[Community-Discuss] AFRINIC and the GDPR

Wed Apr 11 16:51:46 UTC 2018

Hi McTim,

Thnx for posting the ARIN position.  Obviously very detached - based on the
valid reasons they give ;-)

It may also be nice to read the RIPE position.  I think it would be more
relevant for Afrinic. Have a read.

https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr-the-ripe-database
and
https://labs.ripe.net/Members/Athina/gdpr-legal-grounds-for-lawful-personal-data-processing-and-the-ripe-database

RIPE had to tweak a few things here and there.  Afrinic may borrow useful
lessons there.

Think of a European Telco/ISP with branches/subsidiary in Kenya. The
European Hq  (the Data controllers) may not wish to be penalized by EU
courts for breaches incurred in Kenya by their corresponding subsidiary
(their Data Processor).  Whereas this example may NOT directly apply to the
Afrinic registry/business, it spells out the potential the level of
linkages that need to be analysed.

For example, EU Telcos/ISPs with subsidiaries in Africa may wish to review
the exposure/risk that those subsidiaries present by having their data in
the AfriNIC WHOIS database. They may not want to be caught up in the Data
controller/Data Processor penalties. Whereas they cant force Afrinic to be
compliant (if it is not), they will however chose whether to remain in
Africa and pay penalties - in case of breaches. Iff the feel the risk is
not worth it, the will vote with their feet (divest), is that good for
Afrinic?.

Another  legal route I have observed happening is most Multinationals based
in EU are simply changing ownership, to be domesticated in Africa.
(Barclays, Vodacom?) That way you escape liability. And that is good for
them.

We should also find out what is good for us as Afrinic with respect to this
GDPR business.

walu.

On Wed, Apr 11, 2018 at 6:43 PM, McTim <mctimconsulting at gmail.com> wrote:

> Here is the ARIN blog post about it:
>
> https://teamarin.net/2018/03/20/personal-data-privacy-
> considerations-at-arin/
>
> Rgds,
>
> McTim
>
> On Wed, Apr 11, 2018 at 11:00 AM, Dabu Sifiso <dabu.sifiso at yandex.com>
> wrote:
>
>>
>> Interesting discussion.
>>
>> It seems many are not aware of the reality of the European Union's extent
>> and how RIR divided the world:
>>
>> https://www.arin.net/vault/about_us/bot/bot2017_1005.html
>> "Merike Kaeo indicated that due to General Data Protection Regulations
>> (GDPR), organizations are going 'dark' with their information because the
>> fines are so high. The President provided more background on GDPR, and
>> indicated ARIN was in good shape with regard to GDPR due to its service
>> region."
>>
>> https://www.nro.net/about-the-nro/list-of-country-codes-and-
>> rirs-ordered-by-country-code/
>> Martinique is part of France and EU but is serviced by ARIN, not by RIPE
>> and there are some more serviced at ARIN.
>>
>> If what Mike and Owen are saying is correct, the RIR being outside of EU
>> is not obliged to be in line with those new rules, but the members from
>> France (La Reunion, Mayotte) are responsible under French/EU laws?
>>
>> The few things I found in regards to GDPR was about exporting private
>> data to outside of the European Union, does that mean those members will
>> not be able to make use of the AFRINIC database unless they get
>> confirmation that AFRINIC is compliant with that GDPR?
>>
>> Will AFRINIC move those members and their information to the RIPE where
>> they will be within the legislation of their own laws?
>>
>>
>>
>> 11.04.2018, 09:30, "Kris Seeburn" <seeburn.k at gmail.com>:
>>
>> Mike
>>
>> Réunion and Mayotte are the outermost region
>> <https://en.wikipedia.org/wiki/Special_member_state_territories_and_the_European_Union> of
>> the European Union <https://en.wikipedia.org/wiki/European_Union> and,
>> as an overseas department of France, part of the Eurozone
>> <https://en.wikipedia.org/wiki/Eurozone>
>>
>>
>>
>>
>> On Apr 11, 2018, at 18:23, Mike Silber <silber.mike at gmail.com> wrote:
>>
>> They are not Member States.
>>
>> And Owen is not really that accurate in his interpretation. He mixes up
>> enforcement (real nexus through operations) with some theoretical
>> applicability which is poorly defined and has no practical expression in
>> the GDPR and will need national DPAs to provide teeth.
>>
>>
>> On 11 Apr 2018, at 16:19, Andrew Alston <Andrew.Alston at liquidtelecom.com>
>> wrote:
>>
>> Owen,
>>
>> Would the fact that AfriNIC serves  La Réunion and Mayotte not create
>> such a nexus since both are formally part of the EU?
>>
>> In the same way – there are various EU members served by ARIN?
>>
>>
>> Andrew
>>
>>
>> *From:* Owen DeLong [mailto:owen at delong.com <owen at delong.com>]
>> *Sent:* 11 April 2018 17:12
>> *To:* Andrew Alston <Andrew.Alston at liquidtelecom.com>
>> *Cc:* Mike Silber <silber.mike at gmail.com>; Abibu R. Ntahigiye <
>> abibu at tznic.or.tz>; General Discussions of AFRINIC <
>> community-discuss at afrinic.net>; AfriNIC Discuss <
>> members-discuss at afrinic.net>
>> *Subject:* Re: [Community-Discuss] AFRINIC and the GDPR
>>
>> Roughly translated:
>>                The ability of EU to inflict GDPR on those operators
>> outside of EU is predicated on that operator
>>                having some business operation or presence within the EU
>> which allows them to subject you to their
>>                jurisdiction. Determining that you have said presence
>> requires a specific determination by the
>>                EU member state where said presence exists.
>>
>> I’m pretty sure AfriNIC has no such nexus.
>>
>> However, what is left out of Mike’s statement is the potential that any
>> other country may have signed some
>> sort of treaty with the EU (or a member state) which subjects them to
>> GDPR and/or grants additional
>> extraterritorial rights to the EU. Such is (unfortunately) the case with
>> the US, for example.
>>
>> Another key point is that EU citizens not living in Europe are not
>> covered by GDPR. Non-EU citizens living
>> within the EU are covered by GDPR. (At least that is my understanding…
>> AIUI, GDPR applies to EU residents,
>> not EU citizens.)
>>
>> Owen
>>
>>
>>
>>
>> On Apr 11, 2018, at 06:44 , Andrew Alston <Andrew.Alston at liquidtelecom.c
>> om> wrote:
>>
>> Thanks Mike,
>>
>> That’s actually pretty useful in some sense – but can I ask for an
>> English interpretation of the last sentence for those of us that sadly
>> don’t speak Lawyer ☺
>>
>> Thanks
>>
>> Andrew
>>
>>
>> *From: *Mike Silber <silber.mike at gmail.com>
>> *Date: *Wednesday, 11 April 2018 at 16:34
>> *To: *"Abibu R. Ntahigiye" <abibu at tznic.or.tz>
>> *Cc: *Andrew Alston <Andrew.Alston at liquidtelecom.com>, General
>> Discussions of AFRINIC <community-discuss at afrinic.net>, AfriNIC Discuss <
>> members-discuss at afrinic.net>
>> *Subject: *Re: [Community-Discuss] AFRINIC and the GDPR
>>
>> If I can add to this, there is as yet no clear direction from the
>> European DPAs as a collective on how GDPR affects whois access in general.
>>
>> The RIPE NCC approach is premised on their interactions with the Dutch
>> DPA, rather than a Europe wide approach.
>>
>> In addition, I am not sure I concur with Mr Alston’s insistence that
>> “holding data of EU citizens” automatically places AfriNIC into the
>> category of data controller in terms of GDPR or imposes any requirements on
>> AfriNIC, particularly as the GDPR applies to processing of personal data in
>> the context of the activities of an establishment of a controller or a
>> processor in the Union.
>>
>> The extraterritorial application is premised on a nexus requirement set
>> out in general terms in Recital 23, but requiring specific determination in
>> terms of national law by Member States.
>>
>> Mike
>>
>>
>>
>>
>>
>> On 11 Apr 2018, at 13:36, Abibu R. Ntahigiye <abibu at tznic.or.tz> wrote:
>>
>> Dear Andrew, Members and the whole Afrinic community,
>> Andrew has raised a very important issue for Afrinic operations - Thanks
>> so much Andrew.
>> The Board would like to inform you that the issue was discussed within
>> the Board at the Afrinic 27 meeting in Lagos and the Management was tasked
>> to work on the issue.
>> The Board has also been made aware that the Mauritius Data Protection Act
>> 2017 is already in effect and is aligned with the EU GDPR regulations.  The
>> Board believes that these regulations are not a barrier to publication of
>> the WHOIS data, and it has noted the RIPE NCC study that made such a
>> finding.  The Board further believes that the biggest changes required by
>> AFRINIC are in documenting how personal data is used, and in informing
>> people at the time data is collected.
>> The AFRINIC management will provide further updates on the issues at AIS
>> 2018 in Senegal.
>> Further to the above, the Board expects to receive more insights on GDPR
>> related issues at the joint Boards (AfriNIC and RIPE NCC) meeting planned
>> in Senegal.
>>
>> Kind regards
>>
>>
>>
>>
>> On 11/04/2018 08:42, Andrew Alston wrote:
>>
>> Hi AfriNIC Board,
>>
>> Can this board please **urgently** inform this community as to what
>> preparations they have made as regards to compliance with the General Data
>> Protection Regulations passed by the European Commision and the board will
>> be in a position to give this community a full and complete report as to
>> their GDPR compliance status and what will be changing before the 25th of
>> May to ensure that when the GDPR comes into force AfriNIC is compliant.
>>
>> Considering that the regulation comes into force on the 25th of May 2018
>> – and AfriNIC is 100% holding data of EU Citizens, which makes them subject
>> to the regulations irrespective of the fact that they are domiciled in
>> Mauritius – this is an urgent and critical issue.  It has direct impact on
>> the whois database, abuse contact information, handling of data submitted
>> during application process and potentially even the proposed review policy,
>> just to name a few things that I can think of off the top of my head – and
>> cannot be ignored.  I would in fact have liked to have seen discussions by
>> the board in the minutes that have been published about the GDPR long
>> before now – considering the impact – but failing that – the question is
>> now being asked.
>>
>> Andrew
>>
>>
>>
>> _______________________________________________
>>
>> Community-Discuss mailing list
>>
>> Community-Discuss at afrinic.net
>>
>> https://lists.afrinic.net/mailman/listinfo/community-discuss
>>
>>
>>
>>
>>
>> --
>>
>> Abibu R. Ntahigiye
>>
>>
>>
>> CEO, tzNIC / Interim Chairman, Afrinic.
>>
>> _______________________________________________
>> Community-Discuss mailing list
>> Community-Discuss at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/community-discuss
>>
>>
>> _______________________________________________
>> Community-Discuss mailing list
>> Community-Discuss at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/community-discuss
>>
>> _______________________________________________
>> Community-Discuss mailing list
>> Community-Discuss at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/community-discuss
>>
>>
>>
>>
>> Kris Seeburn
>> seeburn.k at gmail.com
>>
>>    - www.linkedin.com/in/kseeburn/
>>
>>    "Life is a Beach, it all depends at how you look at it"
>>
>>
>> ,
>>
>> _______________________________________________
>> Community-Discuss mailing list
>> Community-Discuss at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/community-discuss
>>
>> _______________________________________________
>> Community-Discuss mailing list
>> Community-Discuss at afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/community-discuss
>>
>>
>
> _______________________________________________
> Community-Discuss mailing list
> Community-Discuss at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/community-discuss/attachments/20180411/5ebe82af/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: KeepItOn_Social_animated.gif
Type: image/gif
Size: 51490 bytes
Desc: not available
URL: <https://lists.afrinic.net/pipermail/community-discuss/attachments/20180411/5ebe82af/attachment-0001.gif>