Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[rpd] Internet Number Resources review

Kris Seeburn seeburn.k at
Sun Dec 11 14:55:24 UTC 2016


You may want to note that afrinic staff review already stated these:

The requirement that the review be conducted with "full transparency" may be in conflict with privacy provisions in NDAs, in the RSA, or in law.
The requirement to publish a "compliance report" may be in conflict with privacy provisions in NDAs, in the RSA, or in law.
I’ve already voiced that there be a revisit to this policy differently but i think pointing this in the DPA should be noted. Unless the NDA and RSA are modified to state that there is no confidentiality…. If that is the case.

These may help guide all. The data controller is an appointed staff of afrinic. Whether we state Mauritian law or else the NDA. In essence we need to note what is Public information and what is Private and confidential information.

29.            Unlawful disclosure of personal data <> <>
(1) Any data controller who, without lawful excuse, discloses personal data in any manner that is incompatible with the purposes for which such data has been collected shall commit an offence.

(2) Any data processor who, without lawful excuse, discloses personal data processed by him without the prior authority of the data controller on whose behalf such data is or has been processed shall commit an offence.

(3) Subject to subsection (4), any person who -

(a) obtains access to personal data, or obtains any information constituting such data, without prior authority of the data controller or data processor by whom such data is kept; and
(b) discloses the data or information to another person,
                   shall commit an offence.

(4) Subsection (3) shall not apply to a person who is an employee or agent of a data controller or processor and is acting within his mandate.

(5) Any person who offers to sell personal data where such personal data has been obtained in breach of subsection (1) shall commit an offence.

(6) For the purposes of subsection (5), an advertisement indicating that personal data is or may be for sale, constitutes an offer to sell the personal data.

further reading:

31.            Transfer of personal data <> <>
(1)               Subject to subsection (2), no data controller shall, except with the written authorisation of the Commissioner, transfer personal data to another country.
(2)               The Eighth data protection principle specified in the First Schedule shall not apply where –
(a)               the data subject has given his consent to the transfer;
(b)               the transfer is necessary –
(i)                  for the performance of a contract between the data subject and the data controller, or for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller;
(ii)                for the conclusion of a contract between the data controller and a person, other than the data subject, which is entered at the request of the data subject, or is in the interest of the data subject, or for the performance of such a contract;
(iii)               in the public interest, to safeguard public security or national security.
(c)               the transfer is made on such terms as may be approved by the Commissioner as ensuring the adequate safeguards for the protection of the rights of the data subject.
(3)               For the purpose of subsection (2)(c), the adequacy of the level of protection of a country shall be assessed in the light of all the circumstances surrounding the data transfer, having regard in particular to -

(a)               the nature of the data;
(b)               the purpose and duration of the proposed processing;
(c)               the country of origin and country of final destination;
(d)               the rules of law, both general and sectoral, in force in the country in question; and
(e)               any relevant codes of conduct or other rules and security measures which are <> <> <> <> <> <> <> complied with in that country.
Amended by [Act No. 14 of 2009 <>]

We need to see a balance and decide properly. I would like to say that i am not taking sides but we need to understand to what extent things can and cannot be reported. The mauritius DPA takes precedence from the EU Act. But still an NDA binds the resource member and afrinic within the binds of a legal clause of confidentiality that any member can recall and use against afrinic. 

However, i am sure if we keep to a brief as i said X number of applicants received and Y numbers not accepted  may be still fine but category etc., may already lead to guesswork and this may again lead to legal hassle. A compliance report as per the current state of proposal releases too much information already. 

Further the RIPE NCC policy:

If you are referring to RiPE NCC policy:

RIPE NCC Audit Activity

Publication date: 14 Nov 2007

 <>1. Introduction

At the 1996 Contributors Committee Meeting the RIPE NCC was asked to significantly increase its efforts to ensure the validity of registry data. Audit has been a specific activity of the RIPE NCC since that time.

 <>2. Goals

Audit activity is done to ensure fair and neutral application of policies set by the RIPE community, to the general benefit of the Internet.

Auditing can also provide the RIPE community with information about specific policy areas where problems are occurring, helping to ensure the efficient investment of resources in appropriate areas. This can include policy areas that need revision by the RIPE community, or areas where the RIPE NCC can improve compliance through better education and communication with the membership.

 <>3. Principles

Audit evaluation is based on compliance with the RIPE community policies current at the time of the audit. Audits are conducted with the intent to educate RIPE NCC members on how to achieve compliance.

Members that are already working in compliance with the RIPE community policies will have as little disturbance to their operations as possible.

Impartiality and confidentiality are given the highest priority throughout the audit process.

 <>4. Types


The member to be audited is chosen by the RIPE NCC at random.


A member is selected because of an internal report or due to a lack of contact between the RIPE NCC and the member.


The member has requested the audit themselves or there has been a community complaint made against them that requires investigation.

 <>5. Process

The RIPE NCC informs the member that they are in audit and then provides individual assistance in checking LIR data, resource records and validity of RIPE Database records.

 <>6. Compliance Measures

All measures used to ensure compliance with RIPE community policies are based on current policies and on the service agreements signed with RIPE NCC members.

The RIPE NCC will provide audit subjects with individual assistance and education, and will make every effort to help members comply with the policies. If the member is found to be unable to comply with the RIPE community policies, further measures may be necessary. This may include, but is not restricted to, a review of the audited organisation's membership status.

 <>7. Appeals

Audits are carried out in a completely neutral and transparent manner. However, if at any time a RIPE NCC member feels it is appropriate, they may appeal any decision of the auditing team. An appeal is made by applying for arbitration, as described in the RIPE NCC arbitration process: <> <>

You may also want to note that within “ Principles 3: Impartiality and confidentiality are given the highest priority throughout the audit process."

Further reading of RIPE audit types where it is defined as Random but the selection is based on a criteria.

The member to be audited is chosen by the RIPE NCC at random.


A member is selected because of an internal report or due to a lack of contact between the RIPE NCC and the member.


The member has requested the audit themselves or there has been a community complaint made against them that requires investigation.

If the above policy were to be applied there is no where on any RIR site that give details of audits anywhere. We may have to rely on a level of trust to afrinc staff to do their work. When it comes to arbitration RIPE has its rules set as well in such <>

So if we want to apply something again that works in the interest of the community let’s define the infraction and also when the audit can happen etc., and limit anonymize the details we should be coming close to what is required.


> On Dec 11, 2016, at 7:08 PM, serge ilunga <sergekbk at> wrote:
> Hello SM,
> Merci pour le commentaire et aimerions connaitre la source de cette appréhension.
> Pour notre part, en lisant le Feedback légal [1] nous comprenons que le RSA est un document liant les parties signataires et qu’au regard du droit mauricien, il est légal que AfriNIC puisse faire le review/audit des membres et  procéder à la récupération des ressources en cas de non-respect des termes dy RSA.
> Une telle proposition de politique ne contribue qu’à faire ce qui est prescrit dans le RSA  de manière claire et transparente sur base d’un document approuvé par la communauté.
> Les discussions faites lors de la dernière réunion en plus des réponses des autres RIRs sur l’existence de politiques similaires dans leurs régions respectives, nous indiquent que nous sommes dans la bonne direction.
> L’Objection du CEO et les réserves  du légal au sujet du risque de publication des informations confidentielles étaient dues à une incompréhension des détails à produire dans le rapport prescrit par la section 3.6 de la proposition de politique.
> Comme tu peux le constater, il n’y a pas de risque tel que tu l’as évoqué.
> Bien Cordialement..
> [1] <>
> 2016-12-10 12:39 GMT+01:00 <sm+afrinic at <mailto:sm+afrinic at>>:
> Hi Patrick, Wafa,
> At 07:34 30-05-2016, GH.-GNONKOTO Serges PATRICK wrote:
> Ce policy est encourageant etant donne qu'il donne la possibilite a  AFRINIC de contreler le flux et a la communaute de suivre la gestion de ses ressources.
> At 10:32 26-05-2016, wafa at <mailto:wafa at> wrote:
> This is part of RIR mandate so AFRINIC should receive all the support (technical, financial, cooperation,etc) from the membership and community at large to perform his duties.
> Le conseiller juridique d'Afrinic Ltd a explique les risques juridiques qu'encoure l'entreprise et l'article du Code civil qui regit le contract entre les deux parties.  Il revient aux directeurs qui siègent au conseil d’administration de l'entreprise de s'assurer que l'entreprise se conforme a ses obligations legales et de gerer les risques de litige.
> Est-ce que le PDWG peut elaborer une politique qui va a l'encontre du contract de prestation de service?  Ce serait une decision irreflechie si les obligations legales n'ont pas ete prises en compte.
> Regards,
> S. Moonesamy  
> _______________________________________________
> RPD mailing list
> RPD at <mailto:RPD at>
> <>
> -- 
> Skype: sergekbk
> Cell: +243814443160
> _______________________________________________
> RPD mailing list
> RPD at

Kris Seeburn
seeburn.k at <>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the RPD mailing list