No issue with doing a proper information audit (what there is, where it is 
stored, how it can be accessed and by whom). That is just good information 
security practice.

However I am still not certain that holding any of that information actually 
makes AfriNIC a controller in terms of the GDPR.

> On 11 Apr 2018, at 15:47, Andrew Alston <> 
> wrote:
> Mike,
> Also just to clarify – I believe this goes beyond whois data – there is far 
> more data that AfriNIC holds than just the whois data that could be affected 
> by this.  I concede the whois portion I may well be wrong on that – the rest 
> of it – as I said – I simply want to see from AfriNIC a report on that they 
> are doing and where they aren’t in compliance to present that to this 
> community – mindful of the time frames involved – the situation the current 
> board finds facing – and the dictates of section 3.4.iiv of the bylaws
> Andrew
> From: Mike Silber <>
> Date: Wednesday, 11 April 2018 at 16:34
> To: "Abibu R. Ntahigiye" <>
> Cc: Andrew Alston <>, General Discussions of 
> AFRINIC <>, AfriNIC Discuss 
> <>
> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
> If I can add to this, there is as yet no clear direction from the European 
> DPAs as a collective on how GDPR affects whois access in general.
> The RIPE NCC approach is premised on their interactions with the Dutch DPA, 
> rather than a Europe wide approach.
> In addition, I am not sure I concur with Mr Alston’s insistence that “holding 
> data of EU citizens” automatically places AfriNIC into the category of data 
> controller in terms of GDPR or imposes any requirements on AfriNIC, 
> particularly as the GDPR applies to processing of personal data in the 
> context of the activities of an establishment of a controller or a processor 
> in the Union.
> The extraterritorial application is premised on a nexus requirement set out 
> in general terms in Recital 23, but requiring specific determination in terms 
> of national law by Member States.
> Mike
>> On 11 Apr 2018, at 13:36, Abibu R. Ntahigiye < 
>> <>> wrote:
>> Dear Andrew, Members and the whole Afrinic community,
>> Andrew has raised a very important issue for Afrinic operations - Thanks so 
>> much Andrew.
>> The Board would like to inform you that the issue was discussed within the 
>> Board at the Afrinic 27 meeting in Lagos and the Management was tasked to 
>> work on the issue.
>> The Board has also been made aware that the Mauritius Data Protection Act 
>> 2017 is already in effect and is aligned with the EU GDPR regulations.  The 
>> Board believes that these regulations are not a barrier to publication of 
>> the WHOIS data, and it has noted the RIPE NCC study that made such a 
>> finding.  The Board further believes that the biggest changes required by 
>> AFRINIC are in documenting how personal data is used, and in informing 
>> people at the time data is collected. 
>> The AFRINIC management will provide further updates on the issues at AIS 
>> 2018 in Senegal.
>> Further to the above, the Board expects to receive more insights on GDPR  
>> related issues at the joint Boards (AfriNIC and RIPE NCC) meeting planned in 
>> Senegal.
>> Kind regards
>> On 11/04/2018 08:42, Andrew Alston wrote:
>>> Hi AfriNIC Board,
>>> Can this board please *urgently* inform this community as to what 
>>> preparations they have made as regards to compliance with the General Data 
>>> Protection Regulations passed by the European Commision and the board will 
>>> be in a position to give this community a full and complete report as to 
>>> their GDPR compliance status and what will be changing before the 25th of 
>>> May to ensure that when the GDPR comes into force AfriNIC is compliant.
>>> Considering that the regulation comes into force on the 25th of May 2018 – 
>>> and AfriNIC is 100% holding data of EU Citizens, which makes them subject 
>>> to the regulations irrespective of the fact that they are domiciled in 
>>> Mauritius – this is an urgent and critical issue.  It has direct impact on 
>>> the whois database, abuse contact information, handling of data submitted 
>>> during application process and potentially even the proposed review policy, 
>>> just to name a few things that I can think of off the top of my head – and 
>>> cannot be ignored.  I would in fact have liked to have seen discussions by 
>>> the board in the minutes that have been published about the GDPR long 
>>> before now – considering the impact – but failing that – the question is 
>>> now being asked.
>>> Andrew
>>> _______________________________________________
>>> Community-Discuss mailing list
>>> <>
>>> <>
>> -- 
>> Abibu R. Ntahigiye
>> CEO, tzNIC / Interim Chairman, Afrinic.
>> _______________________________________________
>> Community-Discuss mailing list
>> <>
>> <>

Community-Discuss mailing list

Reply via email to