Thanks.
On Friday, 24 June 2022, Nick Hilliard via db-wg <db-wg@ripe.net> wrote:
Ron,
Ronald F. Guilmette via db-wg wrote on 24/06/2022 00:40:
Second, as was previously discussed, responsibility, both legal and otherwise,
for any unnecessary "leakage" of PII under GDPR belongs to the party that
first leaked the data. So if some telecom company is carelessly shoveling
their customer PII into the RIPE database in a way that is not consistent
with GDPR then the entire legal responsibility for that belongs to the telecom
companies involved... *not* to RIPE.
the RIPE NCC is a GDPR joint controller of the PII published in the ripedb. This is acknowledged by the RIPE NCC:
With regards to the RIPE Database, the RIPE NCC fills the role of
“Data Controller” - that is, the entity legally responsible for all
personal data stored in the RIPE Database.
From: https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr/
Hi Nick,
Thanks for sharing that precious URI, brother!
...fwiw, we should start by questioning whether
that [1] *old* publication series is still reflecting
the actual understanding of RIPE NCC in how PII
data shall be managed within the RIPE Database.
__
This first precaution is needed, due to the fact that
its very content [2,3,4] seems to prove that RIPE
NCC has nearly no problem in regards to its implementation
of the GDPR regulatory framework within the RIPE Database.
<quote1>
"The RIPE NCC considers that it is the responsibility
of the one who inserts the data in the RIPE
Database (i.e. the maintainer) to ensure that they
have obtained valid consent for the processing to
take place."
</quote1>
__
<quote2>
"We’ve heard feedback that there’s a lot of interest
in the way personal data is processed in the RIPE
Database and how it will be affected by the GDPR
implementation. Spoiler alert: our assessment
indicates that current operations are in line with the
legislation."
</quote2>
__
<quote3>
"Conclusion The RIPE NCC is confident that the current RIPE Database operations are in line with the requirements of the GDPR. Having said that, we do see some room for improvement in the relevant documentation and we are currently reviewing our procedures accordingly."
</quote3>
__
The above adds more doubt in the rationale between
the goal and problem statement attached to this
Draft Policy Proposal (DPP) :-/
<quote4>
"Responsible party’s obligations
As mentioned above, the responsible parties are
identified by the maintainer object (referenced by
the “mnt-by:” attribute in any data object), which is
mandatory for all objects in the RIPE Database, and
indicates who is really responsible for specific
personal data recorded in the RIPE Database.
In summary, the maintainer is responsible for:
• The accuracy of the personal data they insert into
the RIPE Database, that it is appropriate for the
purpose of the RIPE Database and that it is kept up-
to-date
• Informing the data subjects that their data is
being processed, of the purposes of the RIPE
Database, the RIPE NCC's role, and the maintainer’s
role as the responsible party
• Receiving the data subject's consent (before their
personal data is entered)
• Handling any request from persons whose personal
data is inserted regarding correction or deletion of
personal data
• Accepting liability for any damage resulting from
the data being inaccurate, not relevant or out-of-
date, and any damage resulting from not informing
the data subjects, or receiving their consent or not
handling their requests
These responsibilities are already described in the
RIPE Database Terms and Conditions and the
resource holders, including the maintainers, are
contractually bound to these obligations."
Given that RIPE NCC has no record of fines for
having violated the GDPR since 2018, is there any
chance to find some valid use cases which could
justify such apparent need to change the *purpose*
of the RIPE Database?
Third and lastly, underlying these arguments is a sort-of implicit and
unspoken assumption that simply is not true and that can quite easily be
disproven, i.e. the obviously flawed assumption that the RIPE region is
synonymous with the EU and/or the EEA and that thus, GDPR applies
throughout the RIPE region. It doesn't.
There is no assumption, implicit or otherwise, that the RIPE service region is synonymous with the EU. However, as the RIPE NCC is legally constituted and operates in The Netherlands, it is subject to Dutch and EU law.
If you explicitly give consent for them to publish your personal information, that's fine. As this information is published in NL, your PII is subject to Dutch and EU law, and is therefore subject to the GDPR.
...we do not need to deal with the use case shared
by Ronald; because, imho, the legal team within RIPE NCC
has already concluded [2,5], even in the case
where PII of data subjects from a country in the EU
is inserted into the RIPE Database, without formal
consent, by the *responsible* resource holder...
Now! the very *who is* question raised by Ronald
makes more sense :-/
<quote5>
"We have concluded that the processing of
personal data is in line with the GDPR and no
changes are necessary in this regard.
In this article, we’re taking a closer look at the
queries the RIPE Database allows; we will conclude
that some amendments are necessary to ensure
GDPR compliance."
</quote5>
__
:-/ so! the problem identified by RIPE NCC was not
about inserting PII into the RIPE Database; but its
query...
...here's a problem which might need a fix.
In addition to your right to provide consent to publish your PII, you have lots of other rights, including the rights of access, rectification, restriction, and others.
If you're concerned by the fact that your PII is now subject to the GDPR, perhaps you'd like to exercise your right of erasure?
Thanks for noting this, as Athina has also listed [7]
the rights of data subjects regarding any request of
PII data removal [8].
<quote6>
"Removal of Personal Data
An individual whose personal data has been
inserted into the RIPE Database has the right to
ask for their personal data to be corrected or
removed. As most of the personal data contained
in the RIPE Database is not managed by the RIPE
NCC but by the persons indicated in the maintainer
object referenced in the "mnt-by:" attribute (mainly
the resource holders), it is the responsibility of the
maintainer to remove this personal data and
replace it with the personal data of another
individual. If a maintainer fails to fulfill these
responsibilities, the RIPE NCC will intervene and
modify or delete personal data in the RIPE
Database. However, the resource holder must find
another individual who is willing to share their
personal data in the RIPE Database."
</quote6>
__
[8]: Procedure for the Removal of Personal Contact
Details from the RIPE Database
Note that all these provisions appear to add more
arguments to the fact that RIPE NCC needs almost
no help to continue to manage the RIPE Database
in compliance with the GDPR regulatory framework.
<quote7>
"It must be highlighted that this procedure [6] was
established by the RIPE community through the
Data Protection Task Force as the right balance
between maintaining the accountability of resource
holders and safeguarding the data protection rights
of individuals."
</quote7>
__
Thanks.
Shalom,
--sb.
Nick
[...]