On Fri, Jul 12, 2024 at 2:26 AM Nick Hilliard <nick@foobar.org> wrote:
> In all these cases, the RIPE NCC is co-processor of the data, and has a responsibility for GDPR compliance.
And the RIPE NCC is doing a great job. [1], [2]
> It's totally worth pointing LEAs to data relating to ALLOCATED-PA and ASSIGNED-PI because that will tell them where to serve the summons. But it's often pointless for ASSIGNED-PA which makes up the majority of the objects (and consequently the person: objects) in the ripedb.
> It would help to clarify in the RIPE DB what data is authoritative, i.e. subject to checks, and what sort of checks.
This information can be found in [3], it may or may not be useful to additionally signal it inside the DB.
> For ASSIGNED-PI and ALLOCATED-PA, the resource holder needs to provide their details, for sure. That would constitute performance of a contract. But that's not the same as publishing it to the world, regardless of what it says in the T&Cs. You can't make the leap from stating that just because the RIPE NCC Privacy Statement says the information will be published, that this implies that "legal basis" is satisfied as a basis for data processing. This is not how GDPR works.
It is included in the SSA that applies to LIRs. LIRs then have the responsibility of obtaining consent from their End-Users AND keeping the data accurate.
> The difficulty here is that there is a mixture of PII and non-PII in the database. There's no difficulty with non-PII. The problem is that it's all mixed up together.
One incomplete solution for this would be to no longer allow natural persons to register resources, but I do not think this is a good idea, or something that anyone wants. I say incomplete because for example sole traders "John Doe trading as ACME" are both legal entities and natural persons at the same time.
> Consent is complicated in GDPR. Legally it must be possible to withdraw consent without detriment. So if the GDPR basis for processing data is "consent", and the resource holder withdraws that consent, you gotta respect that and nothing can change contractually. This is something that the European Data Protection Board has started taking action on in the last couple of years, and there is now case law to support this position.
> The rationale behind this is that if there is pressure or coercion involved, then it's not consent: it's pressure or coercion.
> Consent in GDPR gives the right for a data processor to hold information about a data subject if the subject agrees. But it does _not_ give the data processor the right to withdraw service if that consent is withdrawn.
You are probably thinking of the Cookie Monster situation where you can refuse cookies you don't like and still access a website. But there are the "required" cookies that you cannot refuse. If you withdraw consent to have your name, postal address and phone with Amazon it would be tricky for them to deliver your orders, so they might "withdraw service". If somebody registering unique numbers in the RIPE DB withdraws this consent they can't use RFC 6214 anymore so the resources can be deregistered.
> There are arguable points in Legitimate Interest. If this is the basis for publishing the data, then this is why the RIPE Community needs to ensure that the policies and data management practices are assessed, i.e. to ensure that if this information is published on the basis of legitimate interest, then there is careful consideration of this within GDPR, that the policies are compliant with GDPR and that the practice is compliant with the policies.
> In other words, if the RIPE NCC / RIPE Community makes a claim that a specific legal basis is used for processing data, then the justification for that basis must be analysed carefully and clearly described.
See above, RIPE NCC is doing a great job at it.

Best,
Radu

[1] https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr-the-ripe-...
[2] https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr-legal-gro...
[3] https://www.ripe.net/publications/docs/ripe-826/