On 5 Nov 2014, at 16:20, Sascha Luck <lists-ripe@c4inet.net> wrote:

how does the uncontrolled publishing of that data possibly comply with the EU Data Protection Directive and imminent General Data Protection Regulation,

especially considering the entirely uncontrolled transfer of such data to non-EU countries (whois lookups!)?

IANAL, but to me it looks like a breach of said regulations.

Sacha, what matters here is how Dutch law enacts the EU directive and regulation and how the Dutch Data Protection Authority enforces that law(s). I would presume/expect the NCC's legal staff have already checked this or got expert advice. The NCC is already publishing Personal Data -- eg names and addresses for Contact Objects -- without violating Dutch/EU Data Protection and/or Privacy legislation. So I would assume that publishing Person Objects will be equally acceptable. My understanding is the issues around export of Personal Data apply to cases where the data are processed/controlled in a country that does not have a Data Protection regime or Safe Harbour provisions equivalent to the EU Directives and Regulations. Publishing whois data probably does not fall into that. IANAL either. Though I have dealt with whois issues, ICANN, Data Protection and far too many lawyers in a previous life. The scars have nearly healed.