Search RPD Archives
Limit search to: Subject & Body Subject Author
Sort by:

[rpd] Staff & Legal Assessements on "Internet Numbers review by AFRINIC"'s Proposal

Arnaud AMELINA amelnaud at
Tue May 9 15:11:05 UTC 2017

Hi Community,
Dear PDPWG, please find bellow The New Staff assessment concerning our
Proposal on "Internet Number Resources Review by AFRINIC" and for your
information the Old assessment follow the new one. Thanks



*New Assessment : *
Staff Assessment for : Internet Number Resources Review by AFRINIC


 Internet Number Resources Review by AFRINIC


1.0 Staff Understanding of the Proposal

   - AFRINIC to conduct resource utilization reviews (audits) of IPv4, IPv6
   and ASN resources randomly, periodically and/or triggered by a
   whistleblower to ensure compliance with policy provisions and all terms
   of the AFRINIC RSA.
   - Non-Compliant resources to be recovered (and can be reallocated).
   - An arbitration team (whose decision is final) to be instituted (by
   AFRINIC) to handle any complaints by members unsatisfied with the
   review/audit report.
   - A report of all review/audit activity conducted every year will be
   published on the website, contents of which must comply with the
   Mauritius Data Protection Act as well as any NDA in place with any AFRINIC

2.0 Staff Comments

   - On Sec 13.6 - Our previous concerns that AFRINIC may be legally
   exposed regarding what member data can be published in the annual
   "Compliance Report" seem to have been addressed by the inclusion of "in
   accordance with Mauritius Data Protection Act and NDA with members." The
   act however, only concerns personal information. The kind of information
   to include in the compliance report should preferably be to the
   discretion of AFRINIC.
   - Authors to clarify on if the arbitration process can be initiated by
   the member anytime during or (only) after the review is completed. There
   also needs to be a time limit around when the arbitration process must
   complete (for the arbitration team to produce their findings/report).
   - On Staff Workload: All review requests shall be handled First in,
   First Out (at staff discretion) - in which case, no significant impact
   to staff workload is expected.
   - On the clause: “The review shall be conducted in full transparency and
   neutrality”. Authors need to expound more on what this means - as
   AFRINIC cannot disclose details of an ongoing audit/review to the public
   while doing the review - if this is what authors meant by "transparency".
   - On the Clause: “AFRINIC shall publish the resources to be recovered
   for a period of three (3) months; during which the organization may at
   any time, seek compliance” - AFRINIC will add “remarks” attributes to
   the concerned whois database objects, with information regarding the
   ongoing review. We think that this is sufficient to address the
   "publish" requirement in this clause.

3.0 Comments from Legal Counsel

*Legal Counsel’s Assessment*

1. In the implementation phase staff will have to deal with evidence
emanating from several jurisdictions. Moreover, staff will face the arduous
task of assessing evidence/information/data from different sources and of
different evidential value. Staff will be burdened with testing the
reliability of this evidence/information/data to assess and weigh theses
evidences and to decide whether same may be used to establish abuse or
wrongful use of Internet Number Resources.

The possibility of collecting evidence/information/data coming from
different sources via affidavits or depositions before Commissioner of Oath
may have to be envisaged to partly ease pressure on staff.

AFRINIC will have to protect itself and act only on reliable, cogent and
admissible evidence before finally revoking allocation of resources which
the investigated member claims has been prejudicial to it and consequently
claims for compensation. This possibility should always be envisaged. The
increasing value of IPv4 resources point in that way.

2. What modus operandi should be put into place to “hear” the investigated
party to ensure fairness? The policy proposal does not provide anything in
this regard and should address it.

3. It will not always be possible to confront the investigated party with
data/documents/evidence coming from third parties who may have disclosed
same in confidence and have expressly refused to be named or referred to.

4. The arbitration referred to in the proposal has to be effected within
the jurisdiction of one country – and the main question is – which would
this country be?

5. Section 13.5 of the proposal states: “the outcome of the arbitration
process is unequivocal”. This is in contradiction of, Articles 1027 to
1027-9 of the Code de Procedure Civile of Mauritius which provides that a
party to an arbitration may seek the “annulation “of an award by seizing
the Supreme Court.

6. The "Mauritius Data Protection Act" only applies to personal

*The Old One : *

*Staff & Legal Assessment and Comments*

*Staff Comments:*

   - *The proposal appears to be enabling AFRINIC to “enforce” article 4(b)
   the Registration Services Agreement, a matter of procedure and process.*
   - *We already have the ability to enforce the RSA, and the RSA already
   includes a requirement for policy compliance.*
   - *We already have the ability, in terms of the RSA, to recover
   resources that are not being used for the purpose for which they were
   - *AFRINIC already reviews or audits members when they request
   additional resources. We also have the ability to review at other times,
   but we do not regularly exercise such ability.*
   - *We see no problem in principle with allowing complaints to trigger a
   review, but we are concerned about the details.*
   - *It's not clear who decides whether a complaint "warrants
   investigation". We interpret this part of the proposal as giving AFRINIC
   staff the discretion to decide which complaints to investigate or not to
   - *Each investigation will have large impact on staff workload, and is
   also likely to have a large impact on the organisation being investigated.
   We are especially concerned about the impact of unjustified complaints.*
   - *AFRINIC staff workload may be greatly increased by a large number of
   requests for review or audit. The requirement that the complaint "warrants
   investigation" may mitigate this issue, if staff have the ability to decide
   that certain complaints do not warrant investigation, but staff resources
   will nevertheless be expended on determining whether or not the complaint
   warrants investigation.*
   - *There is no policy requirement for visibility in the global routing
   table. AFRINIC will have no contractual basis for treating "lack of
   visibility of the resource on the global routing table" as a problem under
   this policy. We suggest that this proposal should focus on policy
   violations, and leave the issue of global routing visibility to some other
   proposal that might be introduced in future.*
   - *There is a reference to "unauthorised transfers". At present, all
   transfers (other than under mergers and acquisitions) are unauthorised.
   Even under possible future transfer policy, any "unauthorised transfer"
   would be in violation of such policy. Accordingly, we suggest that there is
   no need to treat unauthorised transfers differently from any other policy
   - *The requirement that "the records of the previous holder of the
   recovered resource shall be removed from AFRINIC databases"is in conflict
   with current practice that when a resource is returned or transferred, it
   remains possible to find out information about the previous holder of the
   - *The requirement that the review be conducted with "full transparency"
   may be in conflict with privacy provisions in NDAs, in the RSA, or in law.*
*The requirement to publish a "compliance report" may be in conflict with
   privacy provisions in NDAs, in the RSA, or in law. *
   - *There is a requirement for AFRINIC to create and document an appeal
   process, and appoint a pool of arbitrators. Creating the process, including
   a public comment period and subsequent revisions, would probably take 3 to
   6 months. Calling for volunteers and appointing them would probably take
   another 2 months.*


   - *TheRSAisacommunityapproveddocument and all members are bound by each
   and every clause thereof once they sign the agreement. It
   - *In application of the law of contract of Mauritius as found in
   Article 1134 of the Mauritius Civil Code Section 4, the RSA is already
   - *It is perfectly lawful , in terms of the application of the Mauritius
   Civil Code , for AFRINIC to act under the said section and reclaim
   - *The policy can do no more than allow AFRINIC to do what it is already
   doing in a clear and transparent manner on the basis of a community
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the RPD mailing list