Yes… And even WRT whois, if you’re stuck going down the GDPR road, then it’s 
also about the data collected, the “voluntary” nature of the submission of the 
data, etc. It’s much more far-reaching than what is published.


> On Apr 11, 2018, at 06:47 , Andrew Alston <> 
> wrote:
> Mike,
> Also just to clarify – I believe this goes beyond whois data – there is far 
> more data that AfriNIC holds than just the whois data that could be affected 
> by this.  I concede the whois portion I may well be wrong on that – the rest 
> of it – as I said – I simply want to see from AfriNIC a report on that they 
> are doing and where they aren’t in compliance to present that to this 
> community – mindful of the time frames involved – the situation the current 
> board finds facing – and the dictates of section 3.4.iiv of the bylaws
> Andrew
> From: Mike Silber <>
> Date: Wednesday, 11 April 2018 at 16:34
> To: "Abibu R. Ntahigiye" <>
> Cc: Andrew Alston <>, General Discussions of 
> AFRINIC <>, AfriNIC Discuss 
> <>
> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
> If I can add to this, there is as yet no clear direction from the European 
> DPAs as a collective on how GDPR affects whois access in general.
> The RIPE NCC approach is premised on their interactions with the Dutch DPA, 
> rather than a Europe wide approach.
> In addition, I am not sure I concur with Mr Alston’s insistence that “holding 
> data of EU citizens” automatically places AfriNIC into the category of data 
> controller in terms of GDPR or imposes any requirements on AfriNIC, 
> particularly as the GDPR applies to processing of personal data in the 
> context of the activities of an establishment of a controller or a processor 
> in the Union.
> The extraterritorial application is premised on a nexus requirement set out 
> in general terms in Recital 23, but requiring specific determination in terms 
> of national law by Member States.
> Mike
>> On 11 Apr 2018, at 13:36, Abibu R. Ntahigiye < 
>> <>> wrote:
>> Dear Andrew, Members and the whole Afrinic community,
>> Andrew has raised a very important issue for Afrinic operations - Thanks so 
>> much Andrew.
>> The Board would like to inform you that the issue was discussed within the 
>> Board at the Afrinic 27 meeting in Lagos and the Management was tasked to 
>> work on the issue.
>> The Board has also been made aware that the Mauritius Data Protection Act 
>> 2017 is already in effect and is aligned with the EU GDPR regulations.  The 
>> Board believes that these regulations are not a barrier to publication of 
>> the WHOIS data, and it has noted the RIPE NCC study that made such a 
>> finding.  The Board further believes that the biggest changes required by 
>> AFRINIC are in documenting how personal data is used, and in informing 
>> people at the time data is collected. 
>> The AFRINIC management will provide further updates on the issues at AIS 
>> 2018 in Senegal.
>> Further to the above, the Board expects to receive more insights on GDPR  
>> related issues at the joint Boards (AfriNIC and RIPE NCC) meeting planned in 
>> Senegal.
>> Kind regards
>> On 11/04/2018 08:42, Andrew Alston wrote:
>>> Hi AfriNIC Board,
>>> Can this board please *urgently* inform this community as to what 
>>> preparations they have made as regards to compliance with the General Data 
>>> Protection Regulations passed by the European Commision and the board will 
>>> be in a position to give this community a full and complete report as to 
>>> their GDPR compliance status and what will be changing before the 25th of 
>>> May to ensure that when the GDPR comes into force AfriNIC is compliant.
>>> Considering that the regulation comes into force on the 25th of May 2018 – 
>>> and AfriNIC is 100% holding data of EU Citizens, which makes them subject 
>>> to the regulations irrespective of the fact that they are domiciled in 
>>> Mauritius – this is an urgent and critical issue.  It has direct impact on 
>>> the whois database, abuse contact information, handling of data submitted 
>>> during application process and potentially even the proposed review policy, 
>>> just to name a few things that I can think of off the top of my head – and 
>>> cannot be ignored.  I would in fact have liked to have seen discussions by 
>>> the board in the minutes that have been published about the GDPR long 
>>> before now – considering the impact – but failing that – the question is 
>>> now being asked.
>>> Andrew
>>> _______________________________________________
>>> Community-Discuss mailing list
>>> <>
>>> <>
>> -- 
>> Abibu R. Ntahigiye
>> CEO, tzNIC / Interim Chairman, Afrinic.
>> _______________________________________________
>> Community-Discuss mailing list
>> <>
>> <>
> _______________________________________________
> Community-Discuss mailing list

Community-Discuss mailing list

Reply via email to