's Legal Team concluded that:
1| the RIPE DB has no *insertion* problem;
2| the remaining problem with the RIPE DB is in its *query* to retrieve data it contains;
3| the RIPE Community should act accordingly;
4| ...

...I expect that those RIPE NCC Legal Team's publication series[3] would be targeted as obsolete, when the above will become false or inconsistent with their assessment of the situation.

...I call anyone from RIPE NCC to, please, bring the clarification needed to understand the current state of the RIPE DB; regarding its compliance to GDPR.
I don't think anyone can argue against the RIPE Database not containing unnecessary personal data or personal data that cannot be justified by the agreed purposes of the database.
You are right, imho! ...I, for myself, am opposed to any attempt to change the *purpose* of the RIPE Database. BtW! could you find anyone who can argue against the good standing, interest and usefulness of the RIPE DB's *purpose*?
The GDPR is a good guideline and benchmark to assess the database against as it does apply, without question, to a large part of the RIPE region and a large amount of the personal data contained within the database.
But it is not the only consideration.
Any other? Thanks to add it here [1], brother.
To focus so heavily on the GDPR alone is a distraction.
< https://dict.org/bin/Dict?Form=Dict1&Query=distraction&Strategy=*&Database=*> [1]?
The bottom line is that this policy proposal is about establishing reasonable, common sense principles for processing personal data across the RIPE region, supported by the agreed purposes of the RIPE Database.
If that's the goal, then could we, please, start by considering the following:
s0| identify, in all the twenty one (21) RIPE DB's type of objects, attributes which could contain unwilling PII;
s1| filter output in 's0' to catch the more dangerous attributes to be balanced against (i) the purpose of the RIPE DB, and (ii) privacy considerations;
s2| consult the members & community through a survey about the appropriate path to follow;
s3| split the proposal {as suggested by Ronald}:
s4| one separate DPP (Draft Policy Proposal) to address the problem, if any, with the general principles for processing data within the RIPE DB;
s5| one separate DPP to address the problem, if any, with *insertion* of PII within the RIPE DB;
s6| one separate DPP to address the problem, with the *query* of the RIPE Database;
s7| one separate DPP to address the problem, if needed, with current PII present into the RIPE DB;
s8| ...

Hope this clarifies my personal PoV :-) Thanks.

Shalom,
--sb.
cheers denis Proposal author
[...]
--
Best Regards!
__
baya.sylvain[AT cmNOG DOT cm]|<https://cmnog.cm/dokuwiki/Structure>
Subscribe to Mailing List: <https://lists.cmnog.cm/mailman/listinfo/cmnog/>
__
#THEHOLYBIBLE|#Romans15:33 «May THE #GOD of #Peace be with you all! #Amen!»
#MyPrayer is that you be born again.
#Christianly «As a deer pants for streams of water, so my soul pants for YOU, O GOD!» (#Psalms42:2)