[Community-Discuss] AFRINIC and the GDPR

McTim mctimconsulting at gmail.com
Wed Apr 11 15:43:37 UTC 2018 

Here is the ARIN blog post about it:

https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/

Rgds,

McTim

On Wed, Apr 11, 2018 at 11:00 AM, Dabu Sifiso <dabu.sifiso at yandex.com>
wrote:

>
> Interesting discussion.
>
> It seems many are not aware of the reality of the European Union's extent
> and how RIR divided the world:
>
> https://www.arin.net/vault/about_us/bot/bot2017_1005.html
> "Merike Kaeo indicated that due to General Data Protection Regulations
> (GDPR), organizations are going 'dark' with their information because the
> fines are so high. The President provided more background on GDPR, and
> indicated ARIN was in good shape with regard to GDPR due to its service
> region."
>
> https://www.nro.net/about-the-nro/list-of-country-codes-and-
> rirs-ordered-by-country-code/
> Martinique is part of France and EU but is serviced by ARIN, not by RIPE
> and there are some more serviced at ARIN.
>
> If what Mike and Owen are saying is correct, the RIR being outside of EU
> is not obliged to be in line with those new rules, but the members from
> France (La Reunion, Mayotte) are responsible under French/EU laws?
>
> The few things I found in regards to GDPR was about exporting private data
> to outside of the European Union, does that mean those members will not be
> able to make use of the AFRINIC database unless they get confirmation that
> AFRINIC is compliant with that GDPR?
>
> Will AFRINIC move those members and their information to the RIPE where
> they will be within the legislation of their own laws?
>
>
>
> 11.04.2018, 09:30, "Kris Seeburn" <seeburn.k at gmail.com>:
>
> Mike
>
> Réunion and Mayotte are the outermost region
> <https://en.wikipedia.org/wiki/Special_member_state_territories_and_the_European_Union> of
> the European Union <https://en.wikipedia.org/wiki/European_Union> and, as
> an overseas department of France, part of the Eurozone
> <https://en.wikipedia.org/wiki/Eurozone>
>
>
>
>
> On Apr 11, 2018, at 18:23, Mike Silber <silber.mike at gmail.com> wrote:
>
> They are not Member States.
>
> And Owen is not really that accurate in his interpretation. He mixes up
> enforcement (real nexus through operations) with some theoretical
> applicability which is poorly defined and has no practical expression in
> the GDPR and will need national DPAs to provide teeth.
>
>
> On 11 Apr 2018, at 16:19, Andrew Alston <Andrew.Alston at liquidtelecom.com>
> wrote:
>
> Owen,
>
> Would the fact that AfriNIC serves  La Réunion and Mayotte not create
> such a nexus since both are formally part of the EU?
>
> In the same way – there are various EU members served by ARIN?
>
>
> Andrew
>
>
> *From:* Owen DeLong [mailto:owen at delong.com <owen at delong.com>]
> *Sent:* 11 April 2018 17:12
> *To:* Andrew Alston <Andrew.Alston at liquidtelecom.com>
> *Cc:* Mike Silber <silber.mike at gmail.com>; Abibu R. Ntahigiye <
> abibu at tznic.or.tz>; General Discussions of AFRINIC <
> community-discuss at afrinic.net>; AfriNIC Discuss <
> members-discuss at afrinic.net>
> *Subject:* Re: [Community-Discuss] AFRINIC and the GDPR
>
> Roughly translated:
>                The ability of EU to inflict GDPR on those operators
> outside of EU is predicated on that operator
>                having some business operation or presence within the EU
> which allows them to subject you to their
>                jurisdiction. Determining that you have said presence
> requires a specific determination by the
>                EU member state where said presence exists.
>
> I’m pretty sure AfriNIC has no such nexus.
>
> However, what is left out of Mike’s statement is the potential that any
> other country may have signed some
> sort of treaty with the EU (or a member state) which subjects them to GDPR
> and/or grants additional
> extraterritorial rights to the EU. Such is (unfortunately) the case with
> the US, for example.
>
> Another key point is that EU citizens not living in Europe are not covered
> by GDPR. Non-EU citizens living
> within the EU are covered by GDPR. (At least that is my understanding…
> AIUI, GDPR applies to EU residents,
> not EU citizens.)
>
> Owen
>
>
>
>
> On Apr 11, 2018, at 06:44 , Andrew Alston <Andrew.Alston at liquidtelecom.com>
> wrote:
>
> Thanks Mike,
>
> That’s actually pretty useful in some sense – but can I ask for an English
> interpretation of the last sentence for those of us that sadly don’t speak
> Lawyer ☺
>
> Thanks
>
> Andrew
>
>
> *From: *Mike Silber <silber.mike at gmail.com>
> *Date: *Wednesday, 11 April 2018 at 16:34
> *To: *"Abibu R. Ntahigiye" <abibu at tznic.or.tz>
> *Cc: *Andrew Alston <Andrew.Alston at liquidtelecom.com>, General
> Discussions of AFRINIC <community-discuss at afrinic.net>, AfriNIC Discuss <
> members-discuss at afrinic.net>
> *Subject: *Re: [Community-Discuss] AFRINIC and the GDPR
>
> If I can add to this, there is as yet no clear direction from the European
> DPAs as a collective on how GDPR affects whois access in general.
>
> The RIPE NCC approach is premised on their interactions with the Dutch
> DPA, rather than a Europe wide approach.
>
> In addition, I am not sure I concur with Mr Alston’s insistence that
> “holding data of EU citizens” automatically places AfriNIC into the
> category of data controller in terms of GDPR or imposes any requirements on
> AfriNIC, particularly as the GDPR applies to processing of personal data in
> the context of the activities of an establishment of a controller or a
> processor in the Union.
>
> The extraterritorial application is premised on a nexus requirement set
> out in general terms in Recital 23, but requiring specific determination in
> terms of national law by Member States.
>
> Mike
>
>
>
>
>
> On 11 Apr 2018, at 13:36, Abibu R. Ntahigiye <abibu at tznic.or.tz> wrote:
>
> Dear Andrew, Members and the whole Afrinic community,
> Andrew has raised a very important issue for Afrinic operations - Thanks
> so much Andrew.
> The Board would like to inform you that the issue was discussed within the
> Board at the Afrinic 27 meeting in Lagos and the Management was tasked to
> work on the issue.
> The Board has also been made aware that the Mauritius Data Protection Act
> 2017 is already in effect and is aligned with the EU GDPR regulations.  The
> Board believes that these regulations are not a barrier to publication of
> the WHOIS data, and it has noted the RIPE NCC study that made such a
> finding.  The Board further believes that the biggest changes required by
> AFRINIC are in documenting how personal data is used, and in informing
> people at the time data is collected.
> The AFRINIC management will provide further updates on the issues at AIS
> 2018 in Senegal.
> Further to the above, the Board expects to receive more insights on GDPR
> related issues at the joint Boards (AfriNIC and RIPE NCC) meeting planned
> in Senegal.
>
> Kind regards
>
>
>
>
> On 11/04/2018 08:42, Andrew Alston wrote:
>
> Hi AfriNIC Board,
>
> Can this board please **urgently** inform this community as to what
> preparations they have made as regards to compliance with the General Data
> Protection Regulations passed by the European Commision and the board will
> be in a position to give this community a full and complete report as to
> their GDPR compliance status and what will be changing before the 25th of
> May to ensure that when the GDPR comes into force AfriNIC is compliant.
>
> Considering that the regulation comes into force on the 25th of May 2018
> – and AfriNIC is 100% holding data of EU Citizens, which makes them subject
> to the regulations irrespective of the fact that they are domiciled in
> Mauritius – this is an urgent and critical issue.  It has direct impact on
> the whois database, abuse contact information, handling of data submitted
> during application process and potentially even the proposed review policy,
> just to name a few things that I can think of off the top of my head – and
> cannot be ignored.  I would in fact have liked to have seen discussions by
> the board in the minutes that have been published about the GDPR long
> before now – considering the impact – but failing that – the question is
> now being asked.
>
> Andrew
>
>
>
> _______________________________________________
>
> Community-Discuss mailing list
>
> Community-Discuss at afrinic.net
>
> https://lists.afrinic.net/mailman/listinfo/community-discuss
>
>
>
>
>
> --
>
> Abibu R. Ntahigiye
>
>
>
> CEO, tzNIC / Interim Chairman, Afrinic.
>
> _______________________________________________
> Community-Discuss mailing list
> Community-Discuss at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss
>
>
> _______________________________________________
> Community-Discuss mailing list
> Community-Discuss at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss
>
> _______________________________________________
> Community-Discuss mailing list
> Community-Discuss at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss
>
>
>
>
> Kris Seeburn
> seeburn.k at gmail.com
>
>    - www.linkedin.com/in/kseeburn/
>
>    "Life is a Beach, it all depends at how you look at it"
>
>
> ,
>
> _______________________________________________
> Community-Discuss mailing list
> Community-Discuss at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss
>
> _______________________________________________
> Community-Discuss mailing list
> Community-Discuss at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/community-discuss/attachments/20180411/2f2a543e/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: KeepItOn_Social_animated.gif
Type: image/gif
Size: 51490 bytes
Desc: not available
URL: <https://lists.afrinic.net/pipermail/community-discuss/attachments/20180411/2f2a543e/attachment.gif>

More information about the Community-Discuss mailing list