<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Helvetica;
panose-1:0 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Times New Roman \(Cuerpo en alfa";
panose-1:2 2 6 3 5 4 5 2 3 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
span.apple-converted-space
{mso-style-name:apple-converted-space;}
span.EstiloCorreo19
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 3.0cm 70.85pt 3.0cm;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=ES link=blue vlink=purple style='word-wrap:break-word'><div class=WordSection1><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'>Hi Owen,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'>Publishing your email in the Internet (by any means, including an archive), according to GDPR, doesn’t authorize *<b>anyone</b>* to use the email for writing you, or to send the data to others, or whatever.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'>The GDPR requires *<b>previous and explicit</b>* consent to use or process or store an email (or other personal data), even if collected from public sources.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'>I can tell you that for sure, as I won several cases in the Data Protection Agency, as their excuse was, for example “your email was in the RIPE mailing list”, “your email is in your publis slides from presentation at LACNIC”, etc., etc. Just to give you a number, I started sending cases to the Spanish DPA several years before the GDPR, there was a previous law in Spain for “more or less” the same, and I’ve initiated about 2.000 cases, so talking from a very real experience.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'>So the “bad” action is not “looking” at the email that “I’ve” published myself or authorized some one (the candidate of the nomination in this case) to publish. The bad action are 2: 1) Record that email in “the bad guy database” AND 2) Use it for spam, illegal actions, etc., etc.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'>If a “bad guy” do 1 or 2, and I make a claim to the DPA, the “bad guy” needs to prove that they have got my previous and explicit consent for BOTH (saving my data in their database AND sending me spam). Note also that they need to provide access to all the data they have from me (including the IP address, date and time of forms used to collect my data, other personal data, etc., etc.). So it is not so easy to “fake” my previous and explicit consent. I’ve seen several attemtps by mail-marketing companies and all them failed with me.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'>Fines are up to 20 million euros, and they are for real. If you’re not in the EU or one of the countries that signed agreements with the EU, you can get a surprise when you, in the future, step in the EU territory. There have been some cases already.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'>In addition to the fine, you can also ask for compensation (damages) for all that. I’ve never tried that, because in the case of Spain is extremely dificult, but I know damages are easier to get in US or UK courts, for example.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'>It is the same as if you come to do tourism to the EU, exceed speed limit with your car and don’t pay the fine … until you come back and can be in jail until you pay the fine.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'>Of course, that is under my knowledge in the GDPR, but as said, several countries (example Mauritius, Uruguay, I think also Australia – I note the ones related to RIRs - and a few others), had signed agreements and “compatible” Personal Data Protection laws with the EU, for a good reason: If you don’t agree on those regulations, you can’t do many IT related business with EU *<b>if</b>* they can carry personal data.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;color:black;mso-fareast-language:EN-US'>I also agree that probably that is against the AUP, not sure if this has been properly spelled out in the case of the AFRINIC Code of Conduct.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US style='font-size:12.0pt;mso-fareast-language:EN-US'><o:p> </o:p></span></p><div><div><p class=MsoNormal style='margin-left:35.4pt'>El 4/4/21 21:36, "Owen DeLong" <<a href="mailto:owen@delong.com">owen@delong.com</a>> escribió:<o:p></o:p></p></div></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p><div><p class=MsoNormal style='margin-left:35.4pt'><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-left:35.4pt'>On Apr 4, 2021, at 12:14 PM, JORDI PALET MARTINEZ via RPD <<a href="mailto:rpd@afrinic.net">rpd@afrinic.net</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p><div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>Hi Sylvain,</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>I’m not an expert in Mauritius DPA, but I know very well the EU GDPR, which is compatible with the Mauritius one (in fact there is an agreement for that).</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>What I can tell is that Personal Data Protection means that you can publish personal emails if the owners agree to do so, which it is clear in this case, because they agreed to support the candidates, right?</span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>What it is usually against Personal Data Protection will be to *<b>anyone</b>* subscriber or not to the list, to use this data for *<b>anything</b>* without the previous and express consent of the email owners.</span><o:p></o:p></p></div></div></blockquote><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'>I’m not so sure that’s accurate.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>If you post on a public list that you subscribed to with a well known public web-searchable archive, you consent to the general public disclosure of your email address and have pretty much put it in the public domain. Anyone who has posted to more than one such list with the same address would have a very hard time proving which list was the source of disclosure for such unauthorized use even if they had a valid claim that it wasn’t a permitted use of the information.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:12.0pt'> </span><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>For example, nobody can use *<b>any</b>* emails available thru the list for sending emails requesting support for *<b>any</b>* of the candidates.</span><o:p></o:p></p></div></blockquote><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'>I think that wouldn’t so much be a matter of DPA or GDPR violation as a matter of list AUP violation.<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'>Owen<o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><br><br><o:p></o:p></p><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p></div><div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>Regards,</span><o:p></o:p></p></div><p class=MsoNormal style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>Jordi</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'>@jordipalet</span><o:p></o:p></p><p class=MsoNormal style='mso-margin-top-alt:0cm;margin-right:0cm;margin-bottom:12.0pt;margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p></div><div><p class=MsoNormal style='margin-left:35.4pt'><span lang=EN-US style='font-size:12.0pt'> </span><o:p></o:p></p></div><div><div><div style='margin-left:35.4pt'><p class=MsoNormal style='margin-left:35.4pt'>El 4/4/21 20:59, "Sylvain Baya" <<a href="mailto:abscoco@gmail.com">abscoco@gmail.com</a>> escribió:<o:p></o:p></p></div></div></div><div><div style='margin-left:35.4pt'><p class=MsoNormal style='margin-left:35.4pt'> <o:p></o:p></p></div></div><div><div style='margin-left:35.4pt'><p class=MsoNormal style='margin-left:35.4pt'>Dear PDWG,<o:p></o:p></p></div></div><div><div style='margin-left:35.4pt'><p class=MsoNormal style='margin-left:35.4pt'> <o:p></o:p></p></div></div><div><div style='margin-left:35.4pt'><p class=MsoNormal style='margin-left:35.4pt'>...i see email addresses appearing in plain text on RPD for every submission of candidacy for the PDWG's Chairs *selection*.<o:p></o:p></p></div></div><div><div style='margin-left:35.4pt'><p class=MsoNormal style='margin-left:35.4pt'> <o:p></o:p></p></div></div><div><div style='margin-left:35.4pt'><p class=MsoNormal style='margin-left:35.4pt'>Some of those email addresses might not be subscribed to RPD...<o:p></o:p></p></div></div><div><div style='margin-left:35.4pt'><p class=MsoNormal style='margin-left:35.4pt'> <o:p></o:p></p></div></div><div><div style='margin-left:35.4pt'><p class=MsoNormal style='margin-left:35.4pt'>Is it in compliance with the Maurician's DPA [1]?<o:p></o:p></p></div></div><div><div style='margin-left:35.4pt'><p class=MsoNormal style='margin-left:35.4pt'>__<o:p></o:p></p></div></div><div><div style='margin-left:35.4pt'><p class=MsoNormal style='margin-left:35.4pt'>[1]: <<a href="https://dataprotection.govmu.org/">https://dataprotection.govmu.org</a>><o:p></o:p></p></div></div><div><div style='margin-left:35.4pt'><p class=MsoNormal style='margin-left:35.4pt'> <o:p></o:p></p></div></div><div><div style='margin-left:35.4pt'><p class=MsoNormal style='margin-left:35.4pt'>...just thinking :-/<o:p></o:p></p></div></div><div><div style='margin-left:35.4pt'><p class=MsoNormal style='margin-left:35.4pt'> <o:p></o:p></p></div></div><div><div style='margin-left:35.4pt'><p class=MsoNormal style='margin-left:35.4pt'>Shalom<o:p></o:p></p></div></div><div><div style='margin-left:35.4pt'><p class=MsoNormal style='margin-left:35.4pt'>--sb.<o:p></o:p></p></div></div><div style='margin-left:35.4pt'><p class=MsoNormal style='margin-left:35.4pt'><br><br>--<span class=apple-converted-space> </span><br>--<br>Best Regards !<br>__<br>baya.sylvain[AT cmNOG DOT cm]|<<a href="http://www.cmnog.cm/dokuwiki">www.cmnog.cm/dokuwiki</a>><br>Subscribe to Mailing List: <<a href="http://lists.cmnog.cm/mailman/listinfo/cmnog/">lists.cmnog.cm/mailman/listinfo/cmnog/</a>><br>__<br>#LASAINTEBIBLE|#Romains15:33«Que LE #DIEU de #Paix soit avec vous tous! #Amen!»<br>#MaPrière est que tu naisses de nouveau. #Chrétiennement<br>«Comme une biche soupire après des courants d’eau, ainsi mon âme soupire après TOI, ô DIEU!»(#Psaumes42:2)<br><br>_______________________________________________ RPD mailing list <a href="mailto:RPD@afrinic.net">RPD@afrinic.net</a> <a href="https://lists.afrinic.net/mailman/listinfo/rpd">https://lists.afrinic.net/mailman/listinfo/rpd</a><span class=apple-converted-space> </span><o:p></o:p></p></div><p class=MsoNormal style='margin-left:35.4pt'><span style='font-size:9.0pt;font-family:Helvetica'><br>**********************************************<br>IPv4 is over<br>Are you ready for the new Internet ?<br></span><a href="http://www.theipv6company.com/"><span style='font-size:9.0pt;font-family:Helvetica'>http://www.theipv6company.com</span></a><span style='font-size:9.0pt;font-family:Helvetica'><br>The IPv6 Company<br><br>This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.<br><br>_______________________________________________<br>RPD mailing list<br></span><a href="mailto:RPD@afrinic.net"><span style='font-size:9.0pt;font-family:Helvetica'>RPD@afrinic.net</span></a><span style='font-size:9.0pt;font-family:Helvetica'><br></span><a href="https://lists.afrinic.net/mailman/listinfo/rpd"><span style='font-size:9.0pt;font-family:Helvetica'>https://lists.afrinic.net/mailman/listinfo/rpd</span></a><o:p></o:p></p></blockquote></div><p class=MsoNormal style='margin-left:35.4pt'><br><br><o:p></o:p></p></div><br>**********************************************<br>
IPv4 is over<br>
Are you ready for the new Internet ?<br>
http://www.theipv6company.com<br>
The IPv6 Company<br>
<br>
This electronic message contains information which may be privileged or confidential. The information is intended to be for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any disclosure, copying, distribution or use of the contents of this information, even if partially, including attached files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to inform about this communication and delete it.<br>
<br>
</body></html>