[db-wg] 2022-01 New Version Policy Proposal (Personal Data in the RIPE Database)

In message <YrEaVc7diIKX61MB at jima.tpb.net>, 
Niels Bakker <niels=dbwg at bakker.net> wrote:

>* Ronald F. Guilmette [Mon 20 Jun 2022, 07:03 CEST]:
>[..]
>>Consider an analogy: I run a dry cleaning shop in Hamburg.  You are 
>>my friend.  One day I let you into my back office and let you copy 
>>down the names and addresses of many, most, or all of my customers. 
>>You then go back home to the U.S.A. or to Zimbabwe, or at any rate 
>>to some jurisdiction where GDPR does not apply.  You then put all 
>>those names and address on your public web site?  Who is liable for 
>>this "leak" of PII, under GDPR?  Me or you?
>
>You are. If this is an open question for you then in practice you 
>don't know nearly enough about how GDPR works to have an opinion 
>worth listening to in this matter.

THANK YOU!  You have confirmed the exact point about GDPR that I was
attempting to make.

According to denis, there exist "some" (presumably that means more than
one) telecom companies in the RIPE region who are in the inexplicable
and unjustifiable habit of directly copying substantial amounts of the
Personally Identifiable Information (PII) relating to their own customers
directly into the RIPE WHOIS data base.  (Note however that we are still
waiting for denis to identify these alleged telecom companies.  Until he
does so, I personally will continue to question even the mere existance
of any such reckless and profligate telecoms.)

In any case, as denis would have us all believe, once these companies
copy their customer PII into the RIPE WHOIS data base, then RIPE does
exactly what it normally does, as a matter of routine, all day every day.
It publishes its WHOIS data base in such a way that the entire world can
view it, and thus the whole world becomes privy to the PII of the customers
of these (alleged) telecom companies.

denis contends that this makes RIPE responsible in some way, presumably
legally, for the publication of the relevant PII and that thus it is RIPE
that is violating GDPR... and on a grand scale.

I disagree entirely, and apparently you do also.

In such a scenario... even assuming that it actually exists at all, which
itself requires a great leap of faith...  it makes no sense at all to claim
that RIPE would be in any way, legally, ethically, or morally, responsible
for the GDPR violations represented by the publication of the telecom
customers' PII in the RIPE data base.  Rather, it would be the telecom
companies that, in the first instance, "leaked" the PII (in an unnecessary
and unjustifiable way) that would be the -only- parties that could, would,
or should ever be held responsible for the unnecessary leakage/publication
of their own customer PII.

I thank you for confirming that anyone holding a different view on this
rather simple and obvious point self-evidentally lacks a clear-eyed
understanding of how GDPR actually works.


Regards,
rfg


P.S.  See also:

     *)  "The Single-Publication Rule", and
     *)  47 USC 230(c)(1)

Although both of the above are quite clearly applicable only in relation to
U.S. litigation, I feel quite certain that GDPR also and similarly avoids
unfairly assigning legal responsibility for any and all improper leakage
of private and personal information to anyone other than the party or parties
responsible for the leak in the first instance.  Any other rule would make
no sense and would result in endless floods of litigation against innocent
third parties.

Furthermore, my reading of GDPR suggests to me that (using GDPR terminology)
in the scenario postulated by denis, the telecom companies would properly
be construed to be the data "controller" and perhaps even the "processor",
whereas RIPE could not reasonably be classified as being -either- a
"controller" -or- even a "processor" of the telecoms' customers' PII,
since it (RIPE) has not been explicitly or specifically contracted or
directed by the telecoms for, or in relation to the processing of the
customer PII at issue.