[Community-Discuss] AFRINIC and the GDPR

Mike Silber silber.mike at gmail.com
Wed Apr 11 14:04:10 UTC 2018 

The GDPR language is very broad.

In recital 23 the drafters give some hints about what sorts of non-Union controllers may actually be covered. The full wording indicates:

(23) In order to ensure that natural persons are not deprived of the protection to which they are entitled under this Regulation, the processing of personal data of data subjects who are in the Union by a controller or a processor not established in the Union should be subject to this Regulation where the processing activities are related to offering goods or services to such data subjects irrespective of whether connected to a payment.

In order to determine whether such a controller or processor is offering goods or services to data subjects who are in the Union, it should be ascertained whether it is apparent that the controller or processor envisages offering services to data subjects in one or more Member States in the Union.

Whereas the mere accessibility of the controller's, processor's or an intermediary's website in the Union, of an email address or of other contact details, or the use of a language generally used in the third country where the controller is established, is insufficient to ascertain such intention, factors such as the use of a language or a currency generally used in one or more Member States with the possibility of ordering goods and services in that other language, or the mentioning of customers or users who are in the Union, may make it apparent that the controller envisages offering goods or services to data subjects in the Union.

In “non-lawyer” this means “it depends”.

Given AfriNIC has a regional focus in Africa, makes address space available in Africa and the provision of information by natural persons who are residents, citizens or otherwise located in the Union (on more than a transitory basis) is likely to be ancillary to AfriNIC's purpose: I think there is a very good chance that AfriNIC is not actually covered by the GDPR.

What is really interesting is that the actual consequences (as well as a more detailed definition to assist in determining applicability) will come our in the national law of Member States and not in the GDPR.

Now AfriNIC can go and spend a lot of money on consultants to assist in this determination …. or it can wait for the DPAs to make assessments, issue guidelines (individually or collectively) or make laws and then assess its situation. 

GDPR is the Y2K of this period (except there are more lawyers and consultants and fewer vendors making money this time around).

I think understanding is useful.

I think a call to action when no action may be required is premature.

> On 11 Apr 2018, at 15:44, Andrew Alston <Andrew.Alston at liquidtelecom.com> wrote:
> 
> Thanks Mike,
>  
> That’s actually pretty useful in some sense – but can I ask for an English interpretation of the last sentence for those of us that sadly don’t speak Lawyer ☺
>  
> Thanks
>  
> Andrew
>  
>  
> From: Mike Silber <silber.mike at gmail.com>
> Date: Wednesday, 11 April 2018 at 16:34
> To: "Abibu R. Ntahigiye" <abibu at tznic.or.tz>
> Cc: Andrew Alston <Andrew.Alston at liquidtelecom.com>, General Discussions of AFRINIC <community-discuss at afrinic.net>, AfriNIC Discuss <members-discuss at afrinic.net>
> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
>  
> If I can add to this, there is as yet no clear direction from the European DPAs as a collective on how GDPR affects whois access in general.
>  
> The RIPE NCC approach is premised on their interactions with the Dutch DPA, rather than a Europe wide approach.
>  
> In addition, I am not sure I concur with Mr Alston’s insistence that “holding data of EU citizens” automatically places AfriNIC into the category of data controller in terms of GDPR or imposes any requirements on AfriNIC, particularly as the GDPR applies to processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union.
>  
> The extraterritorial application is premised on a nexus requirement set out in general terms in Recital 23, but requiring specific determination in terms of national law by Member States.
>  
> Mike
>  
> 
> 
>> On 11 Apr 2018, at 13:36, Abibu R. Ntahigiye <abibu at tznic.or.tz <mailto:abibu at tznic.or.tz>> wrote:
>>  
>> Dear Andrew, Members and the whole Afrinic community,
>> Andrew has raised a very important issue for Afrinic operations - Thanks so much Andrew.
>> The Board would like to inform you that the issue was discussed within the Board at the Afrinic 27 meeting in Lagos and the Management was tasked to work on the issue.
>> The Board has also been made aware that the Mauritius Data Protection Act 2017 is already in effect and is aligned with the EU GDPR regulations.  The Board believes that these regulations are not a barrier to publication of the WHOIS data, and it has noted the RIPE NCC study that made such a finding.  The Board further believes that the biggest changes required by AFRINIC are in documenting how personal data is used, and in informing people at the time data is collected. 
>> The AFRINIC management will provide further updates on the issues at AIS 2018 in Senegal.
>> Further to the above, the Board expects to receive more insights on GDPR  related issues at the joint Boards (AfriNIC and RIPE NCC) meeting planned in Senegal.
>> 
>> Kind regards
>> 
>> 
>> On 11/04/2018 08:42, Andrew Alston wrote:
>>> Hi AfriNIC Board,
>>>  
>>> Can this board please *urgently* inform this community as to what preparations they have made as regards to compliance with the General Data Protection Regulations passed by the European Commision and the board will be in a position to give this community a full and complete report as to their GDPR compliance status and what will be changing before the 25th of May to ensure that when the GDPR comes into force AfriNIC is compliant.
>>>  
>>> Considering that the regulation comes into force on the 25th of May 2018 – and AfriNIC is 100% holding data of EU Citizens, which makes them subject to the regulations irrespective of the fact that they are domiciled in Mauritius – this is an urgent and critical issue.  It has direct impact on the whois database, abuse contact information, handling of data submitted during application process and potentially even the proposed review policy, just to name a few things that I can think of off the top of my head – and cannot be ignored.  I would in fact have liked to have seen discussions by the board in the minutes that have been published about the GDPR long before now – considering the impact – but failing that – the question is now being asked.
>>>  
>>> Andrew
>>>  
>>>  
>>> _______________________________________________
>>> Community-Discuss mailing list
>>> Community-Discuss at afrinic.net <mailto:Community-Discuss at afrinic.net>
>>> https://lists.afrinic.net/mailman/listinfo/community-discuss <https://lists.afrinic.net/mailman/listinfo/community-discuss>
>> 
>> -- 
>> Abibu R. Ntahigiye
>>  
>> CEO, tzNIC / Interim Chairman, Afrinic.
>> _______________________________________________
>> Community-Discuss mailing list
>> Community-Discuss at afrinic.net <mailto:Community-Discuss at afrinic.net>
>> https://lists.afrinic.net/mailman/listinfo/community-discuss <https://lists.afrinic.net/mailman/listinfo/community-discuss>
>  

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/community-discuss/attachments/20180411/01408dc3/attachment.html>

More information about the Community-Discuss mailing list