This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[address-policy-wg] 2023-04 Review Phase (Add AGGREGATED-BY-LIR status for IPv4 PA assignments)
- Previous message (by thread): [address-policy-wg] 2023-04 Review Phase (Add AGGREGATED-BY-LIR status for IPv4 PA assignments)
- Next message (by thread): [address-policy-wg] 2023-04 Review Phase (Add AGGREGATED-BY-LIR status for IPv4 PA assignments)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Tore Anderson
tore at fud.no
Thu Jan 11 09:40:16 CET 2024
Hello Denis, On 11/01/24 01:40, denis walker wrote: > So personal data does not always need consent of the data > subject. But you only ever refer to (a) consent. There are indeed other possible lawful bases than consent, and this fact is precisely why I wrote (emphasis added): «Publishing this information requires *a* lawful basis, *e.g.*, consent.» Consent is however the only lawful basis singled out by the RIPE NCC in the RIPE Database Terms and Conditions and in the 2023-04 Impact Analysis, so it seems reasonable to assume that some LIRs will seek consent. Therefore we need to examine what that actually means in practice. You sum it up quite accurately below: > If we take the latest revelation in the IA on 2023-04, ALL PII needs > consent, this has HUGE implications for the RIPE NCC and RIPE policy > generally. We MUST have a good understanding of the legal basis for > entering PII into the RIPE Database. Consent cannot be conditional. So > if a resource holder who is a natural person withdraws their consent > to have their PII in the database, it MUST be removed. That may leave > an allocation and organisation with no identity or contacts. That > would be a policy violation. BUT the resource cannot be reclaimed as > that would have made the consent conditional. Also we have an abuse > policy that requires all resources to have an abuse contact. If that > contact is a natural person and they withdraw their consent their > details must be deleted. Again that creates a policy violation. But > the resource cannot be reclaimed again as that would have made the > contact details consent conditional. Your conclusion that this situation results in a policy violation, is however entirely contingent on your interpretation of the current policy as mandating the publication of the End User's (non-delegated) contact information. Under the RIPE NCC's interpretation of the current policy, on the other hand, this situation is entirely unproblematic. Under their interpretation, the LIR has, quote, «freedom to take over the responsibility as the point of contact for their End User». No PII, no GDPR, no problem. https://www.ripe.net/ripe/mail/archives/address-policy-wg/2023-November/013892.html > Again you have selected just one example that can support your > argument, Farmer Fred. I could have used KPN or Apple Inc as an > example which would negate your argument. KPN or Apple would not be relevant examples, as they (presumably) would use non-personal NOC roles which are not PII, and thus out of scope of the GDPR. There are certainly many End Users whose contact information is not PII, but that does not «negate» the fact that there are also many End Users whose contact information *is* PII. Both types of End Users must be catered to by the address policy. Tore & Jeroen
- Previous message (by thread): [address-policy-wg] 2023-04 Review Phase (Add AGGREGATED-BY-LIR status for IPv4 PA assignments)
- Next message (by thread): [address-policy-wg] 2023-04 Review Phase (Add AGGREGATED-BY-LIR status for IPv4 PA assignments)
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]