Here is the ARIN blog post about it: https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/

Rgds,

McTim

On Wed, Apr 11, 2018 at 11:00 AM, Dabu Sifiso <[email protected]> wrote:
>
> Interesting discussion.
>
> It seems many are not aware of the reality of the European Union's extent
> and how RIR divided the world:
>
> https://www.arin.net/vault/about_us/bot/bot2017_1005.html
> "Merike Kaeo indicated that due to General Data Protection Regulations
> (GDPR), organizations are going 'dark' with their information because the
> fines are so high. The President provided more background on GDPR, and
> indicated ARIN was in good shape with regard to GDPR due to its service
> region."
>
> https://www.nro.net/about-the-nro/list-of-country-codes-and-rirs-ordered-by-country-code/
> Martinique is part of France and EU but is serviced by ARIN, not by RIPE
> and there are some more serviced at ARIN.
>
> If what Mike and Owen are saying is correct, the RIR being outside of EU
> is not obliged to be in line with those new rules, but the members from
> France (La Reunion, Mayotte) are responsible under French/EU laws?
>
> The few things I found in regards to GDPR was about exporting private data
> to outside of the European Union, does that mean those members will not be
> able to make use of the AFRINIC database unless they get confirmation that
> AFRINIC is compliant with that GDPR?
>
> Will AFRINIC move those members and their information to the RIPE where
> they will be within the legislation of their own laws?
>
> 11.04.2018, 09:30, "Kris Seeburn" <[email protected]>:
>
> Mike
>
> Réunion and Mayotte are the outermost region
> <https://en.wikipedia.org/wiki/Special_member_state_territories_and_the_European_Union>
> of the European Union <https://en.wikipedia.org/wiki/European_Union> and, as
> an overseas department of France, part of the Eurozone
> <https://en.wikipedia.org/wiki/Eurozone>
>
> On Apr 11, 2018, at 18:23, Mike Silber <[email protected]> wrote:
>
> They are not Member States.
>
> And Owen is not really that accurate in his interpretation.
> He mixes up enforcement (real nexus through operations) with some theoretical
> applicability which is poorly defined and has no practical expression in
> the GDPR and will need national DPAs to provide teeth.
>
> On 11 Apr 2018, at 16:19, Andrew Alston <[email protected]> wrote:
>
> Owen,
>
> Would the fact that AfriNIC serves La Réunion and Mayotte not create
> such a nexus since both are formally part of the EU?
>
> In the same way – there are various EU members served by ARIN?
>
> Andrew
>
> *From:* Owen DeLong [mailto:[email protected] <[email protected]>]
> *Sent:* 11 April 2018 17:12
> *To:* Andrew Alston <[email protected]>
> *Cc:* Mike Silber <[email protected]>; Abibu R. Ntahigiye <[email protected]>; General Discussions of AFRINIC <[email protected]>; AfriNIC Discuss <[email protected]>
> *Subject:* Re: [Community-Discuss] AFRINIC and the GDPR
>
> Roughly translated:
> The ability of EU to inflict GDPR on those operators
> outside of EU is predicated on that operator
> having some business operation or presence within the EU
> which allows them to subject you to their
> jurisdiction. Determining that you have said presence
> requires a specific determination by the
> EU member state where said presence exists.
>
> I’m pretty sure AfriNIC has no such nexus.
>
> However, what is left out of Mike’s statement is the potential that any
> other country may have signed some
> sort of treaty with the EU (or a member state) which subjects them to GDPR
> and/or grants additional
> extraterritorial rights to the EU. Such is (unfortunately) the case with
> the US, for example.
>
> Another key point is that EU citizens not living in Europe are not covered
> by GDPR. Non-EU citizens living
> within the EU are covered by GDPR. (At least that is my understanding…
> AIUI, GDPR applies to EU residents,
> not EU citizens.)
>
> Owen
>
> On Apr 11, 2018, at 06:44, Andrew Alston <[email protected]> wrote:
>
> Thanks Mike,
>
> That’s actually pretty useful in some sense – but can I ask for an English
> interpretation of the last sentence for those of us that sadly don’t speak
> Lawyer ☺
>
> Thanks
>
> Andrew
>
> *From:* Mike Silber <[email protected]>
> *Date:* Wednesday, 11 April 2018 at 16:34
> *To:* "Abibu R. Ntahigiye" <[email protected]>
> *Cc:* Andrew Alston <[email protected]>, General Discussions of AFRINIC <[email protected]>, AfriNIC Discuss <[email protected]>
> *Subject:* Re: [Community-Discuss] AFRINIC and the GDPR
>
> If I can add to this, there is as yet no clear direction from the European
> DPAs as a collective on how GDPR affects whois access in general.
>
> The RIPE NCC approach is premised on their interactions with the Dutch
> DPA, rather than a Europe wide approach.
>
> In addition, I am not sure I concur with Mr Alston’s insistence that
> “holding data of EU citizens” automatically places AfriNIC into the
> category of data controller in terms of GDPR or imposes any requirements on
> AfriNIC, particularly as the GDPR applies to processing of personal data in
> the context of the activities of an establishment of a controller or a
> processor in the Union.
>
> The extraterritorial application is premised on a nexus requirement set
> out in general terms in Recital 23, but requiring specific determination in
> terms of national law by Member States.
>
> Mike
>
> On 11 Apr 2018, at 13:36, Abibu R. Ntahigiye <[email protected]> wrote:
>
> Dear Andrew, Members and the whole Afrinic community,
> Andrew has raised a very important issue for Afrinic operations - Thanks
> so much Andrew.
> The Board would like to inform you that the issue was discussed within the
> Board at the Afrinic 27 meeting in Lagos and the Management was tasked to
> work on the issue.
> The Board has also been made aware that the Mauritius Data Protection Act
> 2017 is already in effect and is aligned with the EU GDPR regulations. The
> Board believes that these regulations are not a barrier to publication of
> the WHOIS data, and it has noted the RIPE NCC study that made such a
> finding. The Board further believes that the biggest changes required by
> AFRINIC are in documenting how personal data is used, and in informing
> people at the time data is collected.
> The AFRINIC management will provide further updates on the issues at AIS
> 2018 in Senegal.
> Further to the above, the Board expects to receive more insights on GDPR
> related issues at the joint Boards (AfriNIC and RIPE NCC) meeting planned
> in Senegal.
>
> Kind regards
>
> On 11/04/2018 08:42, Andrew Alston wrote:
>
> Hi AfriNIC Board,
>
> Can this board please **urgently** inform this community as to what
> preparations they have made as regards to compliance with the General Data
> Protection Regulations passed by the European Commission and the board will
> be in a position to give this community a full and complete report as to
> their GDPR compliance status and what will be changing before the 25th of
> May to ensure that when the GDPR comes into force AfriNIC is compliant.
>
> Considering that the regulation comes into force on the 25th of May 2018
> – and AfriNIC is 100% holding data of EU Citizens, which makes them subject
> to the regulations irrespective of the fact that they are domiciled in
> Mauritius – this is an urgent and critical issue. It has direct impact on
> the whois database, abuse contact information, handling of data submitted
> during application process and potentially even the proposed review policy,
> just to name a few things that I can think of off the top of my head – and
> cannot be ignored.
> I would in fact have liked to have seen discussions by
> the board in the minutes that have been published about the GDPR long
> before now – considering the impact – but failing that – the question is
> now being asked.
>
> Andrew
>
> _______________________________________________
> Community-Discuss mailing list
> [email protected]
> https://lists.afrinic.net/mailman/listinfo/community-discuss
>
> --
> Abibu R. Ntahigiye
>
> CEO, tzNIC / Interim Chairman, Afrinic.
>
> Kris Seeburn
> [email protected]
>
> - www.linkedin.com/in/kseeburn/
>
> "Life is a Beach, it all depends at how you look at it"
