Hello Denis,
On 11/01/24 01:40, denis walker wrote:
So personal data does not always need consent of the data
subject. But you only ever refer to (a) consent.
There are indeed other possible lawful bases than consent, and this fact
is precisely why I wrote (emphasis added):
«Publishing this information requires *a* lawful basis, *e.g.*, consent.»
Consent is however the only lawful basis singled out by the RIPE NCC in
the RIPE Database Terms and Conditions and in the 2023-04 Impact
Analysis, so it seems reasonable to assume that some LIRs will seek consent.
Therefore we need to examine what that actually means in practice. You
sum it up quite accurately below:
If we take the latest revelation in the IA on 2023-04, ALL PII needs
consent, this has HUGE implications for the RIPE NCC and RIPE policy
generally. We MUST have a good understanding of the legal basis for
entering PII into the RIPE Database. Consent cannot be conditional. So
if a resource holder who is a natural person withdraws their consent
to have their PII in the database, it MUST be removed. That may leave
an allocation and organisation with no identity or contacts. That
would be a policy violation. BUT the resource cannot be reclaimed as
that would have made the consent conditional. Also we have an abuse
policy that requires all resources to have an abuse contact. If that
contact is a natural person and they withdraw their consent their
details must be deleted. Again that creates a policy violation. But
the resource cannot be reclaimed again as that would have made the
contact details consent conditional.
Your conclusion that this situation results in a policy violation, is
however entirely contingent on your interpretation of the current policy
as mandating the publication of the End User's (non-delegated) contact
information.
Under the RIPE NCC's interpretation of the current policy, on the other
hand, this situation is entirely unproblematic. Under their
interpretation, the LIR has, quote, «freedom to take over the
responsibility as the point of contact for their End User». No PII, no
GDPR, no problem.
https://www.ripe.net/ripe/mail/archives/address-policy-wg/2023-November/013892.html
Again you have selected just one example that can support your
argument, Farmer Fred. I could have used KPN or Apple Inc as an
example which would negate your argument.
KPN or Apple would not be relevant examples, as they (presumably) would
use non-personal NOC roles which are not PII, and thus out of scope of
the GDPR.
There are certainly many End Users whose contact information is not PII,
but that does not «negate» the fact that there are also many End Users
whose contact information *is* PII.
Both types of End Users must be catered to by the address policy.
Tore & Jeroen
--
To unsubscribe from this mailing list, get a password reminder, or change your
subscription options, please visit:
https://lists.ripe.net/mailman/listinfo/address-policy-wg
