[Community-Discuss] AFRINIC and the GDPR

Owen DeLong owen at delong.com
Wed Apr 11 16:31:38 UTC 2018



> On Apr 11, 2018, at 08:07 , John Walu <walu.john at gmail.com> wrote:
> 
> Further, unless you’re in a silly country that was dumb enough to sign a treaty extending EU’s legal reach into your sovereignty, such as the stupid congress of the United States, then you can offer the EU a nice big Italian sign language gesture regarding their GDPR and continue on with business as usual.
> 
> @Owen, the above is not entirely true.
> 
> EU regulation/GDPR does affect African countries in general. Or at least those wishing to remain trade partners with European Countries.
> 
> Most of Africa has little or no Data Protection/Privacy laws (with a few exceptions being Ghana, Mauritius, SA, etc). Kenya for example doesn't have one.
> 
> Should Kenya show the EU the middle finger?
> 
> Yes they could. But essentially, that middle finger will translate into losing money. 
> 
> A European Union Company would for example NOT dare engage (Data-wise/Business-wise) with a Kenyan partner/subsidiary that for example sells flowers to European destinations/customers since Kenyan privacy/data protection environment would be suspect.
> 
> Whereas the EU cannot directly hold the Kenyan company liable for breaches, it will penalize the European company thoroughly. The net effect is that most European companies would review their risk profiles with African partners and basically cut linkages or open new ones -  only with 'compliant' countries in Africa.

Sure… There’s the question of actual jurisdiction vs. voluntary compliance. Any given organization in Africa may find that it wishes to comply with GDPR voluntarily in order to avoid such issues, but my point was that the EU does not automatically have world-wide jurisdiction over other sovereign nations and unless some form of voluntary subjugation is created through treaty or other mechanisms (economic extortion by the EU as you have described, for example), then there are no actual legal consequences to an organization outside of the EU for violating GDPR.

> Unlike US, Africa does need EU Euros ;-). And so we will have to improve our Data protection regimes. Though it would have been good if we did it out of our own volition.

I personally think that GDPR goes too far and has a number of rather onerous requirements (maintaining a person on staff domiciled in the EU, for example) that should be closely examined by those feeling we should all just roll over and take it from the EU.

> Now more specifically for the Afrinic registry,
> 
> The board just needs to do an impact analysis of the GDPR on the Afrinic Company and share with members.

Yes.

> Just off my head, the data within the registry (IP, Whois, etc) would need to be protected. Essentially, if we have some data sitting in our Mauritius/SA registries and it relates to European citizens/subject then we need to review it in light of the GDPR requirements.  Essentially EU citizens/residents have a whole list of rights to the data (consent, delete, etc) and whoever is hosting it also has some obligations.

IF and only IF they are legally or voluntarily subject to EU jurisdiction. Apparently in the case of MU, due to treaties signed by MU and MU’s own DPA, AfriNIC is legally subject. Due to treaty obligations, US and US Organizations are subject.

Likely, Kenya is not legally subject (as Mike pointed out, there is clarification needed on this), but Kenyan entities may wish to voluntarily subject themselves in order to preserve their ability to do business with certain organizations in EU. This is an individual and voluntary decision which must be made by each entity, however, rather than legal subjugation.

The clarification is that while EU may consider them legally subject, the EU’s ability to enforce EU law upon entities within Kenya is entirely up to the Kenyan government. Just as no US entity would take it seriously if Kenya passed a law requiring all US residents to wear red bandanas. Sure, if we were visiting Kenya, we’d likely wear the bandanas while we’re there, because that’s within Kenyan jurisdiction and we are during that time subject to Kenyan sovereignty. But while we’re home in the US, we’re not subject to Kenyan laws.

US gets creative on some of this subjecting its citizens to certain US laws regardless of location (for example, it’s illegal under US law for a US Citizen to conduct a space launch without authorization from the FAA Office of Space Transportation no matter where in the world said launch is conducted). However, they have no control whatsoever over what Kenyan citizens do in Kenya.

Owen

> 
> That's my 1bitcoin on the matter ;-)
> 
> walu. 
> 
> 
> 
> 
> 
> On Wed, Apr 11, 2018 at 9:08 AM, Owen DeLong <owen at delong.com> wrote:
> 
> 
>> On Apr 10, 2018, at 22:42 , Andrew Alston <Andrew.Alston at liquidtelecom.com> wrote:
>> 
>> Hi AfriNIC Board,
>>  
>> Can this board please *urgently* inform this community as to what preparations they have made as regards to compliance with the General Data Protection Regulations passed by the European Commission and the board will be in a position to give this community a full and complete report as to their GDPR compliance status and what will be changing before the 25th of May to ensure that when the GDPR comes into force AfriNIC is compliant.
> 
> Is Mauritius signatory to some treaty making them subject to GDPR?
>  
>> Considering that the regulation comes into force on the 25th of May 2018 – and AfriNIC is 100% holding data of EU Citizens, which makes them subject to the regulations irrespective of the fact that they are domiciled in Mauritius – this is an urgent and critical issue.  It has direct impact on the whois database, abuse contact information, handling of data submitted during application process and potentially even the proposed review policy, just to name a few things that I can think of off the top of my head – and cannot be ignored.  I would in fact have liked to have seen discussions by the board in the minutes that have been published about the GDPR long before now – considering the impact – but failing that – the question is now being asked.
> 
> It’s not about EU Citizens. It’s about EU Residents. (Common misconception about GDPR).
> 
> Further, unless you’re in a silly country that was dumb enough to sign a treaty extending EU’s legal reach into your sovereignty, such as the stupid congress of the United States, then you can offer the EU a nice big Italian sign language gesture regarding their GDPR and continue on with business as usual.
> 
> Owen
> 
> 