First, that article is written very much from a US perspective and addresses concerns strictly from the US and in some cases UK perspective.
Second, this paragraph is key: Taking this into account, he advises: “Organisations outside of Europe must first decide if they currently are – or are planning to – conduct business in the region. Once they have answered this question, the next port of call is dissecting their intended business model to understand if they handle citizen data and if so, what that data is.” It’s not clear that AfriNIC “conducts business in the region”. Finally, it’s an EU law. AfriNIC is not an EU subject. If AfriNIC has nexus in the EU, then it could become subject to EU law. If Mauritius has signed a treaty with EU granting EU extraterritorial jurisdiction, it could become subject to EU law. Otherwise, no. Owen > On Apr 11, 2018, at 03:33 , JORDI PALET MARTINEZ <[email protected]> > wrote: > > I think Andrew is right. > > I just found a short article that explains it: > > https://www.gdprandbeyond.com/blog-post/data-privacy/gdpr-affect-non-european-companies/ > > <https://www.gdprandbeyond.com/blog-post/data-privacy/gdpr-affect-non-european-companies/> > > If you don’t want to read all the article, this is the key: > > “The short answer is: the regulation will affect firms both inside and > outside of the EU. In fact, any company dealing with EU businesses’, > residents’, or citizens’ data will have to comply with the GDPR.” > > Even more than that, it affects any company that may hold data from EU > citizens, and that includes IP addresses. > > For example, if EU citizens are using a DNS resolver sitting in any AfriNIC > country, then the logs with the IP addresses of the queries are subjected to > the GDPR, if you make business out of those logs, and don’t anonymize them, > you are subjected to fines of up to 4% of your annual turnover, up to a > maximum of 20 million euros. > > In chats with EU lawyers, they basically told that there is a long road with > this regulation in the courts, and ISPs need to be aware that this means that > if their customers do “bad” things with EU citizens personal data, and they > don’t react on those “abuse” cases, you may be at the end of the history, > liable for that. > > Regards, > Jordi > > > De: Andrew Alston <[email protected] > <mailto:[email protected]>> > Fecha: miércoles, 11 de abril de 2018, 12:15 > Para: Owen DeLong <[email protected] <mailto:[email protected]>> > CC: General <[email protected] > <mailto:[email protected]>>, AFRINIC Board of Directors' List > <[email protected] <mailto:[email protected]>> > Asunto: Re: [Community-Discuss] AFRINIC and the GDPR > > Owen, <> > > Firstly – AfriNIC does hold data on EU residents – that is without question – > I know of a couple of cases of EU residents with their data held by AfriNIC > without even thinking of it. > Secondly – irrespective of if they are signatories or not – if AfriNIC > chooses to do any business with RIPE for example, they are doing business > with an EU entity and can be prevented from doing so if they don’t comply is > my understanding. > > Irrespective of this – the AfriNIC board if they believe they do not need to > comply in any way shape or form – needs to state that to this community and > to its members and give reasons as to why not – at that point – the affected > members can then make an informed decision as to their course of action > should they choose one. But – AfriNIC still has an obligation to inform its > community as to its standing in this regard and do so before the legislation > becomes reality. > > Please note clause 3.4.vii of the bylaws: > > (vii) to disseminate among its members information on all matters affecting > the Company and its members and to provide for and be a central channel of > communication for the members of the Company and generally for the > furtherance and promotion of their interests; > > Andrew > > From: Owen DeLong [mailto:[email protected] <mailto:[email protected]>] > Sent: 11 April 2018 09:08 > To: Andrew Alston <[email protected] > <mailto:[email protected]>> > Cc: General <[email protected] > <mailto:[email protected]>>; AFRINIC Board of Directors' List > <[email protected] <mailto:[email protected]>> > Subject: Re: [Community-Discuss] AFRINIC and the GDPR > Importance: High > > > > > >> On Apr 10, 2018, at 22:42 , Andrew Alston <[email protected] >> <mailto:[email protected]>> wrote: >> >> Hi AfriNIC Board, >> >> Can this board please *urgently* inform this community as to what >> preparations they have made as regards to compliance with the General Data >> Protection Regulations passed by the European Commision and the board will >> be in a position to give this community a full and complete report as to >> their GDPR compliance status and what will be changing before the 25th of >> May to ensure that when the GDPR comes into force AfriNIC is compliant. > > Is Mauritius signatory to some treaty making them subject to GDPR? > > > >> Considering that the regulation comes into force on the 25th of May 2018 – >> and AfriNIC is 100% holding data of EU Citizens, which makes them subject to >> the regulations irrespective of the fact that they are domiciled in >> Mauritius – this is an urgent and critical issue. It has direct impact on >> the whois database, abuse contact information, handling of data submitted >> during application process and potentially even the proposed review policy, >> just to name a few things that I can think of off the top of my head – and >> cannot be ignored. I would in fact have liked to have seen discussions by >> the board in the minutes that have been published about the GDPR long before >> now – considering the impact – but failing that – the question is now being >> asked. > > It’s not about EU Citizens. It’s about EU Residents. (Common misconception > about GDPR). > > Further, unless your in a silly country that was dumb enough to sign a treaty > extending EU’s legal reach into your sovereignty, such as the stupid congress > of the united States, then you can offer the EU a nice big Italian sign > language gesture regarding their GDPR and continue on with business as usual. > > Owen > > _______________________________________________ Community-Discuss mailing > list [email protected] <mailto:[email protected]> > https://lists.afrinic.net/mailman/listinfo/community-discuss > <https://lists.afrinic.net/mailman/listinfo/community-discuss> > ********************************************** > IPv4 is over > Are you ready for the new Internet ? > http://www.consulintel.es <http://www.consulintel.es/> > The IPv6 Company > > This electronic message contains information which may be privileged or > confidential. The information is intended to be for the exclusive use of the > individual(s) named above and further non-explicilty authorized disclosure, > copying, distribution or use of the contents of this information, even if > partially, including attached files, is strictly prohibited and will be > considered a criminal offense. If you are not the intended recipient be aware > that any disclosure, copying, distribution or use of the contents of this > information, even if partially, including attached files, is strictly > prohibited, will be considered a criminal offense, so you must reply to the > original sender to inform about this communication and delete it.
_______________________________________________ Community-Discuss mailing list [email protected] https://lists.afrinic.net/mailman/listinfo/community-discuss
