RIPE NCC Data Protection Report
1. Introduction
The RIPE NCC aims to protect personal data in the public sources it administers and controls, adhering to data protection legislation in the Netherlands. The RIPE NCC has a legal obligation to comply with Dutch data protection legislation with regards to the personal data it processes.
In order to comply, the RIPE NCC has developed a legal framework that guarantees the proper and lawful use of personal data. This legal framework has been established in coordination with the RIPE community through a task force created for this purpose, the RIPE Data Protection Task Force, which put forward proposals that were considered in the RIPE Database Working Group.
This paper outlines:
- The national data protection legislation to which the RIPE NCC must adhere (section 2)
- The implementation of this legislation in the RIPE Database and related services (section 3)
- The implementation of this legislation in other RIPE NCC services (section 4)
2. Data Protection Framework
The RIPE NCC is an association under Dutch law. Therefore, the applicable data protection legislation is the Dutch Personal Data Protection Act (“Wet bescherming persoonsgegevens”). The Dutch Personal Data Protection Act (hereafter “the Act”) outlines the conditions according to which processing personal data is lawful.
2.1. Basic concepts
The Act[1] defines some basic concepts. Accordingly:
- Personal data is any information relating to an identified or identifiable natural person.
- Processing of personal data is any operation or any set of operations concerning personal data, including in any case the collection, recording, organisation, storage, updating or modification, retrieval, consultation, use, dissemination by means of transmission, distribution or making available in any other form, merging, linking, as well as blocking, erasure or destruction of data.
- Responsible party is the person that determines the purpose and means for processing personal data[2].
- Data subject is the person to whom personal data relates.
2.2. Conditions for the lawful processing of personal data
According to the Act[3], personal data may be collected for specific, explicitly defined and legitimate purposes. Once collected, this data must:
- Be processed in a careful, proper and lawful manner
- Not be further processed in a way incompatible with the purposes for which it has been collected
- Be adequate, relevant and not excessive in relation to the purposes for which it is collected and further processed
- Be accurate and, if necessary, kept up-to-date
- Not be kept for any longer than is necessary to achieve the purpose for which it has been collected or processed
2.3. Rights of data subjects
The data subject has the right to be informed by the responsible party of the collection and processing of their personal data before their data is collected or processed in any way[4]. Additionally, the data subject has the right to request that the responsible party correct or delete their personal data[5].
3. Implementation of the Legal Framework in the RIPE Database Services
3.1. The RIPE Data Protection Task Force
In 2005, the RIPE Database Working Group identified a need to comply with data protection legislation by updating the processes and services relating to the RIPE Database. At RIPE 52 in April 2006, the community established the RIPE Data Protection Task Force (DPTF)[6]. The DPTF was mandated by the RIPE Database Working Group to recommend steps that the RIPE NCC should take to comply with the legislation.
The DPTF, working together with the RIPE NCC and input from the RIPE community, developed a revised set of procedures for the RIPE NCC to control personal data exposure and set up a legal framework for the use of personal data in accordance with the Act. Specifically, the DPTF proposed that the RIPE NCC:
- Make the “mnt-by:” attribute mandatory for all objects (see section 3.2.2)
- Create and make enforceable the RIPE Database Terms and Conditions, which, among other things, specify the purpose for the processing of personal data in the RIPE Database (see section 3.2.3)
- Introduce a procedure for the removal of personal data from the RIPE Database at the request of the Data Subject (see section 3.2.4)
- Automate removal of any unreferenced personal data from the RIPE Database (see section 3.2.5)
- Restrict unlimited access to personal data in the RIPE Database by creating the RIPE Database Acceptable Use Policy and by modifying the various RIPE Database-related services (such as the Near Real Time Mirroring (NRTM) and bulk access services) so that these services would be offered without personal data (see section 3.3)
The DPTF proposed the changes to the RIPE community and to the RIPE NCC Executive Board. There was extensive communication between the DPTF and the RIPE community (via RIPE Meetings, the DPTF mailing list and the RIPE Database Working Group mailing list). The changes in procedures and documents were finalised by the RIPE NCC and communicated to the RIPE community.
The task force was disbanded at RIPE 59 in October 2009 when the mandated deliverables were completed. The following sections outline the changes made in order for the RIPE NCC to comply with the Act, as proposed by the DPTF and agreed on by the RIPE community and the RIPE NCC Executive Board.
3.2. Data protection and the RIPE Database
3.2.1. Personal data in the RIPE Database
The RIPE NCC operates the publicly available RIPE Database. The RIPE Database contains registration details of Internet number resources (IP addresses and AS Numbers) and, in particular, information about the natural or legal persons that hold the Internet number resources. This information includes contact details of those responsible for the networks the Internet number resources correspond to and/or for maintaining the information in the RIPE Database (usually technical and administrative employees of the natural or legal persons that hold the resource). The contact details consist of names, (business) email addresses, (business) phone and fax numbers and (business) postal addresses. Since these contact details are information relating to an identified or identifiable natural person they are considered to be personal data according to the Act (see above section 2.1).
3.2.2. Responsible party - Mandatory mnt-by
The purpose and means of processing personal data registered in the RIPE Database are not determined by the RIPE NCC but by the RIPE community. However, the RIPE NCC is the organisation that implements or oversees the implementation of the instructions given by the RIPE community. In that sense, the RIPE NCC could be seen as the responsible party for processing personal data in the RIPE Database in accordance with the Act (see above section 2.1).
Although the RIPE NCC can be seen as the responsible party, the RIPE NCC has no, or only limited, control over the personal data stored in the RIPE Database. Most personal data is not registered in the RIPE Database by the RIPE NCC but by others (generally those responsible for the specific Internet number resources or by the data subjects themselves).
The DPTF considered that certain obligations coming from this “by default” responsibility must be shifted to those who are actually responsible for the personal data they collect and process (see section 2.3). Accordingly, it was proposed to contractually impose (via the RIPE Database Terms and Conditions) certain obligations on the persons who insert and maintain specific personal data in the RIPE Database.
In the RIPE Database, these persons are identified by the maintainer object (referenced by the “mnt-by:” attribute in any data object). The DPTF proposed that this attribute should be made mandatory for all objects. This attribute would be used to indicate who is really responsible for specific personal data in the RIPE Database. The maintainer would be responsible for:
- The accuracy of the personal data they insert in the RIPE Database, that it is appropriate for the purpose of the RIPE Database and that it is kept up-to-date
- Informing the data subjects that their data is being processed, of the purposes of the RIPE Database and of the RIPE NCC's role as the responsible party within the meaning of the Act
- Receiving the data subject's consent before they enter the data
- Handling any request from persons whose personal data is inserted regarding correction or deletion of personal data
- Accepting liability for any damage resulting from the data being inaccurate, not relevant or out-of-date, and any damage resulting from not informing the data subjects, or receiving their consent or not handling their requests
These obligations are outlined in the RIPE Database Terms and Conditions and the maintainers are contractually bound to these obligations by agreeing to the RIPE Database Terms and Conditions.
3.2.3. Purpose of collection and processing of personal data
As mentioned above, according to the Act personal data may be collected for specific, explicitly defined and legitimate purposes (see above section 2.2). Accordingly, the DPTF needed to clearly identify the reason why personal data should be inserted into, and made publicly available through, the RIPE Database.
The reason the Internet community initially requested that this data be made publicly available was for Internet operation purposes. Internet network operators should have each other's contact details in order to facilitate communication among the individuals responsible for networks in case of operational problems.
The DPTF concluded that the personal data in the RIPE Database should be contact details of persons that, because of their profession, are responsible for the administration and the technical maintenance of each network. This personal data may be used to contact that person in the case of a problem in the network (troubleshooting, abuse, etc.).
This purpose had to be explicitly stated in order for data subjects to give their consent on the use of their personal data. Therefore, the DPTF decided to document the purpose this personal data should be used for in the RIPE Database Terms and Conditions[7].
It was also necessary to ensure that RIPE Database users only use this personal data for the stated purpose. The DPTF considered the proper way for the RIPE Database Terms and Conditions to be enforceable. Accordingly, in order for somebody to use the RIPE Database, they must agree to these Terms and Conditions, which include the condition that the personal data contained in the RIPE Database will only be used for the purposes specified in the Terms and Conditions. Use of this data for any other purpose, and in particular for advertising purposes, is strictly forbidden[8]. In this way, users are contractually bound to use the data only for the purpose mentioned in the RIPE Database Terms and Conditions, to which the data subjects have given their consent.
3.2.4. Procedure for removal of personal data
According to the Act, the data subject has the right to ask for their personal data to be corrected or removed from any database in which it is stored. Accordingly, the DPTF created a procedure whereby anyone whose personal data is contained in the RIPE Database may request that their data be removed[9].
As noted above (section 3.2.2.), much of the personal data contained in the RIPE Database is not managed by the RIPE NCC but by the maintainer (persons indicated in the maintainer object referenced in the "mnt-by:" attribute). Therefore, the DPTF considered that if an individual wishes their data to be deleted from the RIPE Database, it is the responsibility of the maintainer to remove this personal data and replace it with the personal data of another individual.
The DPTF also considered that, since the RIPE NCC is the responsible party under the Act, if the maintainer fails to fulfill their responsibilities, the RIPE NCC has a legal obligation to intervene and to modify or delete personal data in the RIPE Database. The DPTF concluded that such a procedure would balance maintaining accountability with the privacy rights of individuals.
The DPTF also examined the case where the holder of Internet number resources is an individual and wishes their personal data to be removed. The DPTF considered that one of the purposes of the RIPE Database is to provide information related to the resource holder. Therefore, a data subject cannot maintain an Internet number resource and be anonymous. Where accountability for registrations of global resources conflicts with an individual's right to privacy, drastic action may be required. The data subject could be offered the option of having their personal data replaced with another person's data (provided this other person agrees)[10]. If this option is not acceptable for a resource holder, then the resources should be deregistered from them.
3.2.5. Automated removal of unreferenced personal data
The RIPE Database contained personal data that was not referenced by any other object (record) in the database. No one appeared to be responsible for this data and its existence in the RIPE Database could not be justified.
The DPTF proposed routine, automated removal of this unreferenced personal data from the RIPE Database[11]. The DPTF also recommended creating a “white pages” mechanism for individuals wishing to have their personal contact data publicly available in the RIPE Database without being referenced by any other objects in the database. Database objects listed in the white pages would not be subject to the automated removal process[12].
3.3. Unlimited access restrictions
3.3.1. Acceptable Use Policy
The RIPE Database has historically been a publicly-available service to which anyone might have unlimited access. The DPTF considered that this unlimited access could lead to abuse of the personal data in the RIPE Database. Moreover, unlimited access to the personal data contained in the RIPE Database cannot be justified by the purpose for which that personal data is provided. Mining personal data contained in the RIPE Database does not comply with the database's operational purpose and it would be an inappropriate use of the personal data.
The DPTF estimated the maximum number of possible times somebody would need to access personal data in the RIPE Database in order to report abuse or for troubleshooting purposes, etc. Based on this, the DPTF proposed the drafting of an Acceptable Use Policy (AUP)[13], which clearly defines access limits to the personal data in the RIPE Database. Users exceeding these limits would have their access to further personal data blocked for a period of time.
The AUP also took into account queries made to the RIPE Database through web interfaces hosted by third parties (proxies). In such cases, the access limits are higher because such interfaces are intended to be used by more than one user.
3.3.2. NRTM and Bulk Access service
The DPTF reviewed the RIPE Database-related services offered by the RIPE NCC and determined whether those services complied with the Act.
The Near Real Time Mirroring (NRTM) and Bulk Access services offer the possibility for network operators to have access to all data contained in the RIPE Database in bulk. This would offer the recipients of the service all personal data in the database without the restrictions placed on users of the other interfaces.
The DPTF questioned the need for access to this amount of personal data through these services and specifically examined whether the purpose of this service would justify the bulk provision of personal data.
The DPTF gathered all existing and possible purposes for which bulk access services can be used. These purposes include:
- Security purposes (security companies or Law Enforcement Agencies (LEAs) tracking spammers, viruses and other illegal activity)
- Geolocation purposes (to link IP addresses to specific countries or locations)
- Scientific purposes (by universities or research institutes)
- Internet networking purposes (by other RIRs)
While the first three purposes can justify bulk access to most of the data contained in the RIPE Database, bulk access to personal data cannot be justified because it is not in line with the purpose of processing personal data in the RIPE Database (see above section 3.2.3).
As far as the fourth purpose is concerned, the DPTF highlighted the following issue: If the personal data contained in the RIPE Database is made available through other RIR databases, there is no guarantee that users searching those databases have agreed to the RIPE Database Terms and Conditions. Agreeing to these terms and conditions would oblige users to adhere to lawful use of the personal data as required by the Act (see above section 3.2.3). While other RIR databases serve the same purposes as the RIPE Database, the jurisdictions in which other RIRs operate do not offer the same level of data protection as Dutch law.
Therefore, the DPTF proposed that NRTM and Bulk Access should only be offered without personal data.
3.3.3 Abuse contact information
In order to increase efficiency and accuracy with regards to reporting abusive behavior to the correct network operator, in November 2011 a new policy proposal [14] was introduced to tackle this matter. The Abuse Contact Management Task Force established by the RIPE community was tasked to examine the possibility of introducing a new contact attribute named “abuse-c:” as a standard way of documenting abuse contact details in the RIPE Database. In this way, the maintainers would be assisted in organising their provided information and every interested party would be helped to find the correct abuse contact information more easily.
Since September 2012 when the policy was accepted and the beginning of 2013 when the relevant policy [15] was implemented, the maintainers are responsible for indicating the contact details for the abusive behavior. The email contacts that the proposed attribute will document are available “with no restrictions on bulk access” in order to allow automated abuse reporting processes. This means that these email contacts will not be filtered when the RIPE Database information is made available in a bulk way (e.g., through NRTM, proxy services, etc.).
The new contact attribute “abuse-c:” should not reference personal data. However, if the maintainers do set up the “abuse-c:” attribute to reference email contacts which could be considered to be personal data, it is the maintainers' responsibility to inform the individuals whose contact details will be referenced and obtain their prior consent. Moreover, the individuals need to be informed that their email contacts will be processed in a bulk way and obtain their consent on this kind of use of their data.
4. Implementation of the Legal Framework in Other RIPE NCC Services
Aside from the RIPE Database, the DPTF examined the use of personal data by the RIPE NCC in relation to other RIPE NCC services. The RIPE NCC provides other services and activities that may require the processing of members' personal information. In this case, the RIPE NCC is clearly the responsible party as defined by the Act (see above section 2.1) because it defines the purpose and means of processing personal data.
Under the Act, the purposes for the collection and process of personal data must be clearly defined and made known to the data subject before the submission of their personal data. Therefore the DPTF proposed the drafting of a privacy statement that outlines the purposes of processing personal data by the RIPE NCC and the details of such processing.
4.1. Purposes of processing personal data
Personal data may be asked for and processed by the RIPE NCC for the following purposes:
- Provision of requested RIPE NCC services
The RIPE NCC may request contact details in order to provide requested services. It may also process messages from individuals requesting services or providing information in order to receive services. - Mailing lists
The RIPE NCC operates various mailing lists where individual members of the RIPE community share their personal opinion publicly. In order for the RIPE NCC to subscribe an individual to a mailing list, an email address is requested. The individual can choose to submit an email address that reveals their personal name or not. The messages sent by this email to the mailing lists, including the submitted email address, the name of the sender (if revealed) and the date are published in the mailing lists and mailing list archives to support the open and transparent RIPE Policy Development Process. - Event registration and administration for meetings, training courses and other organised events
The RIPE NCC may publish lists of attendees on a website as part of its commitment to open and transparent policy development. These lists contain the name of the attendee and their organisation, but no contact details or other personal details. The possibility may be given for subscribers to voluntarily add more personal details (such as their email address or picture) for networking purposes. The details and extent of exposure of this data will be made known to the individual before they decide to submit this extra data. - Announcements
The RIPE NCC may use contact details provided for the above purposes in order to send information relevant to the purpose for which the individual submitted their personal data. For example, if an individual submitted their personal data for registration to an event, the RIPE NCC may send that person announcements regarding RIPE Meetings, training courses and other organised events.
The RIPE NCC may also on occasion forward public messages to a particular mailing list if it is relevant and appropriate for that list. If an individual does not wish to receive such messages, they can unsubscribe at any time. There is one mailing list ([email protected]) to which all RIPE NCC members must be subscribed so that they receive information relevant to the activities of the RIPE NCC (such as General Meeting (GM) convocations, GM resolutions, etc.). It is an obligation of the RIPE NCC to inform its members of these activities; therefore, subscription to this mailing list is mandatory.
4.2. Transfer of personal data to third parties
Data collected for the above purposes may be transferred to third parties engaged by the RIPE NCC for the provision of the services requested by the data subject. The information shared in this case is limited to what is required for provision of the service. Personal data is transferred to third party service providers to ensure equivalent levels of security and protection to those provided the RIPE NCC.
In addition to the above, the RIPE NCC may register, process or transfer personal data where such is required pursuant to a statutory duty.
4.3. Accessing and changing personal data
As mentioned above (section 2.3), data subjects have the right to ask the responsible party to correct or delete their personal data. The privacy statement outlines the details for this process.
4.4. Cookies
“Cookies” are small files that a web browser can record after visiting a website. These files are set on a person's computer (or any other device used to visit a website) through the web browser. The use of cookies is regulated by the Dutch Telecommunications Act (Telecommunicatiewet), hereafter “the DTA”[16].
According to the DTA, the installation of or access to cookies (or equivalent technology) on the terminal equipment of a user may take place only if the user:
- Is clearly and sufficiently informed about the purpose of the installation of or access to the cookie, and;
- Has given their consent prior to the installation of or access to the cookie.
The law does not apply to cookies that have as their sole purpose:
- Carrying a communication through the electronic communication network
- Delivery of services requested by the user and that are strictly necessary for the service
Additionally, the European Union Article 29 Working Party[17] has issued an opinion on Cookie Consent Exemption[18] which analyses whether various types of cookies fall under this exemption. Among others, the analysis examines the so-called “first party analytics” type of cookies:
“Analytics are statistical audience measuring tools for websites, which often rely on cookies. These tools are notably used by website owners to estimate the number of unique visitors, to detect the most preeminent search engine keywords that lead to a webpage or to track down website navigation issues […]
While they are often considered as a “strictly necessary” tool for website operators, they are not strictly necessary to provide a functionality explicitly requested by the user (or subscriber). […] As a consequence, these cookies do not fall under the exemption […].
However the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms that are applied to other collected identifiable information such as IP addresses.” [19]
Websites operated by the RIPE NCC use cookies that:
- Are strictly necessary for the provision of the services that are available through the website and facilitate the use of these services (e.g. to identify when the user is logged in). These types of cookies do not fall under the scope of the DTA.
- Improve the user's experience by recording information about the user's settings (e.g. location). These types of cookies fall under the scope of the DTA and the RIPE NCC must therefore inform the user and obtain their consent.
- Collect anonymous statistical information on the use of the website that helps improve the performance of the RIPE NCC website itself (e.g. the number of visitors to each part of the RIPE NCC's websites and their origin).
- Help study the IPv6 capability of visitors by making sure that the IPv6 capability of a visitor is measured only once
The last two types of cookies are considered "first party analytics", according to the opinion of the Article 29 Working Group. Based on this opinion, the RIPE NCC provides appropriate privacy safeguards[20].
The RIPE NCC does not use cookies for online behavioural advertising purposes, nor does it share information collected via cookies with any third parties.
version 20141218
[1] Article 1 of the Act
[2] In other European national laws, the “responsible party” is referred to as the “data controller”
[3] Articles 6-11 of the Act
[4] Articles 33-34 of the Act
[5] Article 36 of the Act
[6] https://www.ripe.net/participate/ripe/tf/dp
[7] Article 3 of the RIPE Database Terms and Conditions
[8] Article 4 of the RIPE Database Terms and Conditions
[9] https://apps.db.ripe.net/docs/removal-of-personal-data/
[10] More information in the procedural document (see footnote [9] )
[11] More information here: https://apps.db.ripe.net/docs/Database-Support/Clean-up-of-Unreferenced-Data/
[12] More information here: http://www.ripe.net/data-tools/support/documentation/white-pages
[13] The current AUP is available here.
[14] https://www.ripe.net/participate/policies/proposals/2011-06
[15] https://www.ripe.net/publications/docs/ripe-documents/ripe-705
[16] Art 11.7.a of the DTA
[17] The Article 29 Working Party is made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. More information here: http://ec.europa.eu/justice/data-protection/article-29/index_en.htm
[18] Opinion 04/2012 on Cookie Consent Exemption adopted on 7 June 2012 available here: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/index_en.htm
[19] Section 4.3 – “First Party Analytics”, Opinion 04/2012 (see footnote [18])
[20] More information available in the RIPE NCC privacy statement