[db-wg] NWI-13 Geofeed Legal Analysis

On 29-07-2022 17:24 +0200, denis walker wrote:
> > The field is not PII. The contents of the geofeed file, which is
> > NOT
> > in the RIPE NCC service might or might not be, but this is at
> > worst,
> > an indirect pointer. The field is about addresses, it contains no
> > necessary PII in abstract. if I publish
> > http://some.where/~ggm/geofeed.csv then the URL has PII, Is that
> > really held to be a problem? Remember, I consented to posting the
> > URL,
> > I had to hold the maintainer password, the NCC didn't make me do
> > it.
> > 
> 
> The legal team will have to answer this question but is facilitating
> a service that leads to the identification of an individual the same
> (in law) as providing the PII directly?

I think this is murky.
GDPR still considers pointers to information to be Personal data. If
you have some personal data (let's say the customer Name) on a tablem
you can't "remove" if by creating a table of Names and storing in the
customer table the id of the name instead of the value. If the url was
hosted by RIPE, I would consider its contents to be part of the
database as well, and covered by it.
However, here the url (which may or may not contain PII) is handled by
the user (ti simplify, as it's unlikely they will not be hosting it
themselves). The RIPE db would contain a pointer, inserted by the user
(if so he wants, as it's optional), to a different database whose
contents and access are handled by the user itself. I think it can be
considered a different db whose controller is the person it might be
identifying. To further complicate things, a person that would already
be identifiable without the geofeed attribute.

So while I completely agree with not requiring any natural person to
reveal where they live (in an accurate way), the process of
implementing restrictions at RIPE whois fo allowing or not this
optional attribute, itself based on some fragile heuristics, seems
overkill. I think we would be better off adding a general purpose of
> * Providing a structural way in which to share additional
> optional information that the Registrant may wish to make available
> to third parties about their entries.


That's extremely broad, but as long as it on optional attributes (that
can be based on user consent) I think it should be fine, and it would
be in line with the actual expectations of the community.
If a group of network operators wanted to make their lyrical tastes in
their person objects, we (the community) should be able to focus on the
merits of the requested feature (how many people want it, how would
that impact the operation of the database, what would be the cost of
implementing it on the server, is this an appropriate place for the
information to be included…), without worrying if a preference for limericks could be considered personal identifying information that -despite the user opting-in to publish that- has not a legal basis that allows RIPE to host it.


Best regards


-- 
INCIBE-CERT - Spanish National CSIRT
https://www.incibe-cert.es/

PGP keys: https://www.incibe-cert.es/en/what-is-incibe-cert/pgp-public-keys

====================================================================

INCIBE-CERT is the Spanish National CSIRT designated for citizens,
private law entities, other entities not included in the subjective
scope of application of the "Ley 40/2015, de 1 de octubre, de Régimen
Jurídico del Sector Público", as well as digital service providers,
operators of essential services and critical operators under the terms
of the "Real Decreto-ley 12/2018, de 7 de septiembre, de seguridad de
las redes y sistemas de información" that transposes the Directive (EU)
2016/1148 of the European Parliament and of the Council of 6 July 2016
concerning measures for a high common level of security of network and
information systems across the Union.

====================================================================

In compliance with the General Data Protection Regulation of the EU
(Regulation EU 2016/679, of 27 April 2016) we inform you that your
personal and corporate data (as well as those included in attached
documents); and e-mail address, may be included in our records 
for the purpose derived from legal, contractual or pre-contractual
obligations or in order to respond to your queries. You may exercise
your rights of access, correction, cancellation, portability,
limitationof processing and opposition under the terms established by
current legislation and free of charge by sending an e-mail to
dpd at incibe.es. The Data Controller is S.M.E. Instituto Nacional de
Ciberseguridad de España, M.P., S.A. More information is available
on our website: https://www.incibe.es/proteccion-datos-personales
and https://www.incibe.es/registro-actividad.

====================================================================