[Community-Discuss] AFRINIC Borad Elections
JORDI PALET MARTINEZ
jordi.palet at consulintel.es
Wed Jul 10 08:22:10 UTC 2019
Hi John,
Right, those are the points that most of the people is missing:
Citizens and Residents of the EU are protected, never mind the infringement is committed outside that territory. You may decide not to pay the fine, but then that person/organization will not be able to continue doing business with the EU persons/organizations, and even more, if you at some point come to the EU, you can get detained until you pay the fine.
Mauritius signed an agreement with the EU about GDPR, so all the Mauritius organizations are also bound (Afrinic in our case). The same happened with Uruguay (so it happens the same with LACNIC).
Further, there is no need for a citizen to file a complaint in the courts (of course it can be done and it can claim even damages).
The process is much simpler. Any citizen/resident can file a free complaint, even via a web site if you have a digital certificate or equivalent (or by postal mail if you don’t have it), to the Data Protection Agency (of any EU country or equivalent entity in countries that signed the agreement with the EU). I’ve done that myself (even before GDPR), already about 2.000 times in the last 5 years, and I can tell that it works (and the companies pay fines), so I’m not talking about “smoke”.
The point is that in many cases, the Data Protection Agencies will open the case automatically by themselves. Before GDPR the maximum fine (for almost equivalent data protection breaches and spam) was 600.000 euros. Now is 20 million euros or up to 4% of the worldwide annual revenue of the prior financial year, whichever is higher.
So, just make sure that if you are managing phone numbers or emails from EU citizens, you comply with the GDPR, and don’t provide those data to “others” even to friends or colleagues, unless you have a previous and explicit consent from the owner.
One recent example (this week) about a big fine:
https://www.theverge.com/2019/7/8/20685830/british-airways-data-breach-fine-information-commissioners-office-gdpr
I just hope that Afrinic has already took sufficient measures to comply with GDPR. Those fines aren’t peanuts!
Right now, I just checked the privacy statement in the web site (https://afrinic.net/privacy). Sadly, I don’t think this is consistent with the latest GDPR (even for the Mauritius regulation).
The board meeting on 6th May 2018 talks about that and confirms that it will be resolved before 24th May 2018 (25th was the strict deadline). If that really happened, the web site doesn’t state that. Minutes from the April 2019 still keep talking about that, but nothing clear from my reading.
This needs to be corrected ****immediately****, or Afrinic can be subjected to very high fines.
Regards,
Jordi
@jordipalet
El 10/7/19 9:51, "John Walu" <walu.john at gmail.com> escribió:
@ Owen
GDPR territorial scope extends beyond Europe since its is EU citizen specific rather than geo-specific.
https://gdpr-info.eu/art-3-gdpr/
In other words, anyone (Data controller/processor) handling EU citizen data is automatically subject to the GDPR in the event of a data breach - irrespective of their geo-locality.
Ofcourse the main issue will be if the affected EU citizen will actually file a complaint in the EU Courts or not. The second issue is whether the EU courts will find the data controller guilty and if the fined/penalized entity will to pay up or ignore given their remoteness to EU centers of power. (nb:Facebook and Google have so far been paying up ;-)
Is AfriNIC bound by GDPR?
The simple answer is - it depends.
Do Afrinic processes and systems at any one point collect, store or process data that contains EU citizens?
If the answer is NO. Then they are not bound by GDPR.
If the answer is YES. Then they are potentially bound by GDPR to the extent that if that data is abused/breached, then they potentially face sanctions/penalties from EU courts.
Either way, Mauritius has one of the most comprehensive Data Protection legislation on the continent and any data breach can actually be litigated locally (without the need for GDPR) with penalties to AfriNIC (if for example it is determined that email targets/addresses were harvested from Afrinic digital resources without consent from the data subjects).
walu.
On Wed, Jul 10, 2019 at 8:04 AM Owen DeLong <owen at delong.com> wrote:
> On Jul 5, 2019, at 14:13 , JORDI PALET MARTINEZ via Community-Discuss <community-discuss at afrinic.net> wrote:
>
> Hi Alan,
>
> If the board can't investigate that, we may have a problem, because Afrinic has to comply with GDPR.
Why? AfriNIC is not located in the EU and does not solicit business with EU persons.
AfriNIC is not, by my reading, subject to the GDPR.
Even if they were, AfriNIC did not violate GDPR here. Wafa might have, but I don’t think she is subject to GDPR, either. Last I looked, Tunisia was outside EU jurisdiction.
> I don't know if those emails come from whois or something else, but some logs may tell.
Why is this relevant?
> I my opinion it will be nicer to get a response from Wafa, and I'm sure the community will be happy to forgive her. My intent is not to punish anyone, just to make sure that we find solutions to possible problems and mistakes and avoid repeating them.
I have no issue with the use of the email addresses. I think the far more important issue here is the message sent under color of authority which authority likely was not authorized to Wafa at the time.
Owen
>
> Regards,
> Jordi
> @jordipalet
>
>
>
> El 5/7/19 10:16, "Alan Barrett" <alan.barrett at afrinic.net> escribió:
>
>
>
>> On 3 Jul 2019, at 15:50, JORDI PALET MARTINEZ via Community-Discuss <community-discuss at afrinic.net> wrote:
>>
>> I’m angrier about this as much as I think on it again.
>>
>> Can the board and the staff investigate this?
>>
>> Can all the people that got those emails confirm if they have provided voluntarily their emails or if they have participated in Afrinic lists, or if those emails are part of their Afrinic contacts, in order to understand if this personal data (emails are personal data), have been collected from Afrinic internal databases.
>
> There is no reasonable way for AFRINIC staff to investigate whether the recipients had agreed to receive the messages sent by Wafa Dahmani. There is also no reasonable way for staff to investigate whether email addresses were collected from the public WHOIS database. There is no non-public AFRINIC database that could have been used.
>
> Regards,
> Alan Barrett
>
>
> _______________________________________________
> Community-Discuss mailing list
> Community-Discuss at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss
>
>
>
>
> **********************************************
> IPv4 is over
> Are you ready for the new Internet ?
> http://www.theipv6company.com
> The IPv6 Company
>
> This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
>
>
>
>
> _______________________________________________
> Community-Discuss mailing list
> Community-Discuss at afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss
_______________________________________________
Community-Discuss mailing list
Community-Discuss at afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss
**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company
This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/community-discuss/attachments/20190710/0c312456/attachment.html>
More information about the Community-Discuss
mailing list