[ncc-services-wg] Personal Data and Database Proxy services

On 3 Jan 2013, at 11:53, Andrey Semenchuk <andrey at trifle.net> wrote:

> Jim Reid wrote:
>> On 2 Jan 2013, at 18:43, Andrey Semenchuk <andrey at trifle.net> wrote:
>>  
>>> the phone number is not the personal information    
>> Sorry Andrey, it is.
>> 
>> In the context of EU Data Protection legislation, ANY data identifying a Living Person is Personal Data. 
> "Person" object intended to identify employer of the organisation that holds objects in the RIPE database (aut-num, domain, inet-num, etc).

Nope. Well, not always. The name of this object is a massive hint about the thing it identifies. :-) And not all objects in the database are held by organisations either. Sometimes IP resources are held by individuals. [An ISP added me to the database (without my consent or knowledge) when they gave me a /29. They later deleted that when I handed the space back. The ISP's policy was to populate the database with the contact details for every customer assignment they made. They buried a consent clause in the very small print of their customer contract.] Some organisations will be sole traders or one-person companies. In those cases pretty much all of the data about one of those organisations is Personal Data because they identify the individual who operates or owns that organisation.

> In this case the phone int person object is not the personal phone but the phone provided by employer. ...

> If we wants to make data protection safer - ok, let's strip phone information from the database output of the person object.

Andrey, you're focusing on unimportant detail and missing the bigger picture. This is not about phone numbers or what they might be used for in some contexts. If you want to discuss that, take it elsewhere. Deleting these (or email addresses or....) from contact objects will not solve anything. [And good luck getting consensus for a revised person object which also satisfies contradictory international requirements for Data Protection, privacy and Law Enforcement.] There will still be Personal Data in the database which has to be protected even if phone numbers are removed. Your name is Personal Data.

Your DPA might well say the organisation field of a contact object is not Personal Data. Mine may well say the exact opposite. Or, worse, both say it depends on the context in which the Personal Data get used. ie: It might be OK for Hollywood's lawyers to mine whois for chasing down copyright violation but not OK for spammers to harvest email addresses from whois.

This gets very murky very quickly. The subject is about levels of greyness and there's very little that lends itself to a clear black/white or yes/no decision.

> Is there any chance to identify Data Processor systems? Not the person who queries RIPE database search but any type of Data Processor system? It's not. Any data processor system can make a single request from IP address in a day (in IPv6 address space it's not a problem) and none system will tell this data processor system from the user who queries the database

You seem to be focusing on detail and missing the bigger picture again. The terms Data Controller and Data Processor have specific definitions in Data Protection legislation. [I capitalise these terms to make it clear the formal definitions apply instead of a more generic or informal use.] These terms apply to roles. The specifics of the systems or procedures that someone/something in one of those roles may use don't matter: that's implementation detail. If you want a detailed explanation I suggest you consult the EU Directives, prevailing national law and a competent lawyer who understands this field. I am not a lawyer.

Broadly speaking, the NCC is the Data Controller for the database. They are the legal entity responsible for it and how it gets used. Anyone or anything manipulating that database or extracting data from it (or possibly even just doing a lookup on it) is a Data Processor. As a Data Controller the NCC must ensure that the Data Processor does so in accordance with the EU Directive and Dutch law.

You also seem to be more concerned about the identify of whatever is making a database lookup. That's not the issue. It's about the data which is provided as a result of that lookup. For regular whois lookups, there's usually a pile of legalese in the response which says what the data can and can't be used for. That's usually enough to keep the DPA happy. However if there's a bulk export of some database for a Data Processor to use for something else, the DPA will almost certainly insist on a paper contract between the Data Processor and the Data Controller.

> The current question with data protection exists because the database provide personal data. And all we should do - is to cut personal data from the output.

A discussion about how or if Personal Data about IP resource holders get published will go round in circles forever and quickly degenerate into a screaming match. So I suggest we don't start that.

> As soon we provide access to personal data that are stored (or may be stored) in RIPE database on any basis - the first question should be not about relations between RIPE and third parties that may collect and process that data. The first question should be: is every person who stores personal data in the RIPE database agrees with this situation and allow to collect/process his/her data by any organisation except RIPE?

That's a good question. But the wrong one. For one thing, many people don't know about the RIPE database, let alone that their details might be in it. I expect the current setup satisfies the Dutch authorities. So provided they're happy, it's best not to (re)open the whois can of worms. A better question would be "is there consensus that the RIPE database provides satisfactory mechanisms for individuals to protect or conceal their Personal Data and publishes information on how to use those mechanisms?

> If the person wished to provide free access to his/her personal data - RIPE should provide this access without any limitation. All data protection RIPE should provide - is a storage protection. If the person wishes to provide this information to RIPE only - no personal data should be displayed to any other third party. It's so simple!

It's not. Anyone who thinks it is that simple does not understand the problem space. Sorry.

> We're trying to answer to question that is not the main question by itself. The main question is: provide or do not provide personal information to third parties?

It's not that simple. It depends on what the third party wants the data for. As an example, you might think it's a no-brainer to provide that third party access to law enforcement. We all want to prevent crime and help the police catch bad guys. But suppose the cops are hunting whoever's hosting Wikileaks this week or Mugabe's goons want to arrest human rights campaigners. What then? OK, Zimbabwe's not in our service region but you get the general idea.