Search RPD Archives
[rpd] Staff & Legal Assessements on "Internet Numbers review by AFRINIC"'s Proposal
Arnaud AMELINA
amelnaud at gmail.com
Tue May 9 15:11:05 UTC 2017
Hi Community,
Dear PDPWG, please find bellow The New Staff assessment concerning our
Proposal on "Internet Number Resources Review by AFRINIC" and for your
information the Old assessment follow the new one. Thanks
Regards
Arnaud
*New Assessment : *
===============================================
Staff Assessment for : Internet Number Resources Review by AFRINIC
*Proposal*
AFPUB-2016-GEN-001-DRAFT-04
*Title*
Internet Number Resources Review by AFRINIC
*URL*
https://afrinic.net/en/community/policy-development/policy-proposals/2073-internet-numberresources-review-by-afrinic
*Assessed*
26/April/2017
1.0 Staff Understanding of the Proposal
- AFRINIC to conduct resource utilization reviews (audits) of IPv4, IPv6
and ASN resources randomly, periodically and/or triggered by a
whistleblower to ensure compliance with policy provisions and all terms
of the AFRINIC RSA.
- Non-Compliant resources to be recovered (and can be reallocated).
- An arbitration team (whose decision is final) to be instituted (by
AFRINIC) to handle any complaints by members unsatisfied with the
review/audit report.
- A report of all review/audit activity conducted every year will be
published on the website, contents of which must comply with the
Mauritius Data Protection Act as well as any NDA in place with any AFRINIC
member.
2.0 Staff Comments
- On Sec 13.6 - Our previous concerns that AFRINIC may be legally
exposed regarding what member data can be published in the annual
"Compliance Report" seem to have been addressed by the inclusion of "in
accordance with Mauritius Data Protection Act and NDA with members." The
act however, only concerns personal information. The kind of information
to include in the compliance report should preferably be to the
discretion of AFRINIC.
- Authors to clarify on if the arbitration process can be initiated by
the member anytime during or (only) after the review is completed. There
also needs to be a time limit around when the arbitration process must
complete (for the arbitration team to produce their findings/report).
- On Staff Workload: All review requests shall be handled First in,
First Out (at staff discretion) - in which case, no significant impact
to staff workload is expected.
- On the clause: “The review shall be conducted in full transparency and
neutrality”. Authors need to expound more on what this means - as
AFRINIC cannot disclose details of an ongoing audit/review to the public
while doing the review - if this is what authors meant by "transparency".
- On the Clause: “AFRINIC shall publish the resources to be recovered
for a period of three (3) months; during which the organization may at
any time, seek compliance” - AFRINIC will add “remarks” attributes to
the concerned whois database objects, with information regarding the
ongoing review. We think that this is sufficient to address the
"publish" requirement in this clause.
3.0 Comments from Legal Counsel
*Legal Counsel’s Assessment*
1. In the implementation phase staff will have to deal with evidence
emanating from several jurisdictions. Moreover, staff will face the arduous
task of assessing evidence/information/data from different sources and of
different evidential value. Staff will be burdened with testing the
reliability of this evidence/information/data to assess and weigh theses
evidences and to decide whether same may be used to establish abuse or
wrongful use of Internet Number Resources.
The possibility of collecting evidence/information/data coming from
different sources via affidavits or depositions before Commissioner of Oath
may have to be envisaged to partly ease pressure on staff.
AFRINIC will have to protect itself and act only on reliable, cogent and
admissible evidence before finally revoking allocation of resources which
the investigated member claims has been prejudicial to it and consequently
claims for compensation. This possibility should always be envisaged. The
increasing value of IPv4 resources point in that way.
2. What modus operandi should be put into place to “hear” the investigated
party to ensure fairness? The policy proposal does not provide anything in
this regard and should address it.
3. It will not always be possible to confront the investigated party with
data/documents/evidence coming from third parties who may have disclosed
same in confidence and have expressly refused to be named or referred to.
4. The arbitration referred to in the proposal has to be effected within
the jurisdiction of one country – and the main question is – which would
this country be?
5. Section 13.5 of the proposal states: “the outcome of the arbitration
process is unequivocal”. This is in contradiction of, Articles 1027 to
1027-9 of the Code de Procedure Civile of Mauritius which provides that a
party to an arbitration may seek the “annulation “of an award by seizing
the Supreme Court.
6. The "Mauritius Data Protection Act" only applies to personal
information/data.
*The Old One : *
********************************************************************************************
http://afrinic.net/en/community/policy-development/policy-proposals/1947-internet-number-resources-review-by-afrinic
*Staff & Legal Assessment and Comments*
*Staff Comments:*
- *The proposal appears to be enabling AFRINIC to “enforce” article 4(b)
the Registration Services Agreement, a matter of procedure and process.*
- *We already have the ability to enforce the RSA, and the RSA already
includes a requirement for policy compliance.*
- *We already have the ability, in terms of the RSA, to recover
resources that are not being used for the purpose for which they were
allocated/assigned.*
- *AFRINIC already reviews or audits members when they request
additional resources. We also have the ability to review at other times,
but we do not regularly exercise such ability.*
- *We see no problem in principle with allowing complaints to trigger a
review, but we are concerned about the details.*
- *It's not clear who decides whether a complaint "warrants
investigation". We interpret this part of the proposal as giving AFRINIC
staff the discretion to decide which complaints to investigate or not to
investigate.*
- *Each investigation will have large impact on staff workload, and is
also likely to have a large impact on the organisation being investigated.
We are especially concerned about the impact of unjustified complaints.*
- *AFRINIC staff workload may be greatly increased by a large number of
requests for review or audit. The requirement that the complaint "warrants
investigation" may mitigate this issue, if staff have the ability to decide
that certain complaints do not warrant investigation, but staff resources
will nevertheless be expended on determining whether or not the complaint
warrants investigation.*
- *There is no policy requirement for visibility in the global routing
table. AFRINIC will have no contractual basis for treating "lack of
visibility of the resource on the global routing table" as a problem under
this policy. We suggest that this proposal should focus on policy
violations, and leave the issue of global routing visibility to some other
proposal that might be introduced in future.*
- *There is a reference to "unauthorised transfers". At present, all
transfers (other than under mergers and acquisitions) are unauthorised.
Even under possible future transfer policy, any "unauthorised transfer"
would be in violation of such policy. Accordingly, we suggest that there is
no need to treat unauthorised transfers differently from any other policy
violation.*
- *The requirement that "the records of the previous holder of the
recovered resource shall be removed from AFRINIC databases"is in conflict
with current practice that when a resource is returned or transferred, it
remains possible to find out information about the previous holder of the
resource.*
- *The requirement that the review be conducted with "full transparency"
may be in conflict with privacy provisions in NDAs, in the RSA, or in law.*
-
*The requirement to publish a "compliance report" may be in conflict with
privacy provisions in NDAs, in the RSA, or in law. *
- *There is a requirement for AFRINIC to create and document an appeal
process, and appoint a pool of arbitrators. Creating the process, including
a public comment period and subsequent revisions, would probably take 3 to
6 months. Calling for volunteers and appointing them would probably take
another 2 months.*
*Legal:*
- *TheRSAisacommunityapproveddocument and all members are bound by each
and every clause thereof once they sign the agreement. It
isacontractwherebothpartiessubscribetoclearobligations.*
- *In application of the law of contract of Mauritius as found in
Article 1134 of the Mauritius Civil Code Section 4, the RSA is already
binding,asaresult,onallmemberswhosigntheagreement.*
- *It is perfectly lawful , in terms of the application of the Mauritius
Civil Code , for AFRINIC to act under the said section and reclaim
resourcesfromthosememberswho/whichfailanaudit/reviewexercise.*
- *The policy can do no more than allow AFRINIC to do what it is already
doing in a clear and transparent manner on the basis of a community
approveddocument*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20170509/9a502d5c/attachment.html>
More information about the RPD
mailing list