Dear all,
As long as there is no unified european law governing this, the RIPE NCC and all contracts it makes are by default governed by dutch law.
This is my understanding as well. If we look at the problem from the RIPE NCC's point of view (and this is what we are doing now, and should be doing), then we have to make sure the RIPE NCC complies with the Dutch data protection law. If we look at the problem from the maintainer's point of view (e.g. a LIR), then they have to make sure they act in accordance with any contract/agreement they have with the RIPE NCC, AND in accordance with all legal requirements of the country they act in. In other words, if Russian law requires a _written_ consent to publish personal data, the Russian LIR will have to make sure they have such a document from their client, but it is not RIPE NCC's task to enforce this.
So, in order to follow Larissa's argument, the RIPE NCC would have to create special/different contracts for contractors from different countries, if the parties need the contract to be governed by that country's laws.
I do not think this should be done, for the reason above.
I'm quite humble in legal matters
:)) The same with me. :)) I am not a lawyer either. Best regards, Janos