[rpd] Compliance with .MU Data Protection Act

[JORDI PALET MARTINEZ]

Hi Owen,

 

Publishing your email in the Internet (by any means, including an archive), according to GDPR, doesn’t authorize *anyone* to use the email for writing you, or to send the data to others, or whatever.

 

The GDPR requires *previous and explicit* consent to use or process or store an email (or other personal data), even if collected from public sources.

 

I can tell you that for sure, as I won several cases in the Data Protection Agency, as their excuse was, for example “your email was in the RIPE mailing list”, “your email is in your publis slides from presentation at LACNIC”, etc., etc. Just to give you a number, I started sending cases to the Spanish DPA several years before the GDPR, there was a previous law in Spain for “more or less” the same, and I’ve initiated about 2.000 cases, so talking from a very real experience.

 

So the “bad” action is not “looking” at the email that “I’ve” published myself or authorized some one (the candidate of the nomination in this case) to publish. The bad action are 2: 1) Record that email in “the bad guy database” AND 2) Use it for spam, illegal actions, etc., etc.

 

If a “bad guy” do 1 or 2, and I make a claim to the DPA, the “bad guy” needs to prove that they have got my previous and explicit consent for BOTH (saving my data in their database AND sending me spam). Note also that they need to provide access to all the data they have from me (including the IP address, date and time of forms used to collect my data, other personal data, etc., etc.). So it is not so easy to “fake” my previous and explicit consent. I’ve seen several attemtps by mail-marketing companies and all them failed with me.

 

Fines are up to 20 million euros, and they are for real. If you’re not in the EU or one of the countries that signed agreements with the EU, you can get a surprise when you, in the future, step in the EU territory. There have been some cases already.

 

In addition to the fine, you can also ask for compensation (damages) for all that. I’ve never tried that, because in the case of Spain is extremely dificult, but I know damages are easier to get in US or UK courts, for example.

 

It is the same as if you come to do tourism to the EU, exceed speed limit with your car and don’t pay the fine … until you come back and can be in jail until you pay the fine.

 

Of course, that is under my knowledge in the GDPR, but as said, several countries (example Mauritius, Uruguay, I think also Australia – I note the ones related to RIRs - and a few others), had signed agreements and “compatible” Personal Data Protection laws with the EU, for a good reason: If you don’t agree on those regulations, you can’t do many IT related business with EU *if* they can carry personal data.

 

I also agree that probably that is against the AUP, not sure if this has been properly spelled out in the case of the AFRINIC Code of Conduct.

 

 

 

El 4/4/21 21:36, "Owen DeLong" <owen at delong.com> escribió:

 

 



On Apr 4, 2021, at 12:14 PM, JORDI PALET MARTINEZ via RPD <rpd at afrinic.net> wrote:

 

Hi Sylvain,

 

I’m not an expert in Mauritius DPA, but I know very well the EU GDPR, which is compatible with the Mauritius one (in fact there is an agreement for that).

 

What I can tell is that Personal Data Protection means that you can publish personal emails if the owners agree to do so, which it is clear in this case, because they agreed to support the candidates, right?

 

What it is usually against Personal Data Protection will be to *anyone* subscriber or not to the list, to use this data for *anything* without the previous and express consent of the email owners.

 

I’m not so sure that’s accurate.

 

If you post on a public list that you subscribed to with a well known public web-searchable archive, you consent to the general public disclosure of your email address and have pretty much put it in the public domain. Anyone who has posted to more than one such list with the same address would have a very hard time proving which list was the source of disclosure for such unauthorized use even if they had a valid claim that it wasn’t a permitted use of the information.

 

For example, nobody can use *any* emails available thru the list for sending emails requesting support for *any* of the candidates.

 

I think that wouldn’t so much be a matter of DPA or GDPR violation as a matter of list AUP violation.

 

Owen



 

Regards,

Jordi

@jordipalet

 

 

 

El 4/4/21 20:59, "Sylvain Baya" <abscoco at gmail.com> escribió:

 

Dear PDWG,

 

...i see email addresses appearing in plain text on RPD for every submission of candidacy for the PDWG's Chairs *selection*.

 

Some of those email addresses might not be subscribed to RPD...

 

Is it in compliance with the Maurician's DPA [1]?

__

[1]: <https://dataprotection.govmu.org>

 

...just thinking :-/

 

Shalom

--sb.



-- 
--
Best Regards !
__
baya.sylvain[AT cmNOG DOT cm]|<www.cmnog.cm/dokuwiki>
Subscribe to Mailing List: <lists.cmnog.cm/mailman/listinfo/cmnog/>
__
#‎LASAINTEBIBLE|#‎Romains15:33«Que LE ‪#‎DIEU de ‪#‎Paix soit avec vous tous! ‪#‎Amen!»
‪#‎MaPrière est que tu naisses de nouveau. #Chrétiennement
«Comme une biche soupire après des courants d’eau, ainsi mon âme soupire après TOI, ô DIEU!»(#Psaumes42:2)

_______________________________________________ RPD mailing list RPD at afrinic.net https://lists.afrinic.net/mailman/listinfo/rpd 


**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

_______________________________________________
RPD mailing list
RPD at afrinic.net
https://lists.afrinic.net/mailman/listinfo/rpd






**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.theipv6company.com
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.afrinic.net/pipermail/rpd/attachments/20210404/2421cbc0/attachment-0001.html>