Mike Réunion and Mayotte are the outermost region <https://en.wikipedia.org/wiki/Special_member_state_territories_and_the_European_Union> of the European Union <https://en.wikipedia.org/wiki/European_Union> and, as an overseas department of France, part of the Eurozone <https://en.wikipedia.org/wiki/Eurozone>
> On Apr 11, 2018, at 18:23, Mike Silber <[email protected]> wrote: > > They are not Member States. > > And Owen is not really that accurate in his interpretation. He mixes up > enforcement (real nexus through operations) with some theoretical > applicability which is poorly defined and has no practical expression in the > GDPR and will need national DPAs to provide teeth. > >> On 11 Apr 2018, at 16:19, Andrew Alston <[email protected] >> <mailto:[email protected]>> wrote: >> >> Owen, >> >> Would the fact that AfriNIC serves La Réunion and Mayotte not create such a >> nexus since both are formally part of the EU? >> >> In the same way – there are various EU members served by ARIN? >> >> Andrew >> >> >> From: Owen DeLong [mailto:[email protected] <mailto:[email protected]>] >> Sent: 11 April 2018 17:12 >> To: Andrew Alston <[email protected] >> <mailto:[email protected]>> >> Cc: Mike Silber <[email protected] <mailto:[email protected]>>; >> Abibu R. Ntahigiye <[email protected] <mailto:[email protected]>>; General >> Discussions of AFRINIC <[email protected] >> <mailto:[email protected]>>; AfriNIC Discuss >> <[email protected] <mailto:[email protected]>> >> Subject: Re: [Community-Discuss] AFRINIC and the GDPR >> >> Roughly translated: >> The ability of EU to inflict GDPR on those operators outside >> of EU is predicated on that operator >> having some business operation or presence within the EU >> which allows them to subject you to their >> jurisdiction. Determining that you have said presence >> requires a specific determination by the >> EU member state where said presence exists. >> >> I’m pretty sure AfriNIC has no such nexus. >> >> However, what is left out of Mike’s statement is the potential that any >> other country may have signed some >> sort of treaty with the EU (or a member state) which subjects them to GDPR >> and/or grants additional >> extraterritorial rights to the EU. Such is (unfortunately) the case with the >> US, for example. >> >> Another key point is that EU citizens not living in Europe are not covered >> by GDPR. Non-EU citizens living >> within the EU are covered by GDPR. (At least that is my understanding… AIUI, >> GDPR applies to EU residents, >> not EU citizens.) >> >> Owen >> >> >> >> On Apr 11, 2018, at 06:44 , Andrew Alston <[email protected] >> <mailto:[email protected]>> wrote: >> >> Thanks Mike, >> >> That’s actually pretty useful in some sense – but can I ask for an English >> interpretation of the last sentence for those of us that sadly don’t speak >> Lawyer ☺ >> >> Thanks >> >> Andrew >> >> >> From: Mike Silber <[email protected] <mailto:[email protected]>> >> Date: Wednesday, 11 April 2018 at 16:34 >> To: "Abibu R. Ntahigiye" <[email protected] <mailto:[email protected]>> >> Cc: Andrew Alston <[email protected] >> <mailto:[email protected]>>, General Discussions of AFRINIC >> <[email protected] <mailto:[email protected]>>, >> AfriNIC Discuss <[email protected] >> <mailto:[email protected]>> >> Subject: Re: [Community-Discuss] AFRINIC and the GDPR >> >> If I can add to this, there is as yet no clear direction from the European >> DPAs as a collective on how GDPR affects whois access in general. >> >> The RIPE NCC approach is premised on their interactions with the Dutch DPA, >> rather than a Europe wide approach. >> >> In addition, I am not sure I concur with Mr Alston’s insistence that >> “holding data of EU citizens” automatically places AfriNIC into the category >> of data controller in terms of GDPR or imposes any requirements on AfriNIC, >> particularly as the GDPR applies to processing of personal data in the >> context of the activities of an establishment of a controller or a processor >> in the Union. >> >> The extraterritorial application is premised on a nexus requirement set out >> in general terms in Recital 23, but requiring specific determination in >> terms of national law by Member States. >> >> Mike >> >> >> >> >> On 11 Apr 2018, at 13:36, Abibu R. Ntahigiye <[email protected] >> <mailto:[email protected]>> wrote: >> >> Dear Andrew, Members and the whole Afrinic community, >> Andrew has raised a very important issue for Afrinic operations - Thanks so >> much Andrew. >> The Board would like to inform you that the issue was discussed within the >> Board at the Afrinic 27 meeting in Lagos and the Management was tasked to >> work on the issue. >> The Board has also been made aware that the Mauritius Data Protection Act >> 2017 is already in effect and is aligned with the EU GDPR regulations. The >> Board believes that these regulations are not a barrier to publication of >> the WHOIS data, and it has noted the RIPE NCC study that made such a >> finding. The Board further believes that the biggest changes required by >> AFRINIC are in documenting how personal data is used, and in informing >> people at the time data is collected. >> The AFRINIC management will provide further updates on the issues at AIS >> 2018 in Senegal. >> Further to the above, the Board expects to receive more insights on GDPR >> related issues at the joint Boards (AfriNIC and RIPE NCC) meeting planned in >> Senegal. >> >> Kind regards >> >> >> >> On 11/04/2018 08:42, Andrew Alston wrote: >> Hi AfriNIC Board, >> >> Can this board please *urgently* inform this community as to what >> preparations they have made as regards to compliance with the General Data >> Protection Regulations passed by the European Commision and the board will >> be in a position to give this community a full and complete report as to >> their GDPR compliance status and what will be changing before the 25th of >> May to ensure that when the GDPR comes into force AfriNIC is compliant. >> >> Considering that the regulation comes into force on the 25th of May 2018 – >> and AfriNIC is 100% holding data of EU Citizens, which makes them subject to >> the regulations irrespective of the fact that they are domiciled in >> Mauritius – this is an urgent and critical issue. It has direct impact on >> the whois database, abuse contact information, handling of data submitted >> during application process and potentially even the proposed review policy, >> just to name a few things that I can think of off the top of my head – and >> cannot be ignored. I would in fact have liked to have seen discussions by >> the board in the minutes that have been published about the GDPR long before >> now – considering the impact – but failing that – the question is now being >> asked. >> >> Andrew >> >> >> _______________________________________________ >> Community-Discuss mailing list >> [email protected] <mailto:[email protected]> >> https://lists.afrinic.net/mailman/listinfo/community-discuss >> <https://lists.afrinic.net/mailman/listinfo/community-discuss> >> >> >> >> -- >> Abibu R. Ntahigiye >> >> CEO, tzNIC / Interim Chairman, Afrinic. >> _______________________________________________ >> Community-Discuss mailing list >> [email protected] <mailto:[email protected]> >> https://lists.afrinic.net/mailman/listinfo/community-discuss >> <https://lists.afrinic.net/mailman/listinfo/community-discuss> >> >> _______________________________________________ >> Community-Discuss mailing list >> [email protected] <mailto:[email protected]> >> https://lists.afrinic.net/mailman/listinfo/community-discuss >> <https://lists.afrinic.net/mailman/listinfo/community-discuss> > _______________________________________________ > Community-Discuss mailing list > [email protected] > https://lists.afrinic.net/mailman/listinfo/community-discuss Kris Seeburn [email protected] www.linkedin.com/in/kseeburn/ <http://www.linkedin.com/in/kseeburn/> "Life is a Beach, it all depends at how you look at it"
_______________________________________________ Community-Discuss mailing list [email protected] https://lists.afrinic.net/mailman/listinfo/community-discuss
