Dear DB-WG,

<tl;dr>
The legal team at RIPE NCC has made it easier for
us to get a clear picture [1] of their implementation
of the GDPR regulatory framework; within the RIPE
Database.
...I'm mostly quoting their related publication series
to conclude that this Draft Policy Proposal (DPP) is
not needed; when it comes to helping RIPE NCC in any
quest of GDPR regulatory framework's compliance
regarding PII data insertion w/ the RIPE Database.
The legal team has said that their need could be
about *query* [6]...
</tl;dr>

Please find more context below, inline...

Thanks.

On Friday, 24 June 2022, Nick Hilliard via db-wg <db-wg@ripe.net> wrote:

> Ron,
>
> Ronald F. Guilmette via db-wg wrote on 24/06/2022 00:40:
>
>> Second as was previously discussed, responsibility, both legal and
>> otherwise,
>> for any unnecessary "leakage" of PII under GDPR belongs to the party that
>> first leaked the data.  So if some telecom company is carelessly shoveling
>> their customer PII into the RIPE data base in a way that is not consistent
>> with GDPR then the entire legal responsibility for that belongs to the
>> telecom
>> companies involved... *not* to RIPE.
>>
>
> the RIPE NCC is a GDPR joint controller of the PII published in the
> ripedb. This is acknowledged by the RIPE NCC:
>
>> With regards to the RIPE Database, the RIPE NCC fills the role of
>> “Data Controller” - that is, the entity legally responsible for all
>> personal data stored in the RIPE Database.
>>
>
> From: https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr/
>
>
>>

Hi Nick,
Thanks for sharing that precious URI, brother!

...fwiw, we should start by questioning whether
that [1] *old* publication series is still reflecting
the actual understanding of RIPE NCC in how PII
data shall be managed within the RIPE Database.
__
[1]: <https://www.ripe.net/about-us/legal/corporate-governance/gdpr-and-the-ripe-ncc>

This first precaution is needed, due to the fact that
its very content [2,3,4] seems to prove that RIPE
NCC has nearly no problem in regards to its
implementation of the GDPR regulatory framework;
within the RIPE Database.

<quote1>
"The RIPE NCC considers that it is the responsibility
 of the one who inserts the data in the RIPE
Database (i.e. the maintainer) to ensure that they
have obtained valid consent for the processing to
take place."
</quote1>
__
[2]: https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database/#:~:text=The%20RIPE%20NCC%20considers,the%20processing%20to%20take%20place


<quote2>
"We’ve heard feedback that there’s a lot of interest
in the way personal data is processed in the RIPE
Database and how it will be affected by the GDPR
implementation. Spoiler alert: our assessment
indicates that current operations are in line with the
 legislation."
</quote2>
__
[3]:
https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr-the-ripe-database/#:~:text=We%E2%80%99ve%20heard%20feedback,current%20operations%20are%20in%20line%20with%20the%20legislation
.


<quote3>
"Conclusion The RIPE NCC is confident that the current RIPE Database
operations are in line with the requirements of the GDPR. Having said that,
we do see some room for improvement in the relevant documentation and we
are currently reviewing our procedures accordingly."
</quote3>
__
[4]:
https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr-the-ripe-database/#:~:text=Conclusion,our%20procedures%20accordingly
.


The above adds more doubt in the rationale between
the goal and problem statement attached to this
Draft Policy Proposal (DPP) :-/


<quote4>
"Responsible party’s obligations

As mentioned above, the responsible parties are
identified by the maintainer object (referenced by
the “mnt-by:” attribute in any data object), which is
mandatory for all objects in the RIPE Database, and
 indicates who is really responsible for specific
personal data recorded in the RIPE Database.

In summary, the maintainer is responsible for:

• The accuracy of the personal data they insert into
 the RIPE Database, that it is appropriate for the
purpose of the RIPE Database and that it is kept up-
to-date
• Informing the data subjects that their data is
being processed, of the purposes of the RIPE
Database, the RIPE NCC's role, and the maintainer’s
role as the responsible party
• Receiving the data subject's consent (before their
personal data is entered)
• Handling any request from persons whose personal
data is inserted regarding correction or deletion of
personal data
• Accepting liability for any damage resulting from
 the data being inaccurate, not relevant or out-of-
date, and any damage resulting from not informing
 the data subjects, or receiving their consent or not
handling their requests

These responsibilities are already described in the
 RIPE Database Terms and Conditions and the
resource holders, including the maintainers, are
contractually bound to these obligations."
</quote4>
__
[5]:
https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database/#:~:text=Responsible%20party%E2%80%99s%20obligations,to%20these%20obligations
.


Given that RIPE NCC has no record of fines for
having violated the GDPR since 2018; is there any
chance to find some valid usecases which could
justify such apparent need to change the *purpose*
 of the RIPE Database?



>
>>
>> Third and lastly, underlying these arguments is a sort-of implicit and
>> unspoken assumption that simply is not true and that can quite easily
>> be disproven, i.e. the obviously flawed assumption that the RIPE region is
>> synonymous with the EU and/or the EEA and that thus, GDPR applies
>> throughout the RIPE region.  It doesn't.
>>
>
> there is no assumption, implicit or otherwise, that the RIPE service
> region is synonymous with the EU.  However, as the RIPE NCC is legally
> constituted and operates in The Netherlands, it is subject to Dutch and EU
> law.
>
> If you explicitly give consent for them to publish your personal
> information, that's fine.  As this information is published in NL, your PII
> is subject to Dutch and EU law, and is therefore subject to the GDPR.
>
>
>

...we do not need to deal with the usecase shared
by Ronald; because, imho, the legal team within RIPE NCC has already
concluded [2,5], even in case
where PII of data subjects, from a country in EU,
are inserted into the RIPE Database, without formal
 consent, by the *responsible* resource holder...

Now! the very *who is* question raised by Ronald
makes more sense :-/


<quote5>
"We have concluded that the processing of
personal data is in line with the GDPR and no
changes are necessary in this regard.

In this article, we’re taking a closer look at the
queries the RIPE Database allows; we will conclude
 that some amendments are necessary to ensure
GDPR compliance."
</quote5>
__
[6]:
https://labs.ripe.net/author/maria_stafyla/how-were-implementing-the-gdpr-amendments-to-the-ripe-database/#:~:text=We%20have%20concluded,ensure%20GDPR%20compliance
.


:-/ so! the problem identified by RIPE NCC was not
 about inserting PII into the RIPE Database; but its
query...

...here's a problem which might need a fix.



>
> In addition to your right to provide consent to publish your PII, you have
> lots of other rights, including the rights of access, rectification,
> restriction, and others.
>
> If you're concerned by the fact that your PII is now subject to the GDPR,
> perhaps you'd like to exercise your right of erasure?
>
>
>

Thanks for noting this, as Athina has also listed [7]
the rights of data subjects regarding any request of
 PII data removal [8].

<quote6>
"Removal of Personal Data

An individual whose personal data has been
inserted into the RIPE Database has the right to
ask for their personal data to be corrected or
removed. As most of the personal data contained
in the RIPE Database is not managed by the RIPE
NCC but by the persons indicated in the maintainer
object referenced in the "mnt-by:" attribute (mainly
the resource holders), it is the responsibility of the
maintainer to remove this personal data and
replace it with the personal data of another
individual. If a maintainer fails to fulfill these
responsibilities, the RIPE NCC will intervene and
modify or delete personal data in the RIPE
Database. However, the resource holder must find
another individual who is willing to share their
personal data in the RIPE Database."
</quote6>
__
[7]:
https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr-the-ripe-database/#:~:text=Removal%20of%20Personal%20Data,their%20personal%20data%20in%20the%20RIPE%20Database
.
[8]: Procedure for the Removal of Personal Contact Details from the RIPE Database
<https://www.ripe.net/manage-ips-and-asns/db/support/documentation/removal-of-personal-data>


Note that all these provisions appear to add more
arguments to the fact that RIPE NCC needs almost
no help to continue to manage the RIPE Database
in compliance with the GDPR regulatory framework.


<quote7>
"It must be highlighted that this procedure [6] was
 established by the RIPE community through the
Data Protection Task Force as the right balance
between maintaining the accountability of resource
holders and safeguarding the data protection rights
 of individuals."
</quote7>
__
https://labs.ripe.net/author/athina/how-were-implementing-the-gdpr-the-ripe-database/#:~:text=It%20must%20be%20highlighted,protection%20rights%20of%20individuals
.


Thanks.

Shalom,
--sb.




>
> Nick
>
> [...]
>
>
>>
>
>

-- 

Best Regards !
__
baya.sylvain[AT cmNOG DOT cm]|<https://cmnog.cm/dokuwiki/Structure>
Subscribe to Mailing List: <https://lists.cmnog.cm/mailman/listinfo/cmnog/>
__
#THEHOLYBIBLE|#Romans15:33 «May THE #GOD of #Peace be with you
all! #Amen!»
#MyPrayer is that you be born again. #Christianly
«As a deer pants for streams of water, so my soul pants
for YOU, O GOD!» (#Psalms42:2)