Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-17 Thread Arsène Tungali
Thanks Alan.

Wish you all very good discussions and deliberations at the upcoming AIS
that i will miss.
So many things to be discussed there.

Regards,
Arsene


**Arsène Tungali* *
Co-Founder & Executive Director, *Rudi international
*,
CEO,* Smart Services Sarl *, *Mabingwa Forum
*
Tel: +243 993810967
GPG: 523644A0
*Goma, Democratic Republic of Congo*

2015 Mandela Washington Felllow

(YALI) - ISOC Ambassador (IGF Brazil

& Mexico
)
- AFRISIG 2016  - Blogger
 - ICANN's GNSO Council
 Member. AFRINIC Fellow (
Mauritius
)*
- *IGFSA Member  - Internet Governance - Internet
Freedom.

Check the *2016 State of Internet Freedom in DRC* report (English
) and (French
)

2018-04-17 10:52 GMT+02:00 Alan Barrett :

>
>
> > On 16 Apr 2018, at 12:39, Arsène Tungali  wrote:
> > Please consider my message on this as a request from a community member
> to be assured that we are okay and have nothing to worry about.
>
> Please refer to the message already provided by the Chair of the Board at <
> https://lists.afrinic.net/pipermail/community-discuss/
> 2018-April/002093.html>.
>
> Alan Barrett
> CEO, AFRINIC
>
>
> ___
> Community-Discuss mailing list
> Community-Discuss@afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss
>
___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-17 Thread Arsène Tungali
Thanks Alan.

Wish you all very good discussions and deliberations at the upcoming AIS
that i will miss.
So many things to be discussed there.

Regards,
Arsene


**Arsène Tungali* *
Co-Founder & Executive Director, *Rudi international
*,
CEO,* Smart Services Sarl *, *Mabingwa Forum
*
Tel: +243 993810967
GPG: 523644A0
*Goma, Democratic Republic of Congo*

2015 Mandela Washington Felllow

(YALI) - ISOC Ambassador (IGF Brazil

& Mexico
)
- AFRISIG 2016  - Blogger
 - ICANN's GNSO Council
 Member. AFRINIC Fellow (
Mauritius
)*
- *IGFSA Member  - Internet Governance - Internet
Freedom.

Check the *2016 State of Internet Freedom in DRC* report (English
) and (French
)

2018-04-17 10:52 GMT+02:00 Alan Barrett :

>
>
> > On 16 Apr 2018, at 12:39, Arsène Tungali  wrote:
> > Please consider my message on this as a request from a community member
> to be assured that we are okay and have nothing to worry about.
>
> Please refer to the message already provided by the Chair of the Board at <
> https://lists.afrinic.net/pipermail/community-discuss/
> 2018-April/002093.html>.
>
> Alan Barrett
> CEO, AFRINIC
>
>
> ___
> Community-Discuss mailing list
> Community-Discuss@afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss
>
___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-17 Thread Alan Barrett


> On 16 Apr 2018, at 12:39, Arsène Tungali  wrote:
> Please consider my message on this as a request from a community member to be 
> assured that we are okay and have nothing to worry about.

Please refer to the message already provided by the Chair of the Board at 
.

Alan Barrett
CEO, AFRINIC


___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-17 Thread Seun Ojedeji
Indeed! The interconnectivity of networks that makes up the Internet would
make a literal interpretation of GDPR impractical or at least
unimplementable hence a more focused scope of interpretation/application is
required which only the DPAs can provide.

Regards
Sent from my mobile
Kindly excuse brevity and typos

On Tue, Apr 17, 2018, 8:37 AM Mike Silber <silber.m...@gmail.com> wrote:

> EU citizens, EU residents, potentially even visitors to the EU (on
> anything more than a transitory basis).
>
> Still waiting for DPAs to make specific rules.
>
> In the absence of those specific rules - everything else is conjecture.
>
> > On 16 Apr 2018, at 22:34, Jordi Palet Martinez via Community-Discuss <
> community-discuss@afrinic.net> wrote:
> >
> > Even simpler than that. The registration of emails of EU citizens in
> this exploder or in the next AfriNIC meeting.
> >
> > Emails are personal data.
> >
> >
> >> El 16 abr 2018, a las 21:15, ze...@auladin.com escribió:
> >>
> >> Hi Arsene,
> >>
> >> The GDPR applies for data protection for all EU citizens.
> >>
> >> If, for example an EU citizen is the  contact person for a range of IP
> >> addresses provided by Afrinic, then Afrinic needs to ensure this data (
> >> contact details of EU person) meet GDPR obligations, namely, that is has
> >> taken measures to safeguard access to the data and that the data is kept
> >> encrypted.
> >>
> >> If it can prove those 2 processes, then it cannot be fined.
> >>
> >> This is my understanding of the GDPR changes.
> >>
> >>
> >> Best regards,
> >> Zeimm.
> >>
> >>> --
> >>>
> >>> Message: 1
> >>> Date: Mon, 16 Apr 2018 10:39:35 +0200
> >>> From: Ars?ne Tungali <arsenebag...@gmail.com>
> >>> To: wafa DAHMANI <w...@ati.tn>
> >>> Cc: S Moonesamy <sm+afri...@elandsys.com>, General Discussions of
> >>>   AFRINIC <community-discuss@afrinic.net>
> >>> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
> >>> Message-ID:
> >>>   <cabdxvwo+ocetzo0scqcp9dyqfd2fiyelr6gxkcku7ouac6m...@mail.gmail.com>
> >>> Content-Type: text/plain; charset="utf-8"
> >>>
> >>> Hi,
> >>>
> >>> My apologies if i am too alarmant on this or if i am misunderstanding
> this
> >>> issue.
> >>>
> >>> Please consider my message on this as a request from a community
> member to
> >>> be assured that we are okay and have nothing to worry about.
> >>>> From your message, Wafa, i hope i can be at peace with regards to
> Afrinic
> >>> and the GDPR because it is that simple from your perspective.
> >>>
> >>> Regards,
> >>> Arsene
> >>>
> >>> 
> >>> **Ars?ne Tungali* <http://about.me/ArseneTungali>*
> >>> Co-Founder & Executive Director, *Rudi international
> >>> <http://www.rudiinternational.org>*,
> >>> CEO,* Smart Services Sarl <https://www.smart-kitoko.com/>*, *Mabingwa
> >>> Forum
> >>> <http://www.mabingwa-forum.com>*
> >>> Tel: +243 993810967
> >>> GPG: 523644A0
> >>> *Goma, Democratic Republic of Congo*
> >>>
> >>> 2015 Mandela Washington Felllow
> >>> <
> http://tungali.blogspot.com/2015/06/selected-for-2015-mandela-washington.html
> >
> >>> (YALI) - ISOC Ambassador (IGF Brazil
> >>> <
> http://www.internetsociety.org/what-we-do/education-and-leadership-programmes/next-generation-leaders/igf-ambassadors-programme/Past-Ambassadors
> >
> >>> & Mexico
> >>> <
> http://www.internetsociety.org/what-we-do/education-and-leadership-programmes/next-generation-leaders/Current-Ambassadors
> >)
> >>> - AFRISIG 2016 <http://afrisig.org/afrisig-2016/class-of-2016/> -
> Blogger
> >>> <http://tungali.blogspot.com> - ICANN's GNSO Council
> >>> <https://gnso.icann.org/en/about/gnso-council.htm> Member. AFRINIC
> Fellow
> >>> (
> >>> Mauritius
> >>> <
> http://www.afrinic.net/en/library/news/1907-afrinic-25-fellowship-winners
> >)*
> >>> - *IGFSA Member <http://www.igfsa.org/> - Internet Governance -
> Internet
> >>> Freedom.
> >>>
> >>> Chec

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-17 Thread JORDI PALET MARTINEZ via Community-Discuss
I don't think so. Meanwhile, previous Data Protection laws apply, at least 
that's what the Spanish Data Protection Agency say.

If you apply that (LOPD and LSSI laws in Spain) in conjunction to GDPR, you get 
what I told. So at least for Spanish citizens, this is clear.

Regards,
Jordi
 
 
-Mensaje original-
De: Mike Silber <silber.m...@gmail.com>
Fecha: martes, 17 de abril de 2018, 9:36
Para: Jordi Palet Martinez <jordi.pa...@consulintel.es>
CC: <ze...@auladin.com>, <community-discuss@afrinic.net>
Asunto: Re: [Community-Discuss] AFRINIC and the GDPR

EU citizens, EU residents, potentially even visitors to the EU (on anything 
more than a transitory basis).

Still waiting for DPAs to make specific rules.

In the absence of those specific rules - everything else is conjecture.

> On 16 Apr 2018, at 22:34, Jordi Palet Martinez via Community-Discuss 
<community-discuss@afrinic.net> wrote:
> 
> Even simpler than that. The registration of emails of EU citizens in this 
exploder or in the next AfriNIC meeting.
> 
> Emails are personal data.
> 
> 
>> El 16 abr 2018, a las 21:15, ze...@auladin.com escribió:
>> 
>> Hi Arsene,
>> 
>> The GDPR applies for data protection for all EU citizens.
>> 
>> If, for example an EU citizen is the  contact person for a range of IP
>> addresses provided by Afrinic, then Afrinic needs to ensure this data (
>> contact details of EU person) meet GDPR obligations, namely, that is has
>> taken measures to safeguard access to the data and that the data is kept
>> encrypted.
>> 
>> If it can prove those 2 processes, then it cannot be fined.
>> 
>> This is my understanding of the GDPR changes.
>> 
>> 
>> Best regards,
>> Zeimm.
>> 
>>> --
>>> 
>>> Message: 1
>>> Date: Mon, 16 Apr 2018 10:39:35 +0200
>>> From: Ars?ne Tungali <arsenebag...@gmail.com>
    >>> To: wafa DAHMANI <w...@ati.tn>
>>> Cc: S Moonesamy <sm+afri...@elandsys.com>, General Discussions of
>>>   AFRINIC <community-discuss@afrinic.net>
>>> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
>>> Message-ID:
>>>   <cabdxvwo+ocetzo0scqcp9dyqfd2fiyelr6gxkcku7ouac6m...@mail.gmail.com>
>>> Content-Type: text/plain; charset="utf-8"
>>> 
>>> Hi,
>>> 
>>> My apologies if i am too alarmant on this or if i am misunderstanding 
this
>>> issue.
>>> 
>>> Please consider my message on this as a request from a community member 
to
>>> be assured that we are okay and have nothing to worry about.
>>>> From your message, Wafa, i hope i can be at peace with regards to 
Afrinic
>>> and the GDPR because it is that simple from your perspective.
>>> 
>>> Regards,
>>> Arsene
>>> 
>>> 
>>> **Ars?ne Tungali* <http://about.me/ArseneTungali>*
>>> Co-Founder & Executive Director, *Rudi international
>>> <http://www.rudiinternational.org>*,
>>> CEO,* Smart Services Sarl <https://www.smart-kitoko.com/>*, *Mabingwa
>>> Forum
>>> <http://www.mabingwa-forum.com>*
>>> Tel: +243 993810967
>>> GPG: 523644A0
>>> *Goma, Democratic Republic of Congo*
>>> 
>>> 2015 Mandela Washington Felllow
>>> 
<http://tungali.blogspot.com/2015/06/selected-for-2015-mandela-washington.html>
>>> (YALI) - ISOC Ambassador (IGF Brazil
>>> 
<http://www.internetsociety.org/what-we-do/education-and-leadership-programmes/next-generation-leaders/igf-ambassadors-programme/Past-Ambassadors>
>>> & Mexico
>>> 
<http://www.internetsociety.org/what-we-do/education-and-leadership-programmes/next-generation-leaders/Current-Ambassadors>)
>>> - AFRISIG 2016 <http://afrisig.org/afrisig-2016/class-of-2016/> - 
Blogger
>>> <http://tungali.blogspot.com> - ICANN's GNSO Council
>>> <https://gnso.icann.org/en/about/gnso-council.htm> Member. AFRINIC 
Fellow
>>> (
>>> Mauritius
>>> 
<http://www.afrinic.net/en/library/news/1907-afrinic-25-fellowship-winners>)*
>>> - *IGFSA Member <http://www.igfsa.org/> - Internet Governance - Internet
>>

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-17 Thread Mike Silber
EU citizens, EU residents, potentially even visitors to the EU (on anything 
more than a transitory basis).

Still waiting for DPAs to make specific rules.

In the absence of those specific rules - everything else is conjecture.

> On 16 Apr 2018, at 22:34, Jordi Palet Martinez via Community-Discuss 
> <community-discuss@afrinic.net> wrote:
> 
> Even simpler than that. The registration of emails of EU citizens in this 
> exploder or in the next AfriNIC meeting.
> 
> Emails are personal data.
> 
> 
>> El 16 abr 2018, a las 21:15, ze...@auladin.com escribió:
>> 
>> Hi Arsene,
>> 
>> The GDPR applies for data protection for all EU citizens.
>> 
>> If, for example an EU citizen is the  contact person for a range of IP
>> addresses provided by Afrinic, then Afrinic needs to ensure this data (
>> contact details of EU person) meet GDPR obligations, namely, that is has
>> taken measures to safeguard access to the data and that the data is kept
>> encrypted.
>> 
>> If it can prove those 2 processes, then it cannot be fined.
>> 
>> This is my understanding of the GDPR changes.
>> 
>> 
>> Best regards,
>> Zeimm.
>> 
>>> --
>>> 
>>> Message: 1
>>> Date: Mon, 16 Apr 2018 10:39:35 +0200
>>> From: Ars?ne Tungali <arsenebag...@gmail.com>
>>> To: wafa DAHMANI <w...@ati.tn>
>>> Cc: S Moonesamy <sm+afri...@elandsys.com>, General Discussions of
>>>   AFRINIC <community-discuss@afrinic.net>
>>> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
>>> Message-ID:
>>>   <cabdxvwo+ocetzo0scqcp9dyqfd2fiyelr6gxkcku7ouac6m...@mail.gmail.com>
>>> Content-Type: text/plain; charset="utf-8"
>>> 
>>> Hi,
>>> 
>>> My apologies if i am too alarmant on this or if i am misunderstanding this
>>> issue.
>>> 
>>> Please consider my message on this as a request from a community member to
>>> be assured that we are okay and have nothing to worry about.
>>>> From your message, Wafa, i hope i can be at peace with regards to Afrinic
>>> and the GDPR because it is that simple from your perspective.
>>> 
>>> Regards,
>>> Arsene
>>> 
>>> 
>>> **Ars?ne Tungali* <http://about.me/ArseneTungali>*
>>> Co-Founder & Executive Director, *Rudi international
>>> <http://www.rudiinternational.org>*,
>>> CEO,* Smart Services Sarl <https://www.smart-kitoko.com/>*, *Mabingwa
>>> Forum
>>> <http://www.mabingwa-forum.com>*
>>> Tel: +243 993810967
>>> GPG: 523644A0
>>> *Goma, Democratic Republic of Congo*
>>> 
>>> 2015 Mandela Washington Felllow
>>> <http://tungali.blogspot.com/2015/06/selected-for-2015-mandela-washington.html>
>>> (YALI) - ISOC Ambassador (IGF Brazil
>>> <http://www.internetsociety.org/what-we-do/education-and-leadership-programmes/next-generation-leaders/igf-ambassadors-programme/Past-Ambassadors>
>>> & Mexico
>>> <http://www.internetsociety.org/what-we-do/education-and-leadership-programmes/next-generation-leaders/Current-Ambassadors>)
>>> - AFRISIG 2016 <http://afrisig.org/afrisig-2016/class-of-2016/> - Blogger
>>> <http://tungali.blogspot.com> - ICANN's GNSO Council
>>> <https://gnso.icann.org/en/about/gnso-council.htm> Member. AFRINIC Fellow
>>> (
>>> Mauritius
>>> <http://www.afrinic.net/en/library/news/1907-afrinic-25-fellowship-winners>)*
>>> - *IGFSA Member <http://www.igfsa.org/> - Internet Governance - Internet
>>> Freedom.
>>> 
>>> Check the *2016 State of Internet Freedom in DRC* report (English
>>> <http://cipesa.org/?wpfb_dl=234>) and (French
>>> <http://cipesa.org/?wpfb_dl=242>)
>>> 
>>> 2018-04-15 9:37 GMT+02:00 wafa DAHMANI <w...@ati.tn>:
>>> 
>>>> Dear all,
>>>> 
>>>> I think there are some misunderstandings of the issue
>>>> By the way under which laws there will be fines imposed on AFRINIC after
>>>> the 25th  does AFRINIC have subsidiary company in EU area ??
>>>> I think things are more simplier for AFRINIC
>>>> AFRINIC has just to declare that as company is fully respecting  data
>>>> privacy and should appoint a senior responsible for assuring that all
>>>> mecanisms implemebted treating personal
>>>> d

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-17 Thread JORDI PALET MARTINEZ via Community-Discuss
In a recent presentation, 9.9.9.9, confirmed that they have taken the measures 
to fulfill with GDPR. I'm not sure about the others.

Obviously is something that each service provider, web site owner, etc., need 
to tackle in a case by case basis.

Regards,
Jordi
 
 
-Mensaje original-
De: S Moonesamy <sm+afri...@elandsys.com>
Fecha: martes, 17 de abril de 2018, 7:43
Para: Jordi Palet Martinez <jordi.pa...@consulintel.es>, 
<community-discuss@afrinic.net>
Asunto: Re: [Community-Discuss] AFRINIC and the GDPR

Hi Jordi,
At 01:40 PM 16-04-2018, Jordi Palet Martinez via Community-Discuss wrote:
>And forgot to say that IP addresses are also personal data, so the 
>logs when visiting AfriNIC websites or the registration forms, etc., 
>have the same issue :-) DNS servers logs as well ... and so on ...

   PING 1.1.1.1 (1.1.1.1): 56 data bytes
   64 bytes from 1.1.1.1: icmp_seq=0 ttl=61 time=1.592 ms

   PING 8.8.8.8 (8.8.8.8): 56 data bytes
   64 bytes from 8.8.8.8: icmp_seq=0 ttl=59 time=37.581 ms

   PING 9.9.9.9 (9.9.9.9): 56 data bytes
   64 bytes from 9.9.9.9: icmp_seq=0 ttl=61 time=2.817 ms

Two of those DNS services are local.  It is not easy [1] to prove 
that there is a data protection issue.

Regards,
S. Moonesamy

1. Please see the success rate for data protection cases. 





**
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or 
confidential. The information is intended to be for the exclusive use of the 
individual(s) named above and further non-explicilty authorized disclosure, 
copying, distribution or use of the contents of this information, even if 
partially, including attached files, is strictly prohibited and will be 
considered a criminal offense. If you are not the intended recipient be aware 
that any disclosure, copying, distribution or use of the contents of this 
information, even if partially, including attached files, is strictly 
prohibited, will be considered a criminal offense, so you must reply to the 
original sender to inform about this communication and delete it.




___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-16 Thread S Moonesamy

Hi Jordi,
At 01:40 PM 16-04-2018, Jordi Palet Martinez via Community-Discuss wrote:
And forgot to say that IP addresses are also personal data, so the 
logs when visiting AfriNIC websites or the registration forms, etc., 
have the same issue :-) DNS servers logs as well ... and so on ...


  PING 1.1.1.1 (1.1.1.1): 56 data bytes
  64 bytes from 1.1.1.1: icmp_seq=0 ttl=61 time=1.592 ms

  PING 8.8.8.8 (8.8.8.8): 56 data bytes
  64 bytes from 8.8.8.8: icmp_seq=0 ttl=59 time=37.581 ms

  PING 9.9.9.9 (9.9.9.9): 56 data bytes
  64 bytes from 9.9.9.9: icmp_seq=0 ttl=61 time=2.817 ms

Two of those DNS services are local.  It is not easy [1] to prove 
that there is a data protection issue.


Regards,
S. Moonesamy

1. Please see the success rate for data protection cases. 



___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-16 Thread Jordi Palet Martinez via Community-Discuss
And forgot to say that IP addresses are also personal data, so the logs when 
visiting AfriNIC websites or the registration forms, etc., have the same issue 
:-) DNS servers logs as well ... and so on ...


> El 16 abr 2018, a las 22:34, Jordi Palet Martinez via Community-Discuss 
> <community-discuss@afrinic.net> escribió:
> 
> Even simpler than that. The registration of emails of EU citizens in this 
> exploder or in the next AfriNIC meeting.
> 
> Emails are personal data.
> 
> 
>> El 16 abr 2018, a las 21:15, ze...@auladin.com escribió:
>> 
>> Hi Arsene,
>> 
>> The GDPR applies for data protection for all EU citizens.
>> 
>> If, for example an EU citizen is the  contact person for a range of IP
>> addresses provided by Afrinic, then Afrinic needs to ensure this data (
>> contact details of EU person) meet GDPR obligations, namely, that is has
>> taken measures to safeguard access to the data and that the data is kept
>> encrypted.
>> 
>> If it can prove those 2 processes, then it cannot be fined.
>> 
>> This is my understanding of the GDPR changes.
>> 
>> 
>> Best regards,
>> Zeimm.
>> 
>>> --
>>> 
>>> Message: 1
>>> Date: Mon, 16 Apr 2018 10:39:35 +0200
>>> From: Ars?ne Tungali <arsenebag...@gmail.com>
>>> To: wafa DAHMANI <w...@ati.tn>
>>> Cc: S Moonesamy <sm+afri...@elandsys.com>, General Discussions of
>>>   AFRINIC <community-discuss@afrinic.net>
>>> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
>>> Message-ID:
>>>   <cabdxvwo+ocetzo0scqcp9dyqfd2fiyelr6gxkcku7ouac6m...@mail.gmail.com>
>>> Content-Type: text/plain; charset="utf-8"
>>> 
>>> Hi,
>>> 
>>> My apologies if i am too alarmant on this or if i am misunderstanding this
>>> issue.
>>> 
>>> Please consider my message on this as a request from a community member to
>>> be assured that we are okay and have nothing to worry about.
>>>> From your message, Wafa, i hope i can be at peace with regards to Afrinic
>>> and the GDPR because it is that simple from your perspective.
>>> 
>>> Regards,
>>> Arsene
>>> 
>>> 
>>> **Ars?ne Tungali* <http://about.me/ArseneTungali>*
>>> Co-Founder & Executive Director, *Rudi international
>>> <http://www.rudiinternational.org>*,
>>> CEO,* Smart Services Sarl <https://www.smart-kitoko.com/>*, *Mabingwa
>>> Forum
>>> <http://www.mabingwa-forum.com>*
>>> Tel: +243 993810967
>>> GPG: 523644A0
>>> *Goma, Democratic Republic of Congo*
>>> 
>>> 2015 Mandela Washington Felllow
>>> <http://tungali.blogspot.com/2015/06/selected-for-2015-mandela-washington.html>
>>> (YALI) - ISOC Ambassador (IGF Brazil
>>> <http://www.internetsociety.org/what-we-do/education-and-leadership-programmes/next-generation-leaders/igf-ambassadors-programme/Past-Ambassadors>
>>> & Mexico
>>> <http://www.internetsociety.org/what-we-do/education-and-leadership-programmes/next-generation-leaders/Current-Ambassadors>)
>>> - AFRISIG 2016 <http://afrisig.org/afrisig-2016/class-of-2016/> - Blogger
>>> <http://tungali.blogspot.com> - ICANN's GNSO Council
>>> <https://gnso.icann.org/en/about/gnso-council.htm> Member. AFRINIC Fellow
>>> (
>>> Mauritius
>>> <http://www.afrinic.net/en/library/news/1907-afrinic-25-fellowship-winners>)*
>>> - *IGFSA Member <http://www.igfsa.org/> - Internet Governance - Internet
>>> Freedom.
>>> 
>>> Check the *2016 State of Internet Freedom in DRC* report (English
>>> <http://cipesa.org/?wpfb_dl=234>) and (French
>>> <http://cipesa.org/?wpfb_dl=242>)
>>> 
>>> 2018-04-15 9:37 GMT+02:00 wafa DAHMANI <w...@ati.tn>:
>>> 
>>>> Dear all,
>>>> 
>>>> I think there are some misunderstandings of the issue
>>>> By the way under which laws there will be fines imposed on AFRINIC after
>>>> the 25th  does AFRINIC have subsidiary company in EU area ??
>>>> I think things are more simplier for AFRINIC
>>>> AFRINIC has just to declare that as company is fully respecting  data
>>>> privacy and should appoint a senior responsible for assuring that all
>>>> mecanisms implemebted treating personal
>>>> data comply 

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-16 Thread Jordi Palet Martinez via Community-Discuss
Even simpler than that. The registration of emails of EU citizens in this 
exploder or in the next AfriNIC meeting.

Emails are personal data.


> El 16 abr 2018, a las 21:15, ze...@auladin.com escribió:
> 
> Hi Arsene,
> 
> The GDPR applies for data protection for all EU citizens.
> 
> If, for example an EU citizen is the  contact person for a range of IP
> addresses provided by Afrinic, then Afrinic needs to ensure this data (
> contact details of EU person) meet GDPR obligations, namely, that is has
> taken measures to safeguard access to the data and that the data is kept
> encrypted.
> 
> If it can prove those 2 processes, then it cannot be fined.
> 
> This is my understanding of the GDPR changes.
> 
> 
> Best regards,
> Zeimm.
> 
>> --
>> 
>> Message: 1
>> Date: Mon, 16 Apr 2018 10:39:35 +0200
>> From: Ars?ne Tungali <arsenebag...@gmail.com>
>> To: wafa DAHMANI <w...@ati.tn>
>> Cc: S Moonesamy <sm+afri...@elandsys.com>, General Discussions of
>>AFRINIC <community-discuss@afrinic.net>
>> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
>> Message-ID:
>><cabdxvwo+ocetzo0scqcp9dyqfd2fiyelr6gxkcku7ouac6m...@mail.gmail.com>
>> Content-Type: text/plain; charset="utf-8"
>> 
>> Hi,
>> 
>> My apologies if i am too alarmant on this or if i am misunderstanding this
>> issue.
>> 
>> Please consider my message on this as a request from a community member to
>> be assured that we are okay and have nothing to worry about.
>>> From your message, Wafa, i hope i can be at peace with regards to Afrinic
>> and the GDPR because it is that simple from your perspective.
>> 
>> Regards,
>> Arsene
>> 
>> 
>> **Ars?ne Tungali* <http://about.me/ArseneTungali>*
>> Co-Founder & Executive Director, *Rudi international
>> <http://www.rudiinternational.org>*,
>> CEO,* Smart Services Sarl <https://www.smart-kitoko.com/>*, *Mabingwa
>> Forum
>> <http://www.mabingwa-forum.com>*
>> Tel: +243 993810967
>> GPG: 523644A0
>> *Goma, Democratic Republic of Congo*
>> 
>> 2015 Mandela Washington Felllow
>> <http://tungali.blogspot.com/2015/06/selected-for-2015-mandela-washington.html>
>> (YALI) - ISOC Ambassador (IGF Brazil
>> <http://www.internetsociety.org/what-we-do/education-and-leadership-programmes/next-generation-leaders/igf-ambassadors-programme/Past-Ambassadors>
>> & Mexico
>> <http://www.internetsociety.org/what-we-do/education-and-leadership-programmes/next-generation-leaders/Current-Ambassadors>)
>> - AFRISIG 2016 <http://afrisig.org/afrisig-2016/class-of-2016/> - Blogger
>> <http://tungali.blogspot.com> - ICANN's GNSO Council
>> <https://gnso.icann.org/en/about/gnso-council.htm> Member. AFRINIC Fellow
>> (
>> Mauritius
>> <http://www.afrinic.net/en/library/news/1907-afrinic-25-fellowship-winners>)*
>> - *IGFSA Member <http://www.igfsa.org/> - Internet Governance - Internet
>> Freedom.
>> 
>> Check the *2016 State of Internet Freedom in DRC* report (English
>> <http://cipesa.org/?wpfb_dl=234>) and (French
>> <http://cipesa.org/?wpfb_dl=242>)
>> 
>> 2018-04-15 9:37 GMT+02:00 wafa DAHMANI <w...@ati.tn>:
>> 
>>> Dear all,
>>> 
>>> I think there are some misunderstandings of the issue
>>> By the way under which laws there will be fines imposed on AFRINIC after
>>> the 25th  does AFRINIC have subsidiary company in EU area ??
>>> I think things are more simplier for AFRINIC
>>> AFRINIC has just to declare that as company is fully respecting  data
>>> privacy and should appoint a senior responsible for assuring that all
>>> mecanisms implemebted treating personal
>>> data comply with data privacy issues for example AFRINIC should
>>> ISO27001
>>> certified and had a Security Officer (which is mandatory to be ISO27001
>>> certified).
>>> 
>>> 
>>> Best
>>> Wafa
>>> 
>>> 
>>> 
>>> 
>>> --
>>> *De: *"Ars?ne Tungali" <arsenebag...@gmail.com>
>>> *?: *"Mike Silber" <silber.m...@gmail.com>
>>> *Cc: *"S Moonesamy" <sm+afri...@elandsys.com>,
>>> community-discuss@afrinic.net
>>> *Envoy?: *Samedi 14 Avril 2018 11:18:22
>>> *Objet: *Re: [Community-Discuss] AFRINIC an

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-16 Thread zeimm
Hi Arsene,

The GDPR applies for data protection for all EU citizens.

If, for example an EU citizen is the  contact person for a range of IP
addresses provided by Afrinic, then Afrinic needs to ensure this data (
contact details of EU person) meet GDPR obligations, namely, that is has
taken measures to safeguard access to the data and that the data is kept
encrypted.

If it can prove those 2 processes, then it cannot be fined.

This is my understanding of the GDPR changes.


Best regards,
Zeimm.

> --
>
> Message: 1
> Date: Mon, 16 Apr 2018 10:39:35 +0200
> From: Ars?ne Tungali <arsenebag...@gmail.com>
> To: wafa DAHMANI <w...@ati.tn>
> Cc: S Moonesamy <sm+afri...@elandsys.com>, General Discussions of
>   AFRINIC <community-discuss@afrinic.net>
> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
> Message-ID:
>   <cabdxvwo+ocetzo0scqcp9dyqfd2fiyelr6gxkcku7ouac6m...@mail.gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> Hi,
>
> My apologies if i am too alarmant on this or if i am misunderstanding this
> issue.
>
> Please consider my message on this as a request from a community member to
> be assured that we are okay and have nothing to worry about.
>>From your message, Wafa, i hope i can be at peace with regards to Afrinic
> and the GDPR because it is that simple from your perspective.
>
> Regards,
> Arsene
>
> 
> **Ars?ne Tungali* <http://about.me/ArseneTungali>*
> Co-Founder & Executive Director, *Rudi international
> <http://www.rudiinternational.org>*,
> CEO,* Smart Services Sarl <https://www.smart-kitoko.com/>*, *Mabingwa
> Forum
> <http://www.mabingwa-forum.com>*
> Tel: +243 993810967
> GPG: 523644A0
> *Goma, Democratic Republic of Congo*
>
> 2015 Mandela Washington Felllow
> <http://tungali.blogspot.com/2015/06/selected-for-2015-mandela-washington.html>
> (YALI) - ISOC Ambassador (IGF Brazil
> <http://www.internetsociety.org/what-we-do/education-and-leadership-programmes/next-generation-leaders/igf-ambassadors-programme/Past-Ambassadors>
> & Mexico
> <http://www.internetsociety.org/what-we-do/education-and-leadership-programmes/next-generation-leaders/Current-Ambassadors>)
> - AFRISIG 2016 <http://afrisig.org/afrisig-2016/class-of-2016/> - Blogger
> <http://tungali.blogspot.com> - ICANN's GNSO Council
> <https://gnso.icann.org/en/about/gnso-council.htm> Member. AFRINIC Fellow
> (
> Mauritius
> <http://www.afrinic.net/en/library/news/1907-afrinic-25-fellowship-winners>)*
> - *IGFSA Member <http://www.igfsa.org/> - Internet Governance - Internet
> Freedom.
>
> Check the *2016 State of Internet Freedom in DRC* report (English
> <http://cipesa.org/?wpfb_dl=234>) and (French
> <http://cipesa.org/?wpfb_dl=242>)
>
> 2018-04-15 9:37 GMT+02:00 wafa DAHMANI <w...@ati.tn>:
>
>> Dear all,
>>
>> I think there are some misunderstandings of the issue
>> By the way under which laws there will be fines imposed on AFRINIC after
>> the 25th  does AFRINIC have subsidiary company in EU area ??
>> I think things are more simplier for AFRINIC
>> AFRINIC has just to declare that as company is fully respecting  data
>> privacy and should appoint a senior responsible for assuring that all
>> mecanisms implemebted treating personal
>> data comply with data privacy issues for example AFRINIC should
>> ISO27001
>> certified and had a Security Officer (which is mandatory to be ISO27001
>> certified).
>>
>>
>> Best
>> Wafa
>>
>>
>>
>>
>> --
>> *De: *"Ars?ne Tungali" <arsenebag...@gmail.com>
>> *?: *"Mike Silber" <silber.m...@gmail.com>
>> *Cc: *"S Moonesamy" <sm+afri...@elandsys.com>,
>> community-discuss@afrinic.net
>> *Envoy?: *Samedi 14 Avril 2018 11:18:22
>> *Objet: *Re: [Community-Discuss] AFRINIC and the GDPR
>>
>>
>> On Apr 14, 2018, at 7:45 AM, Mike Silber <silber.m...@gmail.com> wrote:
>>
>>
>> My expectation is that the org confirms that is has performed a thorough
>> evaluation and believe any risks have been mitigated.
>>
>> Exactly!
>>
>> If fines are to be imposed on AFRINIC (past May 25th) simply because
>> there
>> was less care taken upfront in dealing with this issue, then it will be
>> a
>> total mess.
>>
>> AFRINIC members need to look closely at this since they might be the
>> ones
>> paying!
>>
>>
>> On Sa

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-16 Thread Arsène Tungali
Hi,

My apologies if i am too alarmant on this or if i am misunderstanding this
issue.

Please consider my message on this as a request from a community member to
be assured that we are okay and have nothing to worry about.
>From your message, Wafa, i hope i can be at peace with regards to Afrinic
and the GDPR because it is that simple from your perspective.

Regards,
Arsene


**Arsène Tungali* <http://about.me/ArseneTungali>*
Co-Founder & Executive Director, *Rudi international
<http://www.rudiinternational.org>*,
CEO,* Smart Services Sarl <https://www.smart-kitoko.com/>*, *Mabingwa Forum
<http://www.mabingwa-forum.com>*
Tel: +243 993810967
GPG: 523644A0
*Goma, Democratic Republic of Congo*

2015 Mandela Washington Felllow
<http://tungali.blogspot.com/2015/06/selected-for-2015-mandela-washington.html>
(YALI) - ISOC Ambassador (IGF Brazil
<http://www.internetsociety.org/what-we-do/education-and-leadership-programmes/next-generation-leaders/igf-ambassadors-programme/Past-Ambassadors>
& Mexico
<http://www.internetsociety.org/what-we-do/education-and-leadership-programmes/next-generation-leaders/Current-Ambassadors>)
- AFRISIG 2016 <http://afrisig.org/afrisig-2016/class-of-2016/> - Blogger
<http://tungali.blogspot.com> - ICANN's GNSO Council
<https://gnso.icann.org/en/about/gnso-council.htm> Member. AFRINIC Fellow (
Mauritius
<http://www.afrinic.net/en/library/news/1907-afrinic-25-fellowship-winners>)*
- *IGFSA Member <http://www.igfsa.org/> - Internet Governance - Internet
Freedom.

Check the *2016 State of Internet Freedom in DRC* report (English
<http://cipesa.org/?wpfb_dl=234>) and (French
<http://cipesa.org/?wpfb_dl=242>)

2018-04-15 9:37 GMT+02:00 wafa DAHMANI <w...@ati.tn>:

> Dear all,
>
> I think there are some misunderstandings of the issue
> By the way under which laws there will be fines imposed on AFRINIC after
> the 25th  does AFRINIC have subsidiary company in EU area ??
> I think things are more simplier for AFRINIC
> AFRINIC has just to declare that as company is fully respecting  data
> privacy and should appoint a senior responsible for assuring that all
> mecanisms implemebted treating personal
> data comply with data privacy issues for example AFRINIC should  ISO27001
> certified and had a Security Officer (which is mandatory to be ISO27001
> certified).
>
>
> Best
> Wafa
>
>
>
>
> --
> *De: *"Arsène Tungali" <arsenebag...@gmail.com>
> *À: *"Mike Silber" <silber.m...@gmail.com>
> *Cc: *"S Moonesamy" <sm+afri...@elandsys.com>,
> community-discuss@afrinic.net
> *Envoyé: *Samedi 14 Avril 2018 11:18:22
> *Objet: *Re: [Community-Discuss] AFRINIC and the GDPR
>
>
> On Apr 14, 2018, at 7:45 AM, Mike Silber <silber.m...@gmail.com> wrote:
>
>
> My expectation is that the org confirms that is has performed a thorough
> evaluation and believe any risks have been mitigated.
>
> Exactly!
>
> If fines are to be imposed on AFRINIC (past May 25th) simply because there
> was less care taken upfront in dealing with this issue, then it will be a
> total mess.
>
> AFRINIC members need to look closely at this since they might be the ones
> paying!
>
>
> On Sat, 14 Apr 2018 at 00:18, S Moonesamy <sm+afri...@elandsys.com> wrote:
>
>> Hi Arsene,
>> At 07:48 AM 13-04-2018, Arsene Tungali wrote:
>> >Reading this thread, I am still awaiting an official statement from
>> >the Board telling us that AFRINIC is safe and at this stage is in
>> >compliance with GDPR when it gets into enforcement next month. Or
>> >maybe did i miss that one?
>>
>> There was a message at
>> https://lists.afrinic.net/pipermail/community-discuss/
>> 2018-April/002093.html
>>
>> >I am not a EU citizen nor do I live in any EU country but i do care
>> >very much about privacy issues in terms of the way WHOIS handles
>> personal data.
>>
>> I suggest sending an email to cont...@afrinic.net if you have
>> questions about the above as I would not know how that works for you
>> given that we do not reside in the same country.
>>
>> Regards,
>> S. Moonesamy
>>
>>
>> ___
>> Community-Discuss mailing list
>> Community-Discuss@afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/community-discuss
>>
>
> ___
> Community-Discuss mailing list
> Community-Discuss@afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss
>
___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-15 Thread wafa DAHMANI
Hi S.Moonesamy ,

I know :) it was just to make things clearer 

Best

Wafa

- Mail original -
De: "S Moonesamy" <sm+afri...@elandsys.com>
À: "wafa DAHMANI" <w...@ati.tn>, community-discuss@afrinic.net
Cc: "Arsene Tungali" <arsenebag...@gmail.com>
Envoyé: Dimanche 15 Avril 2018 09:26:37
Objet: Re: [Community-Discuss] AFRINIC and the GDPR

Hi Wafa,
At 12:37 AM 15-04-2018, wafa DAHMANI wrote:
>  does AFRINIC have subsidiary company in EU area ??

As far as I am aware [1] Afrinic Ltd does not have any subsidiary 
company in a country in the European Union.

Regards,
S. Moonesamy

1. https://www.afrinic.net/images/stories/Library/corp/annual-report-2016.pdf

___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-15 Thread wafa DAHMANI

just to correct not a security officer but a chief information security officer 


Best 

Wafa 

De: "wafa DAHMANI" <w...@ati.tn> 
À: "Arsène Tungali" <arsenebag...@gmail.com> 
Cc: "S Moonesamy" <sm+afri...@elandsys.com>, community-discuss@afrinic.net 
Envoyé: Dimanche 15 Avril 2018 08:37:03 
Objet: Re: [Community-Discuss] AFRINIC and the GDPR 

Dear all, 

I think there are some misunderstandings of the issue 
By the way under which laws there will be fines imposed on AFRINIC after the 
25th  does AFRINIC have subsidiary company in EU area ?? 
I think things are more simplier for AFRINIC 
AFRINIC has just to declare that as company is fully respecting data privacy 
and should appoint a senior responsible for assuring that all mecanisms 
implemebted treating personal 
data comply with data privacy issues for example AFRINIC should ISO27001 
certified and had a Security Officer (which is mandatory to be ISO27001 
certified). 


Best 
Wafa 





De: "Arsène Tungali" <arsenebag...@gmail.com> 
À: "Mike Silber" <silber.m...@gmail.com> 
Cc: "S Moonesamy" <sm+afri...@elandsys.com>, community-discuss@afrinic.net 
Envoyé: Samedi 14 Avril 2018 11:18:22 
Objet: Re: [Community-Discuss] AFRINIC and the GDPR 


On Apr 14, 2018, at 7:45 AM, Mike Silber < silber.m...@gmail.com > wrote: 




My expectation is that the org confirms that is has performed a thorough 
evaluation and believe any risks have been mitigated. 


Exactly! 

If fines are to be imposed on AFRINIC (past May 25th) simply because there was 
less care taken upfront in dealing with this issue, then it will be a total 
mess. 

AFRINIC members need to look closely at this since they might be the ones 
paying! 

BQ_BEGIN


On Sat, 14 Apr 2018 at 00:18, S Moonesamy < sm+afri...@elandsys.com > wrote: 

BQ_BEGIN
Hi Arsene, 
At 07:48 AM 13-04-2018, Arsene Tungali wrote: 
>Reading this thread, I am still awaiting an official statement from 
>the Board telling us that AFRINIC is safe and at this stage is in 
>compliance with GDPR when it gets into enforcement next month. Or 
>maybe did i miss that one? 

There was a message at 
https://lists.afrinic.net/pipermail/community-discuss/2018-April/002093.html 

>I am not a EU citizen nor do I live in any EU country but i do care 
>very much about privacy issues in terms of the way WHOIS handles personal 
>data. 

I suggest sending an email to cont...@afrinic.net if you have 
questions about the above as I would not know how that works for you 
given that we do not reside in the same country. 

Regards, 
S. Moonesamy 


___ 
Community-Discuss mailing list 
Community-Discuss@afrinic.net 
https://lists.afrinic.net/mailman/listinfo/community-discuss 

BQ_END


BQ_END


___ 
Community-Discuss mailing list 
Community-Discuss@afrinic.net 
https://lists.afrinic.net/mailman/listinfo/community-discuss 

___ 
Community-Discuss mailing list 
Community-Discuss@afrinic.net 
https://lists.afrinic.net/mailman/listinfo/community-discuss 
___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-15 Thread wafa DAHMANI
Dear all, 

I think there are some misunderstandings of the issue 
By the way under which laws there will be fines imposed on AFRINIC after the 
25th  does AFRINIC have subsidiary company in EU area ?? 
I think things are more simplier for AFRINIC 
AFRINIC has just to declare that as company is fully respecting data privacy 
and should appoint a senior responsible for assuring that all mecanisms 
implemebted treating personal 
data comply with data privacy issues for example AFRINIC should ISO27001 
certified and had a Security Officer (which is mandatory to be ISO27001 
certified). 


Best 
Wafa 





De: "Arsène Tungali" <arsenebag...@gmail.com> 
À: "Mike Silber" <silber.m...@gmail.com> 
Cc: "S Moonesamy" <sm+afri...@elandsys.com>, community-discuss@afrinic.net 
Envoyé: Samedi 14 Avril 2018 11:18:22 
Objet: Re: [Community-Discuss] AFRINIC and the GDPR 


On Apr 14, 2018, at 7:45 AM, Mike Silber < silber.m...@gmail.com > wrote: 




My expectation is that the org confirms that is has performed a thorough 
evaluation and believe any risks have been mitigated. 


Exactly! 

If fines are to be imposed on AFRINIC (past May 25th) simply because there was 
less care taken upfront in dealing with this issue, then it will be a total 
mess. 

AFRINIC members need to look closely at this since they might be the ones 
paying! 

BQ_BEGIN


On Sat, 14 Apr 2018 at 00:18, S Moonesamy < sm+afri...@elandsys.com > wrote: 

BQ_BEGIN
Hi Arsene, 
At 07:48 AM 13-04-2018, Arsene Tungali wrote: 
>Reading this thread, I am still awaiting an official statement from 
>the Board telling us that AFRINIC is safe and at this stage is in 
>compliance with GDPR when it gets into enforcement next month. Or 
>maybe did i miss that one? 

There was a message at 
https://lists.afrinic.net/pipermail/community-discuss/2018-April/002093.html 

>I am not a EU citizen nor do I live in any EU country but i do care 
>very much about privacy issues in terms of the way WHOIS handles personal 
>data. 

I suggest sending an email to cont...@afrinic.net if you have 
questions about the above as I would not know how that works for you 
given that we do not reside in the same country. 

Regards, 
S. Moonesamy 


___ 
Community-Discuss mailing list 
Community-Discuss@afrinic.net 
https://lists.afrinic.net/mailman/listinfo/community-discuss 

BQ_END


BQ_END


___ 
Community-Discuss mailing list 
Community-Discuss@afrinic.net 
https://lists.afrinic.net/mailman/listinfo/community-discuss 
___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-15 Thread Ish Sookun
Hi Mike,

On 11/04/18 18:19, Mike Silber wrote:
> The Mauritius DPA is actually aligned with the old EU Data Privacy Directive 
> and not the GDPR.

Unfortunately, no.

The Data Protection Act of Mauritius was amended in December 2017 in the
likes of GDPR; and it's already into force.

Regards,

Ish Sookun

___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-15 Thread Ish Sookun
Hi Mike,

On 11/04/18 17:54, Mike Silber wrote:
> However I am still not certain that holding any of that information
> actually makes AfriNIC a controller in terms of the GDPR.

Article 4, paragraph 7 of the General Data Protection Regulations
defines the data controller as follows:

‘controller’ means the natural or legal person, public authority,
agency or other body which, alone or jointly with others, determines
the purposes and means of the processing of personal data; [...]

In my opinion, AfriNIC positions itself as a data controller by
collecting and processing personal data for a purpose (or several
purposes).

Regards,

Ish Sookun

___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-15 Thread Ish Sookun
Hi Mike,

On 11/04/18 17:34, Mike Silber wrote:
> In addition, I am not sure I concur with Mr Alston’s insistence that
> “holding data of EU citizens” automatically places AfriNIC into the
> category of data controller in terms of GDPR or imposes any requirements
> on AfriNIC, particularly as the GDPR applies to processing of personal
> data in the context of the activities of an establishment of a
> controller or a processor in the Union.

Keeping GDPR aside for a while; AfriNIC is incorporated in Mauritius and
abides by Mauritian laws. Thus, it should comply with the "data
controller" definition of the Data Protection Act 2017 of Mauritius.

Now, in the context of GDPR, if AfriNIC is providing a service, whether
paid or free, to EU residents, and in doing so it is collecting,
processing and/or storing personal information about EU residents; it
has to comply with GDPR.

Regards,

Ish Sookun

___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-14 Thread S Moonesamy

Hi Arsene,
At 03:12 AM 14-04-2018, Arsene Tungali wrote:
To be honest, i have never requested any IP resources so i am 
limited in my knowledge of what type of personal information is 
requested when someone is requesting resources from Afrinic. I would 
therefore appreciate to be directed to the RIPE NCC report 
mentionned in that communication.


There is a document about the RIPE NCC implementation at 
https://labs.ripe.net/Members/Athina/how-we-re-implementing-the-gdpr


Just a general question as i am following discussions on the GDPR 
but mostly from the naming community perspectives (being a domain 
name registrant): what impact does the Interim Models (with regards 
to the whois system and personal data and icann's compliance with 
GDPR) suggested by ICANN has on the numbering community? I haven't 
see any discussion on those models here since, from my 
understanding, Afrinic is just another data controller?


To keep our email exchange easy, I'll keep the Interim Models 
proposed by ICANN separate from the what the RIR in Africa has to do 
to comply with the data protection law.  Afrinic Ltd was registered 
as a controller under the Data Protection Act 2004 (Mauritius) [1] 
since several years.  The data protection framework to which it is 
subject has been aligned with the data protection framework for 
countries in the European Union since 2016.  There are some 
advantages to that, e.g. the company can "borrow" some ideas from 
RIPE NCC instead of starting from scratch.


The difference between domain names and number resources is that 
number resources are usually registered to legal entities.  Here is an example:


  netnum: 196.216.2.0 - 196.216.3.255
  netname:AFRINIC
  descr:  AfriNIC - Internal Use
  country:ZA
  org:ORG-AFNC1-AFRINIC

Regards,
S. Moonesamy

1. The current data protection framework is the Data Protection Act 2017.


___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-14 Thread S Moonesamy

Hi Mike,
At 10:45 PM 13-04-2018, Mike Silber wrote:
I am not sure that AfriNIC can provide any definitive opinion. Only 
a DPA can do that.


My expectation is that the org confirms that is has performed a 
thorough evaluation and believe any risks have been mitigated.


Please see Section 4(d) of the Registration Service Agreement.  That 
sentence was also in the previous version of the Registration Service 
Agreement.  The above expectation is what is usually done in a legal 
entity for it to be in compliance with existing regulations.  In my 
opinion, that is part of the day to day business of a company.


Regards,
S. Moonesamy


___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-14 Thread Arsène Tungali
Thank you very much SM for pointing me to that communication from the interim 
Chairman of Afrinic.

To be honest, i have never requested any IP resources so i am limited in my 
knowledge of what type of personal information is requested when someone is 
requesting resources from Afrinic. I would therefore appreciate to be directed 
to the RIPE NCC report mentionned in that communication.

Just a general question as i am following discussions on the GDPR but mostly 
from the naming community perspectives (being a domain name registrant): what 
impact does the Interim Models (with regards to the whois system and personal 
data and icann’s compliance with GDPR) suggested by ICANN has on the numbering 
community? I haven’t see any discussion on those models here since, from my 
understanding, Afrinic is just another data controller?

-
Arsène Tungali,
about.me/ArseneTungali
+243 993810967
GPG: 523644A0
Goma, Democratic Republic of Congo

Sent from my iPhone (excuse typos)

> On Apr 14, 2018, at 12:16 AM, S Moonesamy  wrote:
> 
> Hi Arsene,
> At 07:48 AM 13-04-2018, Arsene Tungali wrote:
>> Reading this thread, I am still awaiting an official statement from the 
>> Board telling us that AFRINIC is safe and at this stage is in compliance 
>> with GDPR when it gets into enforcement next month. Or maybe did i miss that 
>> one?
> 
> There was a message at 
> https://lists.afrinic.net/pipermail/community-discuss/2018-April/002093.html
> 
>> I am not a EU citizen nor do I live in any EU country but i do care very 
>> much about privacy issues in terms of the way WHOIS handles personal data.
> 
> I suggest sending an email to cont...@afrinic.net if you have questions about 
> the above as I would not know how that works for you given that we do not 
> reside in the same country.
> 
> Regards,
> S. Moonesamy 

___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-14 Thread Arsène Tungali
> 
> On Apr 14, 2018, at 7:45 AM, Mike Silber  wrote:
> 
> My expectation is that the org confirms that is has performed a thorough 
> evaluation and believe any risks have been mitigated.
Exactly! 

If fines are to be imposed on AFRINIC (past May 25th) simply because there was 
less care taken upfront in dealing with this issue, then it will be a total 
mess. 

AFRINIC members need to look closely at this since they might be the ones 
paying!
> 
>> On Sat, 14 Apr 2018 at 00:18, S Moonesamy  wrote:
>> Hi Arsene,
>> At 07:48 AM 13-04-2018, Arsene Tungali wrote:
>> >Reading this thread, I am still awaiting an official statement from 
>> >the Board telling us that AFRINIC is safe and at this stage is in 
>> >compliance with GDPR when it gets into enforcement next month. Or 
>> >maybe did i miss that one?
>> 
>> There was a message at 
>> https://lists.afrinic.net/pipermail/community-discuss/2018-April/002093.html
>> 
>> >I am not a EU citizen nor do I live in any EU country but i do care 
>> >very much about privacy issues in terms of the way WHOIS handles personal 
>> >data.
>> 
>> I suggest sending an email to cont...@afrinic.net if you have 
>> questions about the above as I would not know how that works for you 
>> given that we do not reside in the same country.
>> 
>> Regards,
>> S. Moonesamy 
>> 
>> 
>> ___
>> Community-Discuss mailing list
>> Community-Discuss@afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/community-discuss
___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-13 Thread S Moonesamy

Hi Arsene,
At 07:48 AM 13-04-2018, Arsene Tungali wrote:
Reading this thread, I am still awaiting an official statement from 
the Board telling us that AFRINIC is safe and at this stage is in 
compliance with GDPR when it gets into enforcement next month. Or 
maybe did i miss that one?


There was a message at 
https://lists.afrinic.net/pipermail/community-discuss/2018-April/002093.html


I am not a EU citizen nor do I live in any EU country but i do care 
very much about privacy issues in terms of the way WHOIS handles personal data.


I suggest sending an email to cont...@afrinic.net if you have 
questions about the above as I would not know how that works for you 
given that we do not reside in the same country.


Regards,
S. Moonesamy 



___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-13 Thread Badru Ntege
Ashok 

Thanks for this clarification


On 4/12/18, 12:59 PM, "Ashok"  wrote:

Dear All,
Mauritius has signed the the European Convention for Protection of 
Individuals with regard to Automatic Processing of Personal Data 
(commonly known as Convention 108), to which  it acceded to on 17 June 
2016 at Strasbourg, France.
On a side note, Convention 108 is the first and only international 
legally binding instrument dealing explicitly with data protection and 
currently has 51 signatories including 47 Council of Europe Member 
States as well as Uruguay until Mauritius became the 49th State Party 
and the first African country. The treaty entered into force on 1 
October 2016 in Mauritius. [ Extract from Data Protection Office Document].
This is how GDPR applies to Mauritius and since then The Data Protection 
Act 2017 has incorporated same in our local law.
Ashok.,

On 11/04/2018 20:47, S Moonesamy wrote:
> Hi Owen,
> At 09:05 AM 11-04-2018, Owen DeLong wrote:
>> Since AfriNIC isn't actually present in either location, it's up to 
>> the government of Mauritius whether it would do any of the following:
>> 1.Allow suit based on GDPR violation to be brought in an MU court.
>> 2.Extradite AfriNIC for suit in a court of competent jurisdiction in 
>> one of those countries.
>
> I doubt that (1) is how the data protection law works in Mauritius.
>
>> However, given the new information from Kirs that MU signed a safe 
>> harbor treaty with EU subjecting MU to EU ICO->GDPR, then yes, 
>> everyone and all organizations in MU are subject to GDPR by virtue of 
>> the treaty requiring MU to do one of the two things above in such a 
>> case.
>
> I gather that you are referring to the safe harbor framework [1] 
> between the United States and the European Union.  I doubt that legal 
> entities in Mauritius are subject to the GDPR per se [2] as they are 
> not in the European Union.  Which treaty are you referring to?
>
> Regards,
> S. Moonesamy
>
> 1. 
> 
https://www.ftc.gov/tips-advice/business-center/privacy-and-security/u.s.-eu-safe-harbor-framework
> 2. There may be exceptions to this.
>
> ___
> Community-Discuss mailing list
> Community-Discuss@afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss


___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss




___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-13 Thread Arsène Tungali
Reading this thread, I am still awaiting an official statement from the
Board telling us that AFRINIC is safe and at this stage is in compliance
with GDPR when it gets into enforcement next month. Or maybe did i miss
that one?

I am not a EU citizen nor do I live in any EU country but i do care very
much about privacy issues in terms of the way WHOIS handles personal data.


**Arsène Tungali* *
Co-Founder & Executive Director, *Rudi international
*,
CEO,* Smart Services Sarl *, *Mabingwa Forum
*
Tel: +243 993810967
GPG: 523644A0
*Goma, Democratic Republic of Congo*

2015 Mandela Washington Felllow

(YALI) - ISOC Ambassador (IGF Brazil

& Mexico
)
- AFRISIG 2016  - Blogger
 - ICANN's GNSO Council
 Member. AFRINIC Fellow (
Mauritius
)*
- *IGFSA Member  - Internet Governance - Internet
Freedom.

Check the *2016 State of Internet Freedom in DRC* report (English
) and (French
)

2018-04-12 11:55 GMT+02:00 Ashok :

> Dear All,
> Mauritius has signed the the European Convention for Protection of
> Individuals with regard to Automatic Processing of Personal Data (commonly
> known as Convention 108), to which  it acceded to on 17 June 2016 at
> Strasbourg, France.
> On a side note, Convention 108 is the first and only international legally
> binding instrument dealing explicitly with data protection and currently
> has 51 signatories including 47 Council of Europe Member States as well as
> Uruguay until Mauritius became the 49th State Party and the first African
> country. The treaty entered into force on 1 October 2016 in Mauritius. [
> Extract from Data Protection Office Document].
> This is how GDPR applies to Mauritius and since then The Data Protection
> Act 2017 has incorporated same in our local law.
> Ashok.,
>
>
> On 11/04/2018 20:47, S Moonesamy wrote:
>
>> Hi Owen,
>> At 09:05 AM 11-04-2018, Owen DeLong wrote:
>>
>>> Since AfriNIC isn't actually present in either location, it's up to the
>>> government of Mauritius whether it would do any of the following:
>>> 1.Allow suit based on GDPR violation to be brought in an MU court.
>>> 2.Extradite AfriNIC for suit in a court of competent jurisdiction in one
>>> of those countries.
>>>
>>
>> I doubt that (1) is how the data protection law works in Mauritius.
>>
>> However, given the new information from Kirs that MU signed a safe harbor
>>> treaty with EU subjecting MU to EU ICO->GDPR, then yes, everyone and all
>>> organizations in MU are subject to GDPR by virtue of the treaty requiring
>>> MU to do one of the two things above in such a case.
>>>
>>
>> I gather that you are referring to the safe harbor framework [1] between
>> the United States and the European Union.  I doubt that legal entities in
>> Mauritius are subject to the GDPR per se [2] as they are not in the
>> European Union.  Which treaty are you referring to?
>>
>> Regards,
>> S. Moonesamy
>>
>> 1. https://www.ftc.gov/tips-advice/business-center/privacy-and-
>> security/u.s.-eu-safe-harbor-framework
>> 2. There may be exceptions to this.
>>
>> ___
>> Community-Discuss mailing list
>> Community-Discuss@afrinic.net
>> https://lists.afrinic.net/mailman/listinfo/community-discuss
>>
>
>
> ___
> Community-Discuss mailing list
> Community-Discuss@afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss
>
___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-12 Thread Ashok

Dear All,
Mauritius has signed the the European Convention for Protection of 
Individuals with regard to Automatic Processing of Personal Data 
(commonly known as Convention 108), to which  it acceded to on 17 June 
2016 at Strasbourg, France.
On a side note, Convention 108 is the first and only international 
legally binding instrument dealing explicitly with data protection and 
currently has 51 signatories including 47 Council of Europe Member 
States as well as Uruguay until Mauritius became the 49th State Party 
and the first African country. The treaty entered into force on 1 
October 2016 in Mauritius. [ Extract from Data Protection Office Document].
This is how GDPR applies to Mauritius and since then The Data Protection 
Act 2017 has incorporated same in our local law.

Ashok.,

On 11/04/2018 20:47, S Moonesamy wrote:

Hi Owen,
At 09:05 AM 11-04-2018, Owen DeLong wrote:
Since AfriNIC isn't actually present in either location, it's up to 
the government of Mauritius whether it would do any of the following:

1.Allow suit based on GDPR violation to be brought in an MU court.
2.Extradite AfriNIC for suit in a court of competent jurisdiction in 
one of those countries.


I doubt that (1) is how the data protection law works in Mauritius.

However, given the new information from Kirs that MU signed a safe 
harbor treaty with EU subjecting MU to EU ICO->GDPR, then yes, 
everyone and all organizations in MU are subject to GDPR by virtue of 
the treaty requiring MU to do one of the two things above in such a 
case.


I gather that you are referring to the safe harbor framework [1] 
between the United States and the European Union.  I doubt that legal 
entities in Mauritius are subject to the GDPR per se [2] as they are 
not in the European Union.  Which treaty are you referring to?


Regards,
S. Moonesamy

1. 
https://www.ftc.gov/tips-advice/business-center/privacy-and-security/u.s.-eu-safe-harbor-framework

2. There may be exceptions to this.

___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss



___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread S Moonesamy

Hi Owen,
At 10:29 AM 11-04-2018, Owen DeLong wrote:
I'm not referring to any specific treaty. I'm stating that the 
mechanism by which MU could subject its citizens to EU jurisdiction 
would be a treaty signed by EU and MU.


Thank you for the clarification.

Regards,
S. Moonesamy 



___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Owen DeLong


> On Apr 11, 2018, at 09:47 , S Moonesamy  wrote:
> 
> Hi Owen,
> At 09:05 AM 11-04-2018, Owen DeLong wrote:
>> Since AfriNIC isn't actually present in either location, it's up to the 
>> government of Mauritius whether it would do any of the following:
>> 1.Allow suit based on GDPR violation to be brought in an MU court.
>> 2.Extradite AfriNIC for suit in a court of competent jurisdiction in one of 
>> those countries.
> 
> I doubt that (1) is how the data protection law works in Mauritius.
> 
>> However, given the new information from Kirs that MU signed a safe harbor 
>> treaty with EU subjecting MU to EU ICO->GDPR, then yes, everyone and all 
>> organizations in MU are subject to GDPR by virtue of the treaty requiring MU 
>> to do one of the two things above in such a case.
> 
> I gather that you are referring to the safe harbor framework [1] between the 
> United States and the European Union.  I doubt that legal entities in 
> Mauritius are subject to the GDPR per se [2] as they are not in the European 
> Union.  Which treaty are you referring to?
> 
> Regards,
> S. Moonesamy
> 
> 1. 
> https://www.ftc.gov/tips-advice/business-center/privacy-and-security/u.s.-eu-safe-harbor-framework
> 2. There may be exceptions to this. 

I’m not referring to any specific treaty. I’m stating that the mechanism by 
which MU could subject its citizens to EU jurisdiction would be a treaty signed 
by EU and MU.

Owen


___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread S Moonesamy

Hi Owen,
At 09:05 AM 11-04-2018, Owen DeLong wrote:
Since AfriNIC isn't actually present in either location, it's up to 
the government of Mauritius whether it would do any of the following:

1.Allow suit based on GDPR violation to be brought in an MU court.
2.Extradite AfriNIC for suit in a court of competent jurisdiction in 
one of those countries.


I doubt that (1) is how the data protection law works in Mauritius.

However, given the new information from Kirs that MU signed a safe 
harbor treaty with EU subjecting MU to EU ICO->GDPR, then yes, 
everyone and all organizations in MU are subject to GDPR by virtue 
of the treaty requiring MU to do one of the two things above in such a case.


I gather that you are referring to the safe harbor framework [1] 
between the United States and the European Union.  I doubt that legal 
entities in Mauritius are subject to the GDPR per se [2] as they are 
not in the European Union.  Which treaty are you referring to?


Regards,
S. Moonesamy

1. 
https://www.ftc.gov/tips-advice/business-center/privacy-and-security/u.s.-eu-safe-harbor-framework
2. There may be exceptions to this. 



___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread John Walu
; In the same way – there are various EU members served by ARIN?
>>
>>
>> Andrew
>>
>>
>> *From:* Owen DeLong [mailto:o...@delong.com <o...@delong.com>]
>> *Sent:* 11 April 2018 17:12
>> *To:* Andrew Alston <andrew.als...@liquidtelecom.com>
>> *Cc:* Mike Silber <silber.m...@gmail.com>; Abibu R. Ntahigiye <
>> ab...@tznic.or.tz>; General Discussions of AFRINIC <
>> community-discuss@afrinic.net>; AfriNIC Discuss <
>> members-disc...@afrinic.net>
>> *Subject:* Re: [Community-Discuss] AFRINIC and the GDPR
>>
>> Roughly translated:
>>The ability of EU to inflict GDPR on those operators
>> outside of EU is predicated on that operator
>>having some business operation or presence within the EU
>> which allows them to subject you to their
>>jurisdiction. Determining that you have said presence
>> requires a specific determination by the
>>EU member state where said presence exists.
>>
>> I’m pretty sure AfriNIC has no such nexus.
>>
>> However, what is left out of Mike’s statement is the potential that any
>> other country may have signed some
>> sort of treaty with the EU (or a member state) which subjects them to
>> GDPR and/or grants additional
>> extraterritorial rights to the EU. Such is (unfortunately) the case with
>> the US, for example.
>>
>> Another key point is that EU citizens not living in Europe are not
>> covered by GDPR. Non-EU citizens living
>> within the EU are covered by GDPR. (At least that is my understanding…
>> AIUI, GDPR applies to EU residents,
>> not EU citizens.)
>>
>> Owen
>>
>>
>>
>>
>> On Apr 11, 2018, at 06:44 , Andrew Alston <Andrew.Alston@liquidtelecom.c
>> om> wrote:
>>
>> Thanks Mike,
>>
>> That’s actually pretty useful in some sense – but can I ask for an
>> English interpretation of the last sentence for those of us that sadly
>> don’t speak Lawyer ☺
>>
>> Thanks
>>
>> Andrew
>>
>>
>> *From: *Mike Silber <silber.m...@gmail.com>
>> *Date: *Wednesday, 11 April 2018 at 16:34
>> *To: *"Abibu R. Ntahigiye" <ab...@tznic.or.tz>
>> *Cc: *Andrew Alston <andrew.als...@liquidtelecom.com>, General
>> Discussions of AFRINIC <community-discuss@afrinic.net>, AfriNIC Discuss <
>> members-disc...@afrinic.net>
>> *Subject: *Re: [Community-Discuss] AFRINIC and the GDPR
>>
>> If I can add to this, there is as yet no clear direction from the
>> European DPAs as a collective on how GDPR affects whois access in general.
>>
>> The RIPE NCC approach is premised on their interactions with the Dutch
>> DPA, rather than a Europe wide approach.
>>
>> In addition, I am not sure I concur with Mr Alston’s insistence that
>> “holding data of EU citizens” automatically places AfriNIC into the
>> category of data controller in terms of GDPR or imposes any requirements on
>> AfriNIC, particularly as the GDPR applies to processing of personal data in
>> the context of the activities of an establishment of a controller or a
>> processor in the Union.
>>
>> The extraterritorial application is premised on a nexus requirement set
>> out in general terms in Recital 23, but requiring specific determination in
>> terms of national law by Member States.
>>
>> Mike
>>
>>
>>
>>
>>
>> On 11 Apr 2018, at 13:36, Abibu R. Ntahigiye <ab...@tznic.or.tz> wrote:
>>
>> Dear Andrew, Members and the whole Afrinic community,
>> Andrew has raised a very important issue for Afrinic operations - Thanks
>> so much Andrew.
>> The Board would like to inform you that the issue was discussed within
>> the Board at the Afrinic 27 meeting in Lagos and the Management was tasked
>> to work on the issue.
>> The Board has also been made aware that the Mauritius Data Protection Act
>> 2017 is already in effect and is aligned with the EU GDPR regulations.  The
>> Board believes that these regulations are not a barrier to publication of
>> the WHOIS data, and it has noted the RIPE NCC study that made such a
>> finding.  The Board further believes that the biggest changes required by
>> AFRINIC are in documenting how personal data is used, and in informing
>> people at the time data is collected.
>> The AFRINIC management will provide further updates on the issues at AIS
>> 2018 in Senegal.
>> Further to the above, the Board expects to receive more insights on GDPR
>> related issues a

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Owen DeLong
I didn’t say it was unnecessary. I said it was bad. GDPR is a bad regulation as 
far as I’m concerned and the more its grasp expands, the worse it is for all 
affected.

If for no other reason than the incredible extra-territorial jurisdiction 
land-grab, this sets a terrible precedent.

Owen


> On Apr 11, 2018, at 09:08 , Kris Seeburn  wrote:
> 
> Not quite bad it’s business and economic based. Most of the BPO companies are 
> and have EU citizen /resident data and for the outsourcing to continue to 
> operate within bounds and still survive. I do not think Mauritian government 
> had any option than to go forward with this. Now the agreement with EU 
> alignment dates way back in 2006 if i recall. It was also because of EU 
> business operations which wanted to ensure that Mauritius was a signatory and 
> aligned with safe harbour principles and data protection and privacy rules.
> 
> A small island which needs various economic sectors to be economically viable 
> does not have any options. Mauritius benefits heavily from the EU. Pot luck….
> 
>> On Apr 11, 2018, at 20:01, Owen DeLong > > wrote:
>> 
>> Well, then, that makes it just as bad for MU as it is for US.
>> 
>> Owen
>> 
>> 
>>> On Apr 10, 2018, at 23:18 , Kris Seeburn >> > wrote:
>>> 
>>> Mauritius is signatory that’s where the safe harbour was put In place years 
>>> back. All BPOs in mauritius are holding EU citizen / resident data. the 
>>> Data Protection office will be fast tracking to look like ICO which is 
>>> renamed GDPR anyways.
>>> 
>>> Kris
>>> 
>>> On 11 Apr 2018, at 10:08, Owen DeLong >> > wrote:
>>> 
 
 
> On Apr 10, 2018, at 22:42 , Andrew Alston 
>  > wrote:
> 
> Hi AfriNIC Board,
>  
> Can this board please *urgently* inform this community as to what 
> preparations they have made as regards to compliance with the General 
> Data Protection Regulations passed by the European Commision and the 
> board will be in a position to give this community a full and complete 
> report as to their GDPR compliance status and what will be changing 
> before the 25th of May to ensure that when the GDPR comes into force 
> AfriNIC is compliant.
 
 Is Mauritius signatory to some treaty making them subject to GDPR?
  
> Considering that the regulation comes into force on the 25th of May 2018 
> – and AfriNIC is 100% holding data of EU Citizens, which makes them 
> subject to the regulations irrespective of the fact that they are 
> domiciled in Mauritius – this is an urgent and critical issue.  It has 
> direct impact on the whois database, abuse contact information, handling 
> of data submitted during application process and potentially even the 
> proposed review policy, just to name a few things that I can think of off 
> the top of my head – and cannot be ignored.  I would in fact have liked 
> to have seen discussions by the board in the minutes that have been 
> published about the GDPR long before now – considering the impact – but 
> failing that – the question is now being asked.
 
 It’s not about EU Citizens. It’s about EU Residents. (Common misconception 
 about GDPR).
 
 Further, unless your in a silly country that was dumb enough to sign a 
 treaty extending EU’s legal reach into your sovereignty, such as the 
 stupid congress of the united States, then you can offer the EU a nice big 
 Italian sign language gesture regarding their GDPR and continue on with 
 business as usual.
 
 Owen
 
 ___
 Community-Discuss mailing list
 Community-Discuss@afrinic.net 
 https://lists.afrinic.net/mailman/listinfo/community-discuss 
 
>> 
> 
> 
> 
> 
> 
> Kris Seeburn
> seebur...@gmail.com 
> www.linkedin.com/in/kseeburn/ 
> 
> "Life is a Beach, it all depends at how you look at it"
> 
> 
> 

___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Owen DeLong


> On Apr 11, 2018, at 08:07 , John Walu  wrote:
> 
> Further, unless your in a silly country that was dumb enough to sign a treaty 
> extending EU’s legal reach into your sovereignty, such as the stupid congress 
> of the united States, then you can offer the EU a nice big Italian sign 
> language gesture regarding their GDPR and continue on with business as usual.
> 
> @Owen, the above is not entirely true.
> 
> EU regulation/GDPR does affect African countries in general.  Or at least 
> those wishing to remain trade partners  with European Countries.
> 
> Most of Africa has little or no Data Protection/Privacy laws (with a few 
> exception being Ghana, Mauritius, SA, etc). Kenya for example doesn't have 
> one.  
> 
> Should Kenya show the EU the middle finger?
> 
> Yes they could. But essentially, that middle finger will translate into 
> losing money. 
> 
> A European Union Company would for example NOTdare engage (Data-wise/Business 
> wise) with a Kenyan partner/subsidiary that for example sells flowers to 
> European destinations/customers since Kenyan privacy /data protection 
> environment would be suspect. 
> 
> Whereas the EU cannot directly hold the Kenyan company liable for breaches, 
> it will penalize the European company thoroughly. The net effect is that most 
> European companies would review their risk profiles with African partners and 
> basically cut linkages or open new ones -  only with 'compliant' countries in 
> Africa.

Sure… There’s the question of actual jurisdiction vs. voluntary compliance. Any 
given organization in Africa may find that it wishes to comply with GDPR 
voluntarily in order to avoid such issues, but my point was that the EU does 
not automatically have world-wide jurisdiction over other sovereign nations and 
unless some form of voluntary subjugation is created through treaty or other 
mechanisms (economic extortion by the EU as you have described, for example), 
then there are no actual legal consequences to an organization outside of the 
EU for violating GDPR.

> Unlike US, Africa does need EU Euros ;-). And so we will have to improve our 
> Data protection regimes. Though it would have been good if we did it out of 
> our own volition.

I personally thing that GDPR goes too far and has a number of rather onerous 
requirements (maintaining a person on staff domiciled in the EU, for example) 
that should be closely examined by those feeling we should all just roll over 
and take it from the EU.

> Now more specifically for the Afrinic registry,
> 
> The board  just need to do an impact analysis of the GDPR on the Afrinic 
> Company and share with members.

Yes.

> Just off my head, the data within the registry (IP, Whois, etc) would need to 
> be protected. Essentially, if we have some data sitting in our Mauritius/SA 
> registries and it relates to European citizens/subject then we need to review 
> it in light of the GDPR requirements.  Essentially EU citizens/residents have 
> a whole list of rights to the data (consent, delete, etc) and whoever is 
> hosting it also has some obligations.

IF and only IF they are legally or voluntarily subject to EU jurisdiction. 
Apparently in the case of MU, due to treaties signed by MU and MU’s own DPA, 
AfriNIC is legally subject. Due to treaty obligations, US and US Organizations 
are subject.

Likely, Kenya is not legally subject (as Mike pointed out, there is 
clarification needed on this), but Kenyan entities may wish to voluntarily 
subject themselves in order to preserve their ability to do business with 
certain organizations in EU. This is an individual and voluntary decision which 
must be made by each entity, however, rather than legal subjugation.

The clarification is that while EU may consider them legally subject, the EU’s 
ability to enforce EU law upon entities within Kenya is entirely up to the 
Kenyan government. Just as no US entity would take it seriously if Kenya passed 
a law requiring all US residents to wear red bandanas. Sure, if we were 
visiting Kenya, we’d likely wear the bandanas while we’re there, because that’s 
within Kenyan jurisdiction and we are during that time subject to Kenyan 
sovereignty. But while we’re home in the US, we’re not subject to Kenyan laws.

US gets creative on some of this subjecting its citizens to certain US laws 
regardless of location (for example, it’s illegal under US law for a US Citizen 
to conduct a space launch without authorization from the FAA Office of Space 
Transportation no matter where in the world said launch is conducted). However, 
they have no control whatsoever over what Kenyan citizens do in Kenya.

Owen

> 
> That's my 1bitcoin on the matter ;-)
> 
> walu. 
> 
> 
> 
> 
> 
> On Wed, Apr 11, 2018 at 9:08 AM, Owen DeLong  > wrote:
> 
> 
>> On Apr 10, 2018, at 22:42 , Andrew Alston > > wrote:
>> 
>> Hi 

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Andrew Alston
In the past and by precedent voting at a meeting includes electronic votes cast 
during the course of a meeting.

Of course the board must rule on this - but failure to open the electronic vote 
would be massively prejudicial to the majority of the member base.

Andrew

Get Outlook for iOS<https://aka.ms/o0ukef>

From: Owen DeLong <o...@delong.com>
Sent: Wednesday, April 11, 2018 7:09:29 PM
To: Andrew Alston
Cc: Jan Zorz Go6; community-discuss@afrinic.net; members-disc...@afrinic.net
Subject: Re: [Community-Discuss] AFRINIC and the GDPR

That isn’t the question.

The question is… Since the wording of the motion specifically states “by ballot 
at the SGMM”, I am asking whether said ballot would include electronic voting 
leading up to the SGMM or not.

It could be argued that the specific text of the motion precludes electronic 
voting participation and only allows those present at the SGMM to cast votes 
(whether their own or as proxies for those not present or combination), 
depending on the specific legal definition of “ballot at the SGMM” under the 
regulations governing same.

It seems to me that clarification on this question is quite vital as I believe 
that the outcome of such an election could be severely tainted if electronic 
voting is not permitted.

While I do not have the ability to vote in either case, it seems to me that 
voters should be well informed of how the choice of electorate is affected by 
the wording in the motion prior to voting on the motion.

Owen

On Apr 11, 2018, at 07:21 , Andrew Alston 
<andrew.als...@liquidtelecom.com<mailto:andrew.als...@liquidtelecom.com>> wrote:

Owen,

I would presume that people could still vote for said directors – both before 
or after the vote is passed if it does indeed pass.

I would however hope that if the vote passed – the directors who were part of 
the current board would do the honorable thing and honor the motion and step 
aside.

Andrew


From: Owen DeLong [mailto:o...@delong.com]
Sent: 11 April 2018 17:15
To: Jan Zorz Go6 <j...@go6.si<mailto:j...@go6.si>>
Cc: Andrew Alston 
<andrew.als...@liquidtelecom.com<mailto:andrew.als...@liquidtelecom.com>>; 
community-discuss@afrinic.net<mailto:community-discuss@afrinic.net>; 
members-disc...@afrinic.net<mailto:members-disc...@afrinic.net>
Subject: Re: [Community-Discuss] AFRINIC and the GDPR

Can we get a clarification from staff whether the wording in this motion would 
permit or preclude electronic voting for the directors to be elected at the 
proposed SGMM?

Thanks,

Owen



On Apr 11, 2018, at 06:10 , Jan Zorz Go6 <j...@go6.si<mailto:j...@go6.si>> 
wrote:

Oh boy... Interesting AGMM awaits in Dakar, as it seems :)
Cheers, Jan Žorž
---
Sent from mobile phone, please excuse brevity and top-posting...
On Apr 11, 2018, at 15:06, Andrew Alston 
<andrew.als...@liquidtelecom.com<mailto:andrew.als...@liquidtelecom.com>> wrote:

Hi Sander,

Mark tabled the following motion (and has agreed to let me send this to the 
community list on the phone just now) – this motion has also been accepted in 
emails to the members list from the board


 From Mark’s email to the member list 

I have been watching the mailing lists where Sunday, whom I consider a friend, 
has admitted to violating the NDA. He has stood down as chair but not tendered 
his resignation. There was a Board Meeting last night according to the mailing 
lists. The Board appear not to have ask Sunday to stand down (there was no 
announcement along these lines, therefore I request the following be tabled at 
upcoming AGMM in Dakar. As this is not a vote to remove the directors, but 
rather to express the communities lack of confidence in them, and to request 
their resignations, I request that this be tabled as a standard resolution.

Introduction:

In 2014, the board of directors (I was a director at that time) passed a 
resolution laying out the sanctions for NDA violations – that violations of the 
NDA could be result in expulsion from the board of directors.  In 2014, during 
a meeting in Tunis, that resolution was used to request, and subsequently gain, 
the resignation of two members of the board of directors.

During allegations made recently on an unrelated matter, it came to light that 
the former chair of the board, Mr Sunday Folayan, wilfully and blatantly shared 
information related directly to the company, with a junior member of staff, and 
an admission in this regard was made to the community in an email sent by Mr 
Folayan on the 16th of March 2018.

It is my belief that the sharing of the information was a direct contravention 
of the NDA – as well as a direct contravention of various sections of the 
companies act relating to the duties and responsibilities of a director.

Since this time – there have been numerous calls for Mr Folayan to resign from 
the board – something that as of now he has not 

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Owen DeLong
That isn’t the question.

The question is… Since the wording of the motion specifically states “by ballot 
at the SGMM”, I am asking whether said ballot would include electronic voting 
leading up to the SGMM or not.

It could be argued that the specific text of the motion precludes electronic 
voting participation and only allows those present at the SGMM to cast votes 
(whether their own or as proxies for those not present or combination), 
depending on the specific legal definition of “ballot at the SGMM” under the 
regulations governing same.

It seems to me that clarification on this question is quite vital as I believe 
that the outcome of such an election could be severely tainted if electronic 
voting is not permitted.

While I do not have the ability to vote in either case, it seems to me that 
voters should be well informed of how the choice of electorate is affected by 
the wording in the motion prior to voting on the motion.

Owen

> On Apr 11, 2018, at 07:21 , Andrew Alston <andrew.als...@liquidtelecom.com> 
> wrote:
> 
> Owen,
>  
> I would presume that people could still vote for said directors – both before 
> or after the vote is passed if it does indeed pass.
>  
> I would however hope that if the vote passed – the directors who were part of 
> the current board would do the honorable thing and honor the motion and step 
> aside.
>  
> Andrew
>  
>  
> From: Owen DeLong [mailto:o...@delong.com] 
> Sent: 11 April 2018 17:15
> To: Jan Zorz Go6 <j...@go6.si>
> Cc: Andrew Alston <andrew.als...@liquidtelecom.com>; 
> community-discuss@afrinic.net; members-disc...@afrinic.net
> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
>  
> Can we get a clarification from staff whether the wording in this motion 
> would permit or preclude electronic voting for the directors to be elected at 
> the proposed SGMM?
>  
> Thanks,
>  
> Owen
>  
> 
> 
> On Apr 11, 2018, at 06:10 , Jan Zorz Go6 <j...@go6.si <mailto:j...@go6.si>> 
> wrote:
>  
> Oh boy... Interesting AGMM awaits in Dakar, as it seems :)
> 
> Cheers, Jan Žorž
> ---
> Sent from mobile phone, please excuse brevity and top-posting...
> On Apr 11, 2018, at 15:06, Andrew Alston <andrew.als...@liquidtelecom.com 
> <mailto:andrew.als...@liquidtelecom.com>> wrote:
> Hi Sander,
> 
> Mark tabled the following motion (and has agreed to let me send this to the 
> community list on the phone just now) – this motion has also been accepted in 
> emails to the members list from the board 
> 
> 
>  From Mark’s email to the member list 
> 
> I have been watching the mailing lists where Sunday, whom I consider a 
> friend, has admitted to violating the NDA. He has stood down as chair but not 
> tendered his resignation. There was a Board Meeting last night according to 
> the mailing lists. The Board appear not to have ask Sunday to stand down 
> (there was no announcement along these lines, therefore I request the 
> following be tabled at upcoming AGMM in Dakar. As this is not a vote to 
> remove the directors, but rather to express the communities lack of 
> confidence in them, and to request their resignations, I request that this be 
> tabled as a standard resolution.
> 
> Introduction:
> 
> In 2014, the board of directors (I was a director at that time) passed a 
> resolution laying out the sanctions for NDA violations – that violations of 
> the NDA could be result in expulsion from the board of directors.  In 2014, 
> during a meeting in Tunis, that resolution was used to request, and 
> subsequently gain, the resignation of two members of the board of directors.
> 
> During allegations made recently on an unrelated matter, it came to light 
> that the former chair of the board, Mr Sunday Folayan, wilfully and blatantly 
> shared information related directly to the company, with a junior member of 
> staff, and an admission in this regard was made to the community in an email 
> sent by Mr Folayan on the 16th of March 2018.
> 
> It is my belief that the sharing of the information was a direct 
> contravention of the NDA – as well as a direct contravention of various 
> sections of the companies act relating to the duties and responsibilities of 
> a director.
> 
> Since this time – there have been numerous calls for Mr Folayan to resign 
> from the board – something that as of now he has not done.  There have also 
> been numerous calls for the board to act against Mr. Folayan in this regard.  
> The board has failed to do this – and is acting outside of historic precedent 
> regarding similar violations.
> 
> As such, it is my belief that the entire board is in violation of its duties 
> and of the trust of the community – the de

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Kris Seeburn
Not quite bad it’s business and economic based. Most of the BPO companies are 
and have EU citizen /resident data and for the outsourcing to continue to 
operate within bounds and still survive. I do not think Mauritian government 
had any option than to go forward with this. Now the agreement with EU 
alignment dates way back in 2006 if i recall. It was also because of EU 
business operations which wanted to ensure that Mauritius was a signatory and 
aligned with safe harbour principles and data protection and privacy rules.

A small island which needs various economic sectors to be economically viable 
does not have any options. Mauritius benefits heavily from the EU. Pot luck….

> On Apr 11, 2018, at 20:01, Owen DeLong  wrote:
> 
> Well, then, that makes it just as bad for MU as it is for US.
> 
> Owen
> 
> 
>> On Apr 10, 2018, at 23:18 , Kris Seeburn > > wrote:
>> 
>> Mauritius is signatory that’s where the safe harbour was put In place years 
>> back. All BPOs in mauritius are holding EU citizen / resident data. the Data 
>> Protection office will be fast tracking to look like ICO which is renamed 
>> GDPR anyways.
>> 
>> Kris
>> 
>> On 11 Apr 2018, at 10:08, Owen DeLong > > wrote:
>> 
>>> 
>>> 
 On Apr 10, 2018, at 22:42 , Andrew Alston > wrote:
 
 Hi AfriNIC Board,
  
 Can this board please *urgently* inform this community as to what 
 preparations they have made as regards to compliance with the General Data 
 Protection Regulations passed by the European Commision and the board will 
 be in a position to give this community a full and complete report as to 
 their GDPR compliance status and what will be changing before the 25th of 
 May to ensure that when the GDPR comes into force AfriNIC is compliant.
>>> 
>>> Is Mauritius signatory to some treaty making them subject to GDPR?
>>>  
 Considering that the regulation comes into force on the 25th of May 2018 – 
 and AfriNIC is 100% holding data of EU Citizens, which makes them subject 
 to the regulations irrespective of the fact that they are domiciled in 
 Mauritius – this is an urgent and critical issue.  It has direct impact on 
 the whois database, abuse contact information, handling of data submitted 
 during application process and potentially even the proposed review 
 policy, just to name a few things that I can think of off the top of my 
 head – and cannot be ignored.  I would in fact have liked to have seen 
 discussions by the board in the minutes that have been published about the 
 GDPR long before now – considering the impact – but failing that – the 
 question is now being asked.
>>> 
>>> It’s not about EU Citizens. It’s about EU Residents. (Common misconception 
>>> about GDPR).
>>> 
>>> Further, unless your in a silly country that was dumb enough to sign a 
>>> treaty extending EU’s legal reach into your sovereignty, such as the stupid 
>>> congress of the united States, then you can offer the EU a nice big Italian 
>>> sign language gesture regarding their GDPR and continue on with business as 
>>> usual.
>>> 
>>> Owen
>>> 
>>> ___
>>> Community-Discuss mailing list
>>> Community-Discuss@afrinic.net 
>>> https://lists.afrinic.net/mailman/listinfo/community-discuss 
>>> 
> 





Kris Seeburn
seebur...@gmail.com
www.linkedin.com/in/kseeburn/ 

"Life is a Beach, it all depends at how you look at it"



___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Owen DeLong


> On Apr 11, 2018, at 07:19 , Andrew Alston <andrew.als...@liquidtelecom.com> 
> wrote:
> 
> Owen,
>  
> Would the fact that AfriNIC serves  La Réunion and Mayotte not create such a 
> nexus since both are formally part of the EU?

The answer is it depends. IANAL, but AIUI…

La Réunion and Mayotte may think it does, but that doesn’t necessarily matter 
to AfriNIC.

Since AfriNIC isn’t actually present in either location, it’s up to the 
government of Mauritius whether it would do any of the following:
1.  Allow suit based on GDPR violation to be brought in an MU court.
2.  Extradite AfriNIC for suit in a court of competent jurisdiction 
in one of those countries.

However, given the new information from Kirs that MU signed a safe harbor 
treaty with EU subjecting MU to EU ICO->GDPR, then yes, everyone and all 
organizations in MU are subject to GDPR by virtue of the treaty requiring MU to 
do one of the two things above in such a case.

> In the same way – there are various EU members served by ARIN?

And in the same way, the only reason ARIN as a company in the US which does not 
have nexus in those EU member countries would not be subject except for the 
fact that the US signed a very bad treaty with the EU granting them 
extraterritorial jurisdiction to pursue cases in US courts in regards to GDPR 
violations.

It is going to make live _VERY_ interesting for a lot of US organizations going 
forward and keep our courts quite busy for a number of years.

Owen

>  
> Andrew
>  
>  
> From: Owen DeLong [mailto:o...@delong.com] 
> Sent: 11 April 2018 17:12
> To: Andrew Alston <andrew.als...@liquidtelecom.com>
> Cc: Mike Silber <silber.m...@gmail.com>; Abibu R. Ntahigiye 
> <ab...@tznic.or.tz>; General Discussions of AFRINIC 
> <community-discuss@afrinic.net>; AfriNIC Discuss <members-disc...@afrinic.net>
> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
>  
> Roughly translated:
>The ability of EU to inflict GDPR on those operators outside 
> of EU is predicated on that operator
>having some business operation or presence within the EU which 
> allows them to subject you to their
>jurisdiction. Determining that you have said presence requires 
> a specific determination by the
>EU member state where said presence exists.
>  
> I’m pretty sure AfriNIC has no such nexus.
>  
> However, what is left out of Mike’s statement is the potential that any other 
> country may have signed some
> sort of treaty with the EU (or a member state) which subjects them to GDPR 
> and/or grants additional
> extraterritorial rights to the EU. Such is (unfortunately) the case with the 
> US, for example.
>  
> Another key point is that EU citizens not living in Europe are not covered by 
> GDPR. Non-EU citizens living
> within the EU are covered by GDPR. (At least that is my understanding… AIUI, 
> GDPR applies to EU residents,
> not EU citizens.)
>  
> Owen
>  
> 
> 
> On Apr 11, 2018, at 06:44 , Andrew Alston <andrew.als...@liquidtelecom.com 
> <mailto:andrew.als...@liquidtelecom.com>> wrote:
>  
> Thanks Mike,
>  
> That’s actually pretty useful in some sense – but can I ask for an English 
> interpretation of the last sentence for those of us that sadly don’t speak 
> Lawyer ☺
>  
> Thanks
>  
> Andrew
>  
>  
> From: Mike Silber <silber.m...@gmail.com <mailto:silber.m...@gmail.com>>
> Date: Wednesday, 11 April 2018 at 16:34
> To: "Abibu R. Ntahigiye" <ab...@tznic.or.tz <mailto:ab...@tznic.or.tz>>
> Cc: Andrew Alston <andrew.als...@liquidtelecom.com 
> <mailto:andrew.als...@liquidtelecom.com>>, General Discussions of AFRINIC 
> <community-discuss@afrinic.net <mailto:community-discuss@afrinic.net>>, 
> AfriNIC Discuss <members-disc...@afrinic.net 
> <mailto:members-disc...@afrinic.net>>
> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
>  
> If I can add to this, there is as yet no clear direction from the European 
> DPAs as a collective on how GDPR affects whois access in general.
>  
> The RIPE NCC approach is premised on their interactions with the Dutch DPA, 
> rather than a Europe wide approach.
>  
> In addition, I am not sure I concur with Mr Alston’s insistence that “holding 
> data of EU citizens” automatically places AfriNIC into the category of data 
> controller in terms of GDPR or imposes any requirements on AfriNIC, 
> particularly as the GDPR applies to processing of personal data in the 
> context of the activities of an establishment of a controller or a processor 
> in the Union.
>  
> The extraterritorial application is premised 

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Owen DeLong
Well, then, that makes it just as bad for MU as it is for US.

Owen


> On Apr 10, 2018, at 23:18 , Kris Seeburn  wrote:
> 
> Mauritius is signatory that’s where the safe harbour was put In place years 
> back. All BPOs in mauritius are holding EU citizen / resident data. the Data 
> Protection office will be fast tracking to look like ICO which is renamed 
> GDPR anyways.
> 
> Kris
> 
> On 11 Apr 2018, at 10:08, Owen DeLong  > wrote:
> 
>> 
>> 
>>> On Apr 10, 2018, at 22:42 , Andrew Alston >> > wrote:
>>> 
>>> Hi AfriNIC Board,
>>>  
>>> Can this board please *urgently* inform this community as to what 
>>> preparations they have made as regards to compliance with the General Data 
>>> Protection Regulations passed by the European Commision and the board will 
>>> be in a position to give this community a full and complete report as to 
>>> their GDPR compliance status and what will be changing before the 25th of 
>>> May to ensure that when the GDPR comes into force AfriNIC is compliant.
>> 
>> Is Mauritius signatory to some treaty making them subject to GDPR?
>>  
>>> Considering that the regulation comes into force on the 25th of May 2018 – 
>>> and AfriNIC is 100% holding data of EU Citizens, which makes them subject 
>>> to the regulations irrespective of the fact that they are domiciled in 
>>> Mauritius – this is an urgent and critical issue.  It has direct impact on 
>>> the whois database, abuse contact information, handling of data submitted 
>>> during application process and potentially even the proposed review policy, 
>>> just to name a few things that I can think of off the top of my head – and 
>>> cannot be ignored.  I would in fact have liked to have seen discussions by 
>>> the board in the minutes that have been published about the GDPR long 
>>> before now – considering the impact – but failing that – the question is 
>>> now being asked.
>> 
>> It’s not about EU Citizens. It’s about EU Residents. (Common misconception 
>> about GDPR).
>> 
>> Further, unless your in a silly country that was dumb enough to sign a 
>> treaty extending EU’s legal reach into your sovereignty, such as the stupid 
>> congress of the united States, then you can offer the EU a nice big Italian 
>> sign language gesture regarding their GDPR and continue on with business as 
>> usual.
>> 
>> Owen
>> 
>> ___
>> Community-Discuss mailing list
>> Community-Discuss@afrinic.net 
>> https://lists.afrinic.net/mailman/listinfo/community-discuss 
>> 

___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread McTim
Here is the ARIN blog post about it:

https://teamarin.net/2018/03/20/personal-data-privacy-considerations-at-arin/

Rgds,

McTim

On Wed, Apr 11, 2018 at 11:00 AM, Dabu Sifiso <dabu.sif...@yandex.com>
wrote:

>
> Interesting discussion.
>
> It seems many are not aware of the reality of the European Union's extent
> and how RIR divided the world:
>
> https://www.arin.net/vault/about_us/bot/bot2017_1005.html
> "Merike Kaeo indicated that due to General Data Protection Regulations
> (GDPR), organizations are going 'dark' with their information because the
> fines are so high. The President provided more background on GDPR, and
> indicated ARIN was in good shape with regard to GDPR due to its service
> region."
>
> https://www.nro.net/about-the-nro/list-of-country-codes-and-
> rirs-ordered-by-country-code/
> Martinique is part of France and EU but is serviced by ARIN, not by RIPE
> and there are some more serviced at ARIN.
>
> If what Mike and Owen are saying is correct, the RIR being outside of EU
> is not obliged to be in line with those new rules, but the members from
> France (La Reunion, Mayotte) are responsible under French/EU laws?
>
> The few things I found in regards to GDPR was about exporting private data
> to outside of the European Union, does that mean those members will not be
> able to make use of the AFRINIC database unless they get confirmation that
> AFRINIC is compliant with that GDPR?
>
> Will AFRINIC move those members and their information to the RIPE where
> they will be within the legislation of their own laws?
>
>
>
> 11.04.2018, 09:30, "Kris Seeburn" <seebur...@gmail.com>:
>
> Mike
>
> Réunion and Mayotte are the outermost region
> <https://en.wikipedia.org/wiki/Special_member_state_territories_and_the_European_Union>
>  of
> the European Union <https://en.wikipedia.org/wiki/European_Union> and, as
> an overseas department of France, part of the Eurozone
> <https://en.wikipedia.org/wiki/Eurozone>
>
>
>
>
> On Apr 11, 2018, at 18:23, Mike Silber <silber.m...@gmail.com> wrote:
>
> They are not Member States.
>
> And Owen is not really that accurate in his interpretation. He mixes up
> enforcement (real nexus through operations) with some theoretical
> applicability which is poorly defined and has no practical expression in
> the GDPR and will need national DPAs to provide teeth.
>
>
> On 11 Apr 2018, at 16:19, Andrew Alston <andrew.als...@liquidtelecom.com>
> wrote:
>
> Owen,
>
> Would the fact that AfriNIC serves  La Réunion and Mayotte not create
> such a nexus since both are formally part of the EU?
>
> In the same way – there are various EU members served by ARIN?
>
>
> Andrew
>
>
> *From:* Owen DeLong [mailto:o...@delong.com <o...@delong.com>]
> *Sent:* 11 April 2018 17:12
> *To:* Andrew Alston <andrew.als...@liquidtelecom.com>
> *Cc:* Mike Silber <silber.m...@gmail.com>; Abibu R. Ntahigiye <
> ab...@tznic.or.tz>; General Discussions of AFRINIC <
> community-discuss@afrinic.net>; AfriNIC Discuss <
> members-disc...@afrinic.net>
> *Subject:* Re: [Community-Discuss] AFRINIC and the GDPR
>
> Roughly translated:
>The ability of EU to inflict GDPR on those operators
> outside of EU is predicated on that operator
>having some business operation or presence within the EU
> which allows them to subject you to their
>jurisdiction. Determining that you have said presence
> requires a specific determination by the
>EU member state where said presence exists.
>
> I’m pretty sure AfriNIC has no such nexus.
>
> However, what is left out of Mike’s statement is the potential that any
> other country may have signed some
> sort of treaty with the EU (or a member state) which subjects them to GDPR
> and/or grants additional
> extraterritorial rights to the EU. Such is (unfortunately) the case with
> the US, for example.
>
> Another key point is that EU citizens not living in Europe are not covered
> by GDPR. Non-EU citizens living
> within the EU are covered by GDPR. (At least that is my understanding…
> AIUI, GDPR applies to EU residents,
> not EU citizens.)
>
> Owen
>
>
>
>
> On Apr 11, 2018, at 06:44 , Andrew Alston <andrew.als...@liquidtelecom.com>
> wrote:
>
> Thanks Mike,
>
> That’s actually pretty useful in some sense – but can I ask for an English
> interpretation of the last sentence for those of us that sadly don’t speak
> Lawyer ☺
>
> Thanks
>
> Andrew
>
>
> *From: *Mike Silber <silber.m...@gmail.com>
> *Date: *Wednesday, 11 April 2018 at 16:34
>

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Kris Seeburn
+1 john...

> On Apr 11, 2018, at 19:07, John Walu  wrote:
> 
> Further, unless your in a silly country that was dumb enough to sign a treaty 
> extending EU’s legal reach into your sovereignty, such as the stupid congress 
> of the united States, then you can offer the EU a nice big Italian sign 
> language gesture regarding their GDPR and continue on with business as usual.
> 
> @Owen, the above is not entirely true.
> 
> EU regulation/GDPR does affect African countries in general.  Or at least 
> those wishing to remain trade partners  with European Countries.
> 
> Most of Africa has little or no Data Protection/Privacy laws (with a few 
> exception being Ghana, Mauritius, SA, etc). Kenya for example doesn't have 
> one.  
> 
> Should Kenya show the EU the middle finger?
> 
> Yes they could. But essentially, that middle finger will translate into 
> losing money. 
> 
> A European Union Company would for example NOTdare engage (Data-wise/Business 
> wise) with a Kenyan partner/subsidiary that for example sells flowers to 
> European destinations/customers since Kenyan privacy /data protection 
> environment would be suspect. 
> 
> Whereas the EU cannot directly hold the Kenyan company liable for breaches, 
> it will penalize the European company thoroughly. The net effect is that most 
> European companies would review their risk profiles with African partners and 
> basically cut linkages or open new ones -  only with 'compliant' countries in 
> Africa.
> 
> Unlike US, Africa does need EU Euros ;-). And so we will have to improve our 
> Data protection regimes. Though it would have been good if we did it out of 
> our own volition.
> 
> Now more specifically for the Afrinic registry,
> 
> The board  just need to do an impact analysis of the GDPR on the Afrinic 
> Company and share with members.
> 
> Just off my head, the data within the registry (IP, Whois, etc) would need to 
> be protected. Essentially, if we have some data sitting in our Mauritius/SA 
> registries and it relates to European citizens/subject then we need to review 
> it in light of the GDPR requirements.  Essentially EU citizens/residents have 
> a whole list of rights to the data (consent, delete, etc) and whoever is 
> hosting it also has some obligations.
> 
> That's my 1bitcoin on the matter ;-)
> 
> walu. 
> 
> 
> 
> 
> 
> On Wed, Apr 11, 2018 at 9:08 AM, Owen DeLong  > wrote:
> 
> 
>> On Apr 10, 2018, at 22:42 , Andrew Alston > > wrote:
>> 
>> Hi AfriNIC Board,
>>  
>> Can this board please *urgently* inform this community as to what 
>> preparations they have made as regards to compliance with the General Data 
>> Protection Regulations passed by the European Commision and the board will 
>> be in a position to give this community a full and complete report as to 
>> their GDPR compliance status and what will be changing before the 25th of 
>> May to ensure that when the GDPR comes into force AfriNIC is compliant.
> 
> Is Mauritius signatory to some treaty making them subject to GDPR?
>  
>> Considering that the regulation comes into force on the 25th of May 2018 – 
>> and AfriNIC is 100% holding data of EU Citizens, which makes them subject to 
>> the regulations irrespective of the fact that they are domiciled in 
>> Mauritius – this is an urgent and critical issue.  It has direct impact on 
>> the whois database, abuse contact information, handling of data submitted 
>> during application process and potentially even the proposed review policy, 
>> just to name a few things that I can think of off the top of my head – and 
>> cannot be ignored.  I would in fact have liked to have seen discussions by 
>> the board in the minutes that have been published about the GDPR long before 
>> now – considering the impact – but failing that – the question is now being 
>> asked.
> 
> It’s not about EU Citizens. It’s about EU Residents. (Common misconception 
> about GDPR).
> 
> Further, unless your in a silly country that was dumb enough to sign a treaty 
> extending EU’s legal reach into your sovereignty, such as the stupid congress 
> of the united States, then you can offer the EU a nice big Italian sign 
> language gesture regarding their GDPR and continue on with business as usual.
> 
> Owen
> 
> 
> ___
> Community-Discuss mailing list
> Community-Discuss@afrinic.net 
> https://lists.afrinic.net/mailman/listinfo/community-discuss 
> 
> 
> 
> ___
> Community-Discuss mailing list
> Community-Discuss@afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss





Kris Seeburn
seebur...@gmail.com
www.linkedin.com/in/kseeburn/ 

"Life is a Beach, it all depends 

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread John Walu
Further, unless your in a silly country that was dumb enough to sign a
treaty extending EU’s legal reach into your sovereignty, such as the stupid
congress of the united States, then you can offer the EU a nice big Italian
sign language gesture regarding their GDPR and continue on with business as
usual.

@Owen, the above is not entirely true.

EU regulation/GDPR does affect African countries in general.  Or at least
those wishing to remain trade partners  with European Countries.

Most of Africa has little or no Data Protection/Privacy laws (with a few
exception being Ghana, Mauritius, SA, etc). Kenya for example doesn't have
one.

Should Kenya show the EU the middle finger?

Yes they could. But essentially, that middle finger will translate into
losing money.

A European Union Company would for example NOTdare engage
(Data-wise/Business wise) with a Kenyan partner/subsidiary that for example
sells flowers to European destinations/customers since Kenyan privacy /data
protection environment would be suspect.

Whereas the EU cannot directly hold the Kenyan company liable for breaches,
it will penalize the European company thoroughly. The net effect is that
most European companies would review their risk profiles with African
partners and basically cut linkages or open new ones -  only with
'compliant' countries in Africa.

Unlike US, Africa does need EU Euros ;-). And so we will have to improve
our Data protection regimes. Though it would have been good if we did it
out of our own volition.

Now more specifically for the Afrinic registry,

The board  just need to do an impact analysis of the GDPR on the Afrinic
Company and share with members.

Just off my head, the data within the registry (IP, Whois, etc) would need
to be protected. Essentially, if we have some data sitting in our
Mauritius/SA registries and it relates to European citizens/subject then we
need to review it in light of the GDPR requirements.  Essentially EU
citizens/residents have a whole list of rights to the data (consent,
delete, etc) and whoever is hosting it also has some obligations.

That's my 1bitcoin on the matter ;-)

walu.





On Wed, Apr 11, 2018 at 9:08 AM, Owen DeLong  wrote:

>
>
> On Apr 10, 2018, at 22:42 , Andrew Alston 
> wrote:
>
> Hi AfriNIC Board,
>
> Can this board please **urgently** inform this community as to what
> preparations they have made as regards to compliance with the General Data
> Protection Regulations passed by the European Commision and the board will
> be in a position to give this community a full and complete report as to
> their GDPR compliance status and what will be changing before the 25th of
> May to ensure that when the GDPR comes into force AfriNIC is compliant.
>
>
> Is Mauritius signatory to some treaty making them subject to GDPR?
>
>
> Considering that the regulation comes into force on the 25th of May 2018
> – and AfriNIC is 100% holding data of EU Citizens, which makes them subject
> to the regulations irrespective of the fact that they are domiciled in
> Mauritius – this is an urgent and critical issue.  It has direct impact on
> the whois database, abuse contact information, handling of data submitted
> during application process and potentially even the proposed review policy,
> just to name a few things that I can think of off the top of my head – and
> cannot be ignored.  I would in fact have liked to have seen discussions by
> the board in the minutes that have been published about the GDPR long
> before now – considering the impact – but failing that – the question is
> now being asked.
>
>
> It’s not about EU Citizens. It’s about EU Residents. (Common misconception
> about GDPR).
>
> Further, unless your in a silly country that was dumb enough to sign a
> treaty extending EU’s legal reach into your sovereignty, such as the stupid
> congress of the united States, then you can offer the EU a nice big Italian
> sign language gesture regarding their GDPR and continue on with business as
> usual.
>
> Owen
>
>
> ___
> Community-Discuss mailing list
> Community-Discuss@afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss
>
>
___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Kris Seeburn
Thanks Alan … i was going to point to that as i remember their was a need to 
align with DPA and Afrinic was registered as a data controller. But am sure 
we’ll get over the hurdle.

> On Apr 11, 2018, at 18:00, Alan Barrett  wrote:
> 
> 
> 
>> On 11 Apr 2018, at 17:54, Mike Silber  wrote:
>> 
>> No issue with doing a proper information audit (what there is, where it is 
>> stored, how it can be accessed and by whom). That is just good information 
>> security practice.
>> 
>> However I am still not certain that holding any of that information actually 
>> makes AfriNIC a controller in terms of the GDPR.
> 
> I am pretty sure that AFRINIC is a data controller in terms of the Mauritius 
> Data Protection Act, which is aligned with GDPR.
> 
> Yes, we are auditing the information we hold and the way we process it, and I 
> expect to be able to report on progress at the AIS meeting in early May.
> 
> Alan
> ___
> Community-Discuss mailing list
> Community-Discuss@afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss





Kris Seeburn
seebur...@gmail.com
www.linkedin.com/in/kseeburn/ 

"Life is a Beach, it all depends at how you look at it"



___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Owen DeLong
Yes… And even WRT whois, if you’re stuck going down the GDPR road, then it’s 
also about the data collected, the “voluntary” nature of the submission of the 
data, etc. It’s much more far-reaching than what is published.

Owen


> On Apr 11, 2018, at 06:47 , Andrew Alston <andrew.als...@liquidtelecom.com> 
> wrote:
> 
> Mike,
>  
> Also just to clarify – I believe this goes beyond whois data – there is far 
> more data that AfriNIC holds than just the whois data that could be affected 
> by this.  I concede the whois portion I may well be wrong on that – the rest 
> of it – as I said – I simply want to see from AfriNIC a report on that they 
> are doing and where they aren’t in compliance to present that to this 
> community – mindful of the time frames involved – the situation the current 
> board finds facing – and the dictates of section 3.4.iiv of the bylaws
>  
> Andrew
>  
>  
> From: Mike Silber <silber.m...@gmail.com>
> Date: Wednesday, 11 April 2018 at 16:34
> To: "Abibu R. Ntahigiye" <ab...@tznic.or.tz>
> Cc: Andrew Alston <andrew.als...@liquidtelecom.com>, General Discussions of 
> AFRINIC <community-discuss@afrinic.net>, AfriNIC Discuss 
> <members-disc...@afrinic.net>
> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
>  
> If I can add to this, there is as yet no clear direction from the European 
> DPAs as a collective on how GDPR affects whois access in general.
>  
> The RIPE NCC approach is premised on their interactions with the Dutch DPA, 
> rather than a Europe wide approach.
>  
> In addition, I am not sure I concur with Mr Alston’s insistence that “holding 
> data of EU citizens” automatically places AfriNIC into the category of data 
> controller in terms of GDPR or imposes any requirements on AfriNIC, 
> particularly as the GDPR applies to processing of personal data in the 
> context of the activities of an establishment of a controller or a processor 
> in the Union.
>  
> The extraterritorial application is premised on a nexus requirement set out 
> in general terms in Recital 23, but requiring specific determination in terms 
> of national law by Member States.
>  
> Mike
>  
> 
> 
>> On 11 Apr 2018, at 13:36, Abibu R. Ntahigiye <ab...@tznic.or.tz 
>> <mailto:ab...@tznic.or.tz>> wrote:
>>  
>> Dear Andrew, Members and the whole Afrinic community,
>> Andrew has raised a very important issue for Afrinic operations - Thanks so 
>> much Andrew.
>> The Board would like to inform you that the issue was discussed within the 
>> Board at the Afrinic 27 meeting in Lagos and the Management was tasked to 
>> work on the issue.
>> The Board has also been made aware that the Mauritius Data Protection Act 
>> 2017 is already in effect and is aligned with the EU GDPR regulations.  The 
>> Board believes that these regulations are not a barrier to publication of 
>> the WHOIS data, and it has noted the RIPE NCC study that made such a 
>> finding.  The Board further believes that the biggest changes required by 
>> AFRINIC are in documenting how personal data is used, and in informing 
>> people at the time data is collected. 
>> The AFRINIC management will provide further updates on the issues at AIS 
>> 2018 in Senegal.
>> Further to the above, the Board expects to receive more insights on GDPR  
>> related issues at the joint Boards (AfriNIC and RIPE NCC) meeting planned in 
>> Senegal.
>> 
>> Kind regards
>> 
>> 
>> On 11/04/2018 08:42, Andrew Alston wrote:
>>> Hi AfriNIC Board,
>>>  
>>> Can this board please *urgently* inform this community as to what 
>>> preparations they have made as regards to compliance with the General Data 
>>> Protection Regulations passed by the European Commision and the board will 
>>> be in a position to give this community a full and complete report as to 
>>> their GDPR compliance status and what will be changing before the 25th of 
>>> May to ensure that when the GDPR comes into force AfriNIC is compliant.
>>>  
>>> Considering that the regulation comes into force on the 25th of May 2018 – 
>>> and AfriNIC is 100% holding data of EU Citizens, which makes them subject 
>>> to the regulations irrespective of the fact that they are domiciled in 
>>> Mauritius – this is an urgent and critical issue.  It has direct impact on 
>>> the whois database, abuse contact information, handling of data submitted 
>>> during application process and potentially even the proposed review policy, 
>>> just to name a few things that I can think of off the top of my head – and 
>&g

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Mike Silber
Which should in principle bring Mauritius adequacy in terms of GDPR.

However, as the adequacy rules have yet to be finalised, it is difficult to
say.

On Wed, 11 Apr 2018 at 16:39, Alan Barrett  wrote:

>
>
> > On 11 Apr 2018, at 18:19, Mike Silber  wrote:
> >
> > The Mauritius DPA is actually aligned with the old EU Data Privacy
> Directive and not the GDPR.
>
> There’s a 2017 revision to the Mauritius Data Protection Act.
>
> Alan Barrett
>
>
> ___
> Community-Discuss mailing list
> Community-Discuss@afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss
>
___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Kris Seeburn
exactly….i would suggest all to not talk over something and the ceo already has 
on his plate.So i’d suggest we let him deal. It was a good question we 
discussed and if we continue we will end up like the RDS of ICANN over GDPR. 
Here, it is a clear cut advise from DPA. Let the CEO and his team do and take 
whatever actions is required.

But i would just remind the board that under GDPR compliance the Board becomes 
fully accountable.


> On Apr 11, 2018, at 18:39, Alan Barrett  wrote:
> 
> 
> 
>> On 11 Apr 2018, at 18:19, Mike Silber  wrote:
>> 
>> The Mauritius DPA is actually aligned with the old EU Data Privacy Directive 
>> and not the GDPR.
> 
> There’s a 2017 revision to the Mauritius Data Protection Act.
> 
> Alan Barrett
> 
> 
> ___
> Community-Discuss mailing list
> Community-Discuss@afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss





Kris Seeburn
seebur...@gmail.com
www.linkedin.com/in/kseeburn/ 

"Life is a Beach, it all depends at how you look at it"



___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Alan Barrett


> On 11 Apr 2018, at 18:19, Mike Silber  wrote:
> 
> The Mauritius DPA is actually aligned with the old EU Data Privacy Directive 
> and not the GDPR.

There’s a 2017 revision to the Mauritius Data Protection Act.

Alan Barrett


___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Mike Silber
Respectfully Kris - they are a French overseas territory and this subject to 
French law.

They are not members of the EU in their own right.

As such - we need to hear from the French DPA on their interpretation and not 
chasing a chimera.

I would not worry unless and until the French DPA proclaims that it has 
jurisdiction over AfriNIC. Even then, I think that is challengeable.

> On 11 Apr 2018, at 16:28, Kris Seeburn <seebur...@gmail.com> wrote:
> 
> Mike
> 
> Réunion and Mayotte are the outermost region 
> <https://en.wikipedia.org/wiki/Special_member_state_territories_and_the_European_Union>
>  of the European Union <https://en.wikipedia.org/wiki/European_Union> and, as 
> an overseas department of France, part of the Eurozone 
> <https://en.wikipedia.org/wiki/Eurozone>
> 
> 
> 
>> On Apr 11, 2018, at 18:23, Mike Silber <silber.m...@gmail.com 
>> <mailto:silber.m...@gmail.com>> wrote:
>> 
>> They are not Member States.
>> 
>> And Owen is not really that accurate in his interpretation. He mixes up 
>> enforcement (real nexus through operations) with some theoretical 
>> applicability which is poorly defined and has no practical expression in the 
>> GDPR and will need national DPAs to provide teeth.
>> 
>>> On 11 Apr 2018, at 16:19, Andrew Alston <andrew.als...@liquidtelecom.com 
>>> <mailto:andrew.als...@liquidtelecom.com>> wrote:
>>> 
>>> Owen,
>>>  
>>> Would the fact that AfriNIC serves  La Réunion and Mayotte not create such 
>>> a nexus since both are formally part of the EU?
>>>  
>>> In the same way – there are various EU members served by ARIN?
>>>  
>>> Andrew
>>>  
>>>  
>>> From: Owen DeLong [mailto:o...@delong.com <mailto:o...@delong.com>] 
>>> Sent: 11 April 2018 17:12
>>> To: Andrew Alston <andrew.als...@liquidtelecom.com 
>>> <mailto:andrew.als...@liquidtelecom.com>>
>>> Cc: Mike Silber <silber.m...@gmail.com <mailto:silber.m...@gmail.com>>; 
>>> Abibu R. Ntahigiye <ab...@tznic.or.tz <mailto:ab...@tznic.or.tz>>; General 
>>> Discussions of AFRINIC <community-discuss@afrinic.net 
>>> <mailto:community-discuss@afrinic.net>>; AfriNIC Discuss 
>>> <members-disc...@afrinic.net <mailto:members-disc...@afrinic.net>>
>>> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
>>>  
>>> Roughly translated:
>>>The ability of EU to inflict GDPR on those operators outside 
>>> of EU is predicated on that operator
>>>having some business operation or presence within the EU 
>>> which allows them to subject you to their
>>>jurisdiction. Determining that you have said presence 
>>> requires a specific determination by the
>>>EU member state where said presence exists.
>>>  
>>> I’m pretty sure AfriNIC has no such nexus.
>>>  
>>> However, what is left out of Mike’s statement is the potential that any 
>>> other country may have signed some
>>> sort of treaty with the EU (or a member state) which subjects them to GDPR 
>>> and/or grants additional
>>> extraterritorial rights to the EU. Such is (unfortunately) the case with 
>>> the US, for example.
>>>  
>>> Another key point is that EU citizens not living in Europe are not covered 
>>> by GDPR. Non-EU citizens living
>>> within the EU are covered by GDPR. (At least that is my understanding… 
>>> AIUI, GDPR applies to EU residents,
>>> not EU citizens.)
>>>  
>>> Owen
>>>  
>>> 
>>> 
>>> On Apr 11, 2018, at 06:44 , Andrew Alston <andrew.als...@liquidtelecom.com 
>>> <mailto:andrew.als...@liquidtelecom.com>> wrote:
>>>  
>>> Thanks Mike,
>>>  
>>> That’s actually pretty useful in some sense – but can I ask for an English 
>>> interpretation of the last sentence for those of us that sadly don’t speak 
>>> Lawyer ☺
>>>  
>>> Thanks
>>>  
>>> Andrew
>>>  
>>>  
>>> From: Mike Silber <silber.m...@gmail.com <mailto:silber.m...@gmail.com>>
>>> Date: Wednesday, 11 April 2018 at 16:34
>>> To: "Abibu R. Ntahigiye" <ab...@tznic.or.tz <mailto:ab...@tznic.or.tz>>
>>> Cc: Andrew Alston <andrew.als...@liquidtelecom.com 
>>> <mailto:andrew.als...@liquidtelecom.com>>, General Discussions of AFRINIC 
>>

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Kris Seeburn
Mike

Réunion and Mayotte are the outermost region 
<https://en.wikipedia.org/wiki/Special_member_state_territories_and_the_European_Union>
 of the European Union <https://en.wikipedia.org/wiki/European_Union> and, as 
an overseas department of France, part of the Eurozone 
<https://en.wikipedia.org/wiki/Eurozone>



> On Apr 11, 2018, at 18:23, Mike Silber <silber.m...@gmail.com> wrote:
> 
> They are not Member States.
> 
> And Owen is not really that accurate in his interpretation. He mixes up 
> enforcement (real nexus through operations) with some theoretical 
> applicability which is poorly defined and has no practical expression in the 
> GDPR and will need national DPAs to provide teeth.
> 
>> On 11 Apr 2018, at 16:19, Andrew Alston <andrew.als...@liquidtelecom.com 
>> <mailto:andrew.als...@liquidtelecom.com>> wrote:
>> 
>> Owen,
>>  
>> Would the fact that AfriNIC serves  La Réunion and Mayotte not create such a 
>> nexus since both are formally part of the EU?
>>  
>> In the same way – there are various EU members served by ARIN?
>>  
>> Andrew
>>  
>>  
>> From: Owen DeLong [mailto:o...@delong.com <mailto:o...@delong.com>] 
>> Sent: 11 April 2018 17:12
>> To: Andrew Alston <andrew.als...@liquidtelecom.com 
>> <mailto:andrew.als...@liquidtelecom.com>>
>> Cc: Mike Silber <silber.m...@gmail.com <mailto:silber.m...@gmail.com>>; 
>> Abibu R. Ntahigiye <ab...@tznic.or.tz <mailto:ab...@tznic.or.tz>>; General 
>> Discussions of AFRINIC <community-discuss@afrinic.net 
>> <mailto:community-discuss@afrinic.net>>; AfriNIC Discuss 
>> <members-disc...@afrinic.net <mailto:members-disc...@afrinic.net>>
>> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
>>  
>> Roughly translated:
>>The ability of EU to inflict GDPR on those operators outside 
>> of EU is predicated on that operator
>>having some business operation or presence within the EU 
>> which allows them to subject you to their
>>jurisdiction. Determining that you have said presence 
>> requires a specific determination by the
>>EU member state where said presence exists.
>>  
>> I’m pretty sure AfriNIC has no such nexus.
>>  
>> However, what is left out of Mike’s statement is the potential that any 
>> other country may have signed some
>> sort of treaty with the EU (or a member state) which subjects them to GDPR 
>> and/or grants additional
>> extraterritorial rights to the EU. Such is (unfortunately) the case with the 
>> US, for example.
>>  
>> Another key point is that EU citizens not living in Europe are not covered 
>> by GDPR. Non-EU citizens living
>> within the EU are covered by GDPR. (At least that is my understanding… AIUI, 
>> GDPR applies to EU residents,
>> not EU citizens.)
>>  
>> Owen
>>  
>> 
>> 
>> On Apr 11, 2018, at 06:44 , Andrew Alston <andrew.als...@liquidtelecom.com 
>> <mailto:andrew.als...@liquidtelecom.com>> wrote:
>>  
>> Thanks Mike,
>>  
>> That’s actually pretty useful in some sense – but can I ask for an English 
>> interpretation of the last sentence for those of us that sadly don’t speak 
>> Lawyer ☺
>>  
>> Thanks
>>  
>> Andrew
>>  
>>  
>> From: Mike Silber <silber.m...@gmail.com <mailto:silber.m...@gmail.com>>
>> Date: Wednesday, 11 April 2018 at 16:34
>> To: "Abibu R. Ntahigiye" <ab...@tznic.or.tz <mailto:ab...@tznic.or.tz>>
>> Cc: Andrew Alston <andrew.als...@liquidtelecom.com 
>> <mailto:andrew.als...@liquidtelecom.com>>, General Discussions of AFRINIC 
>> <community-discuss@afrinic.net <mailto:community-discuss@afrinic.net>>, 
>> AfriNIC Discuss <members-disc...@afrinic.net 
>> <mailto:members-disc...@afrinic.net>>
>> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
>>  
>> If I can add to this, there is as yet no clear direction from the European 
>> DPAs as a collective on how GDPR affects whois access in general.
>>  
>> The RIPE NCC approach is premised on their interactions with the Dutch DPA, 
>> rather than a Europe wide approach.
>>  
>> In addition, I am not sure I concur with Mr Alston’s insistence that 
>> “holding data of EU citizens” automatically places AfriNIC into the category 
>> of data controller in terms of GDPR or imposes any requirements on AfriNIC, 
>> particularly as the GDPR applies to processing

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Mike Silber
They are not Member States.

And Owen is not really that accurate in his interpretation. He mixes up 
enforcement (real nexus through operations) with some theoretical applicability 
which is poorly defined and has no practical expression in the GDPR and will 
need national DPAs to provide teeth.

> On 11 Apr 2018, at 16:19, Andrew Alston <andrew.als...@liquidtelecom.com> 
> wrote:
> 
> Owen,
>  
> Would the fact that AfriNIC serves  La Réunion and Mayotte not create such a 
> nexus since both are formally part of the EU?
>  
> In the same way – there are various EU members served by ARIN?
>  
> Andrew
>  
>  
> From: Owen DeLong [mailto:o...@delong.com] 
> Sent: 11 April 2018 17:12
> To: Andrew Alston <andrew.als...@liquidtelecom.com>
> Cc: Mike Silber <silber.m...@gmail.com>; Abibu R. Ntahigiye 
> <ab...@tznic.or.tz>; General Discussions of AFRINIC 
> <community-discuss@afrinic.net>; AfriNIC Discuss <members-disc...@afrinic.net>
> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
>  
> Roughly translated:
>The ability of EU to inflict GDPR on those operators outside 
> of EU is predicated on that operator
>having some business operation or presence within the EU which 
> allows them to subject you to their
>jurisdiction. Determining that you have said presence requires 
> a specific determination by the
>EU member state where said presence exists.
>  
> I’m pretty sure AfriNIC has no such nexus.
>  
> However, what is left out of Mike’s statement is the potential that any other 
> country may have signed some
> sort of treaty with the EU (or a member state) which subjects them to GDPR 
> and/or grants additional
> extraterritorial rights to the EU. Such is (unfortunately) the case with the 
> US, for example.
>  
> Another key point is that EU citizens not living in Europe are not covered by 
> GDPR. Non-EU citizens living
> within the EU are covered by GDPR. (At least that is my understanding… AIUI, 
> GDPR applies to EU residents,
> not EU citizens.)
>  
> Owen
>  
> 
> 
> On Apr 11, 2018, at 06:44 , Andrew Alston <andrew.als...@liquidtelecom.com 
> <mailto:andrew.als...@liquidtelecom.com>> wrote:
>  
> Thanks Mike,
>  
> That’s actually pretty useful in some sense – but can I ask for an English 
> interpretation of the last sentence for those of us that sadly don’t speak 
> Lawyer ☺
>  
> Thanks
>  
> Andrew
>  
>  
> From: Mike Silber <silber.m...@gmail.com <mailto:silber.m...@gmail.com>>
> Date: Wednesday, 11 April 2018 at 16:34
> To: "Abibu R. Ntahigiye" <ab...@tznic.or.tz <mailto:ab...@tznic.or.tz>>
> Cc: Andrew Alston <andrew.als...@liquidtelecom.com 
> <mailto:andrew.als...@liquidtelecom.com>>, General Discussions of AFRINIC 
> <community-discuss@afrinic.net <mailto:community-discuss@afrinic.net>>, 
> AfriNIC Discuss <members-disc...@afrinic.net 
> <mailto:members-disc...@afrinic.net>>
> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
>  
> If I can add to this, there is as yet no clear direction from the European 
> DPAs as a collective on how GDPR affects whois access in general.
>  
> The RIPE NCC approach is premised on their interactions with the Dutch DPA, 
> rather than a Europe wide approach.
>  
> In addition, I am not sure I concur with Mr Alston’s insistence that “holding 
> data of EU citizens” automatically places AfriNIC into the category of data 
> controller in terms of GDPR or imposes any requirements on AfriNIC, 
> particularly as the GDPR applies to processing of personal data in the 
> context of the activities of an establishment of a controller or a processor 
> in the Union.
>  
> The extraterritorial application is premised on a nexus requirement set out 
> in general terms in Recital 23, but requiring specific determination in terms 
> of national law by Member States.
>  
> Mike
>  
> 
> 
> 
> On 11 Apr 2018, at 13:36, Abibu R. Ntahigiye <ab...@tznic.or.tz 
> <mailto:ab...@tznic.or.tz>> wrote:
>  
> Dear Andrew, Members and the whole Afrinic community,
> Andrew has raised a very important issue for Afrinic operations - Thanks so 
> much Andrew.
> The Board would like to inform you that the issue was discussed within the 
> Board at the Afrinic 27 meeting in Lagos and the Management was tasked to 
> work on the issue.
> The Board has also been made aware that the Mauritius Data Protection Act 
> 2017 is already in effect and is aligned with the EU GDPR regulations.  The 
> Board believes that these regulations are not a barrier to publication of th

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Owen DeLong


> On Apr 11, 2018, at 03:51 , Andrew Alston <andrew.als...@liquidtelecom.com> 
> wrote:
> 
> Btw Owen,
>  
> I might also point out – AfriNIC has EU territories that it services directly 
> – which heightens this even further
>  
> Andrew
>  
>  
> From: Andrew Alston [mailto:andrew.als...@liquidtelecom.com 
> <mailto:andrew.als...@liquidtelecom.com>] 
> Sent: 11 April 2018 13:06
> To: Owen DeLong <o...@delong.com <mailto:o...@delong.com>>
> Cc: General <community-discuss@afrinic.net 
> <mailto:community-discuss@afrinic.net>>; AFRINIC Board of Directors' List 
> <bo...@afrinic.net <mailto:bo...@afrinic.net>>
> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
>  
> Owen,
>  
> Firstly – AfriNIC does hold data on EU residents – that is without question – 
> I know of a couple of cases of EU residents with their data held by AfriNIC 
> without even thinking of it.

Yes, but this, alone, does not subject AfriNIC to EU jurisdiction and therefore 
GDPR.

> Secondly – irrespective of if they are signatories or not – if AfriNIC 
> chooses to do any business with RIPE for example, they are doing business 
> with an EU entity and can be prevented from doing so if they don’t comply is 
> my understanding.

Gray area. I’m not sure that AfriNIC does anything which would count as 
“business” with RIPE in any case. Their business
relationship is with PTI. Their relationship with RIPE is as fellow members of 
a trade organization.
 
> Irrespective of this – the AfriNIC board if they believe they do not need to 
> comply in any way shape or form – needs to state that to this community and 
> to its members and give reasons as to why not – at that point – the affected 
> members can then make an informed decision as to their course of action 
> should they choose one. But – AfriNIC still has an obligation to inform its 
> community as to its standing in this regard and do so before the legislation 
> becomes reality.

Sure. I’m just saying, it’s not clear at this time that AfriNIC is even subject 
to GDPR and it seems to me that would be the first question to ask before 
embarking on a journey involving how to comply with a law to which the 
organization might not even be subject.

Owen

>  
> Please note clause 3.4.vii of the bylaws:
>  
> (vii) to disseminate among its members information on all matters affecting 
> the Company and its members and to provide for and be a central channel of 
> communication for the members of the Company and generally for the 
> furtherance and promotion of their interests;
>  
> Andrew
>  
> From: Owen DeLong [mailto:o...@delong.com <mailto:o...@delong.com>] 
> Sent: 11 April 2018 09:08
> To: Andrew Alston <andrew.als...@liquidtelecom.com 
> <mailto:andrew.als...@liquidtelecom.com>>
> Cc: General <community-discuss@afrinic.net 
> <mailto:community-discuss@afrinic.net>>; AFRINIC Board of Directors' List 
> <bo...@afrinic.net <mailto:bo...@afrinic.net>>
> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
> Importance: High
>  
>  
>  
> 
> On Apr 10, 2018, at 22:42 , Andrew Alston <andrew.als...@liquidtelecom.com 
> <mailto:andrew.als...@liquidtelecom.com>> wrote:
>  
> Hi AfriNIC Board,
>  
> Can this board please *urgently* inform this community as to what 
> preparations they have made as regards to compliance with the General Data 
> Protection Regulations passed by the European Commision and the board will be 
> in a position to give this community a full and complete report as to their 
> GDPR compliance status and what will be changing before the 25th of May to 
> ensure that when the GDPR comes into force AfriNIC is compliant.
>  
> Is Mauritius signatory to some treaty making them subject to GDPR?
>  
> 
> Considering that the regulation comes into force on the 25th of May 2018 – 
> and AfriNIC is 100% holding data of EU Citizens, which makes them subject to 
> the regulations irrespective of the fact that they are domiciled in Mauritius 
> – this is an urgent and critical issue.  It has direct impact on the whois 
> database, abuse contact information, handling of data submitted during 
> application process and potentially even the proposed review policy, just to 
> name a few things that I can think of off the top of my head – and cannot be 
> ignored.  I would in fact have liked to have seen discussions by the board in 
> the minutes that have been published about the GDPR long before now – 
> considering the impact – but failing that – the question is now being asked.
>  
> It’s not about EU Citizens. It’s about EU Residents. (Common misconception 
> about GDPR).
>  
> Further, unless your in a silly

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Andrew Alston
Owen,

I would presume that people could still vote for said directors – both before 
or after the vote is passed if it does indeed pass.

I would however hope that if the vote passed – the directors who were part of 
the current board would do the honorable thing and honor the motion and step 
aside.

Andrew


From: Owen DeLong [mailto:o...@delong.com]
Sent: 11 April 2018 17:15
To: Jan Zorz Go6 <j...@go6.si>
Cc: Andrew Alston <andrew.als...@liquidtelecom.com>; 
community-discuss@afrinic.net; members-disc...@afrinic.net
Subject: Re: [Community-Discuss] AFRINIC and the GDPR

Can we get a clarification from staff whether the wording in this motion would 
permit or preclude electronic voting for the directors to be elected at the 
proposed SGMM?

Thanks,

Owen



On Apr 11, 2018, at 06:10 , Jan Zorz Go6 <j...@go6.si<mailto:j...@go6.si>> 
wrote:

Oh boy... Interesting AGMM awaits in Dakar, as it seems :)
Cheers, Jan Žorž
---
Sent from mobile phone, please excuse brevity and top-posting...
On Apr 11, 2018, at 15:06, Andrew Alston 
<andrew.als...@liquidtelecom.com<mailto:andrew.als...@liquidtelecom.com>> wrote:

Hi Sander,

Mark tabled the following motion (and has agreed to let me send this to the 
community list on the phone just now) – this motion has also been accepted in 
emails to the members list from the board


 From Mark’s email to the member list 

I have been watching the mailing lists where Sunday, whom I consider a friend, 
has admitted to violating the NDA. He has stood down as chair but not tendered 
his resignation. There was a Board Meeting last night according to the mailing 
lists. The Board appear not to have ask Sunday to stand down (there was no 
announcement along these lines, therefore I request the following be tabled at 
upcoming AGMM in Dakar. As this is not a vote to remove the directors, but 
rather to express the communities lack of confidence in them, and to request 
their resignations, I request that this be tabled as a standard resolution.

Introduction:

In 2014, the board of directors (I was a director at that time) passed a 
resolution laying out the sanctions for NDA violations – that violations of the 
NDA could be result in expulsion from the board of directors.  In 2014, during 
a meeting in Tunis, that resolution was used to request, and subsequently gain, 
the resignation of two members of the board of directors.

During allegations made recently on an unrelated matter, it came to light that 
the former chair of the board, Mr Sunday Folayan, wilfully and blatantly shared 
information related directly to the company, with a junior member of staff, and 
an admission in this regard was made to the community in an email sent by Mr 
Folayan on the 16th of March 2018.

It is my belief that the sharing of the information was a direct contravention 
of the NDA – as well as a direct contravention of various sections of the 
companies act relating to the duties and responsibilities of a director.

Since this time – there have been numerous calls for Mr Folayan to resign from 
the board – something that as of now he has not done.  There have also been 
numerous calls for the board to act against Mr. Folayan in this regard.  The 
board has failed to do this – and is acting outside of historic precedent 
regarding similar violations.

As such, it is my belief that the entire board is in violation of its duties 
and of the trust of the community – the degree of that loss of confidence will 
be tested by this motion as is proper procedure.

It is also acknowledged that the board has the right to defy this motion and 
continue to claim legitimacy under strict legal interpretation – hence – this 
motion is phrased as a request – with the knowledge that should the board not 
adhere to this request if this motion passes – they will lose all credibility 
and the ability to claim legitimacy as representatives of the member base of 
AfriNIC – irrespective of their legal standing.

As a former Board member and the proposer of this resolution, I wish to state 
that if this motion be passed and the request granted, I will not be standing 
for any seat myself.
With this in mind:

The members of AfriNIC here by RESOLVE:

To state that the members of AfriNIC have lost all confidence in the current 
board of directors to act in the best interests of the company or its 
registered, resource and associate members.
To request the resignations of every member of the board of directors with 
immediate effect
To request that Viv Padayachee act as caretaker director with the sole purpose 
of appointing a NomCOM and convening an SGMM at which a full election will be 
held to appoint a new board of directors
To elect a new board of directors by ballot at an SGMM within 90 days of these 
proceedings – at which point directors elected will hold their positions for 
the remainder of the specific term of the seat to which they are appointed.


 End of Mar

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Andrew Alston
Owen,

Would the fact that AfriNIC serves  La Réunion and Mayotte not create such a 
nexus since both are formally part of the EU?

In the same way – there are various EU members served by ARIN?

Andrew


From: Owen DeLong [mailto:o...@delong.com]
Sent: 11 April 2018 17:12
To: Andrew Alston <andrew.als...@liquidtelecom.com>
Cc: Mike Silber <silber.m...@gmail.com>; Abibu R. Ntahigiye 
<ab...@tznic.or.tz>; General Discussions of AFRINIC 
<community-discuss@afrinic.net>; AfriNIC Discuss <members-disc...@afrinic.net>
Subject: Re: [Community-Discuss] AFRINIC and the GDPR

Roughly translated:
   The ability of EU to inflict GDPR on those operators outside of 
EU is predicated on that operator
   having some business operation or presence within the EU which 
allows them to subject you to their
   jurisdiction. Determining that you have said presence requires a 
specific determination by the
   EU member state where said presence exists.

I’m pretty sure AfriNIC has no such nexus.

However, what is left out of Mike’s statement is the potential that any other 
country may have signed some
sort of treaty with the EU (or a member state) which subjects them to GDPR 
and/or grants additional
extraterritorial rights to the EU. Such is (unfortunately) the case with the 
US, for example.

Another key point is that EU citizens not living in Europe are not covered by 
GDPR. Non-EU citizens living
within the EU are covered by GDPR. (At least that is my understanding… AIUI, 
GDPR applies to EU residents,
not EU citizens.)

Owen



On Apr 11, 2018, at 06:44 , Andrew Alston 
<andrew.als...@liquidtelecom.com<mailto:andrew.als...@liquidtelecom.com>> wrote:

Thanks Mike,

That’s actually pretty useful in some sense – but can I ask for an English 
interpretation of the last sentence for those of us that sadly don’t speak 
Lawyer ☺

Thanks

Andrew


From: Mike Silber <silber.m...@gmail.com<mailto:silber.m...@gmail.com>>
Date: Wednesday, 11 April 2018 at 16:34
To: "Abibu R. Ntahigiye" <ab...@tznic.or.tz<mailto:ab...@tznic.or.tz>>
Cc: Andrew Alston 
<andrew.als...@liquidtelecom.com<mailto:andrew.als...@liquidtelecom.com>>, 
General Discussions of AFRINIC 
<community-discuss@afrinic.net<mailto:community-discuss@afrinic.net>>, AfriNIC 
Discuss <members-disc...@afrinic.net<mailto:members-disc...@afrinic.net>>
Subject: Re: [Community-Discuss] AFRINIC and the GDPR

If I can add to this, there is as yet no clear direction from the European DPAs 
as a collective on how GDPR affects whois access in general.

The RIPE NCC approach is premised on their interactions with the Dutch DPA, 
rather than a Europe wide approach.

In addition, I am not sure I concur with Mr Alston’s insistence that “holding 
data of EU citizens” automatically places AfriNIC into the category of data 
controller in terms of GDPR or imposes any requirements on AfriNIC, 
particularly as the GDPR applies to processing of personal data in the context 
of the activities of an establishment of a controller or a processor in the 
Union.

The extraterritorial application is premised on a nexus requirement set out in 
general terms in Recital 23, but requiring specific determination in terms of 
national law by Member States.

Mike




On 11 Apr 2018, at 13:36, Abibu R. Ntahigiye 
<ab...@tznic.or.tz<mailto:ab...@tznic.or.tz>> wrote:

Dear Andrew, Members and the whole Afrinic community,
Andrew has raised a very important issue for Afrinic operations - Thanks so 
much Andrew.
The Board would like to inform you that the issue was discussed within the 
Board at the Afrinic 27 meeting in Lagos and the Management was tasked to work 
on the issue.
The Board has also been made aware that the Mauritius Data Protection Act 2017 
is already in effect and is aligned with the EU GDPR regulations.  The Board 
believes that these regulations are not a barrier to publication of the WHOIS 
data, and it has noted the RIPE NCC study that made such a finding.  The Board 
further believes that the biggest changes required by AFRINIC are in 
documenting how personal data is used, and in informing people at the time data 
is collected.
The AFRINIC management will provide further updates on the issues at AIS 2018 
in Senegal.
Further to the above, the Board expects to receive more insights on GDPR  
related issues at the joint Boards (AfriNIC and RIPE NCC) meeting planned in 
Senegal.

Kind regards



On 11/04/2018 08:42, Andrew Alston wrote:
Hi AfriNIC Board,

Can this board please *urgently* inform this community as to what preparations 
they have made as regards to compliance with the General Data Protection 
Regulations passed by the European Commision and the board will be in a 
position to give this community a full and complete report as to their GDPR 
compliance status and what will be changing before the 25th of May to ens

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Mike Silber
I would agree with that completely

The Mauritius DPA is actually aligned with the old EU Data Privacy Directive 
and not the GDPR.

There are some interesting changes from the DPD to the GDPR. Most are quite 
minor in language (but could be more significant in application - time will 
tell).


> On 11 Apr 2018, at 16:00, Alan Barrett  wrote:
> 
> 
> 
>> On 11 Apr 2018, at 17:54, Mike Silber  wrote:
>> 
>> No issue with doing a proper information audit (what there is, where it is 
>> stored, how it can be accessed and by whom). That is just good information 
>> security practice.
>> 
>> However I am still not certain that holding any of that information actually 
>> makes AfriNIC a controller in terms of the GDPR.
> 
> I am pretty sure that AFRINIC is a data controller in terms of the Mauritius 
> Data Protection Act, which is aligned with GDPR.
> 
> Yes, we are auditing the information we hold and the way we process it, and I 
> expect to be able to report on progress at the AIS meeting in early May.
> 
> Alan
> ___
> Community-Discuss mailing list
> Community-Discuss@afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss


___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Owen DeLong
Can we get a clarification from staff whether the wording in this motion would 
permit or preclude electronic voting for the directors to be elected at the 
proposed SGMM?

Thanks,

Owen


> On Apr 11, 2018, at 06:10 , Jan Zorz Go6  wrote:
> 
> Oh boy... Interesting AGMM awaits in Dakar, as it seems :)
> 
> Cheers, Jan Žorž
> ---
> Sent from mobile phone, please excuse brevity and top-posting...
> On Apr 11, 2018, at 15:06, Andrew Alston  > wrote:
> Hi Sander,
> 
> Mark tabled the following motion (and has agreed to let me send this to the 
> community list on the phone just now) – this motion has also been accepted in 
> emails to the members list from the board 
> 
> 
>  From Mark’s email to the member list 
> 
> I have been watching the mailing lists where Sunday, whom I consider a 
> friend, has admitted to violating the NDA. He has stood down as chair but not 
> tendered his resignation. There was a Board Meeting last night according to 
> the mailing lists. The Board appear not to have ask Sunday to stand down 
> (there was no announcement along these lines, therefore I request the 
> following be tabled at upcoming AGMM in Dakar. As this is not a vote to 
> remove the directors, but rather to express the communities lack of 
> confidence in them, and to request their resignations, I request that this be 
> tabled as a standard resolution.
> 
> Introduction:
> 
> In 2014, the board of directors (I was a director at that time) passed a 
> resolution laying out the sanctions for NDA violations – that violations of 
> the NDA could be result in expulsion from the board of directors.  In 2014, 
> during a meeting in Tunis, that resolution was used to request, and 
> subsequently gain, the resignation of two members of the board of directors.
> 
> During allegations made recently on an unrelated matter, it came to light 
> that the former chair of the board, Mr Sunday Folayan, wilfully and blatantly 
> shared information related directly to the company, with a junior member of 
> staff, and an admission in this regard was made to the community in an email 
> sent by Mr Folayan on the 16th of March 2018.
> 
> It is my belief that the sharing of the information was a direct 
> contravention of the NDA – as well as a direct contravention of various 
> sections of the companies act relating to the duties and responsibilities of 
> a director.
> 
> Since this time – there have been numerous calls for Mr Folayan to resign 
> from the board – something that as of now he has not done.  There have also 
> been numerous calls for the board to act against Mr. Folayan in this regard.  
> The board has failed to do this – and is acting outside of historic precedent 
> regarding similar violations.
> 
> As such, it is my belief that the entire board is in violation of its duties 
> and of the trust of the community – the degree of that loss of confidence 
> will be tested by this motion as is proper procedure.
> 
> It is also acknowledged that the board has the right to defy this motion and 
> continue to claim legitimacy under strict legal interpretation – hence – this 
> motion is phrased as a request – with the knowledge that should the board not 
> adhere to this request if this motion passes – they will lose all credibility 
> and the ability to claim legitimacy as representatives of the member base of 
> AfriNIC – irrespective of their legal standing.
> 
> As a former Board member and the proposer of this resolution, I wish to state 
> that if this motion be passed and the request granted, I will not be standing 
> for any seat myself.
> With this in mind:
> 
> The members of AfriNIC here by RESOLVE:
> 
> To state that the members of AfriNIC have lost all confidence in the current 
> board of directors to act in the best interests of the company or its 
> registered, resource and associate members.
> To request the resignations of every member of the board of directors with 
> immediate effect
> To request that Viv Padayachee act as caretaker director with the sole 
> purpose of appointing a NomCOM and convening an SGMM at which a full election 
> will be held to appoint a new board of directors
> To elect a new board of directors by ballot at an SGMM within 90 days of 
> these proceedings – at which point directors elected will hold their 
> positions for the remainder of the specific term of the seat to which they 
> are appointed.
> 
> 
>  End of Mark’s email 
> 
> On 11/04/2018, 16:00, "Sander Steffann"  wrote:
> 
> Hi,
> 
>  Considering that the board is facing a tabled and accepted motion of no 
> confidence in Dakar – which has been accepted to the Agenda
> 
> Wait, what motion? I have seen the message from Sunday that he is 
> stepping down as chair, and I of course have seen the allegations. I haven't 
> seen a motion on this list though...
> 
> Cheers,
>

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Owen DeLong
Roughly translated:
The ability of EU to inflict GDPR on those operators outside of EU is 
predicated on that operator
having some business operation or presence within the EU which allows 
them to subject you to their
jurisdiction. Determining that you have said presence requires a 
specific determination by the
EU member state where said presence exists.

I’m pretty sure AfriNIC has no such nexus.

However, what is left out of Mike’s statement is the potential that any other 
country may have signed some
sort of treaty with the EU (or a member state) which subjects them to GDPR 
and/or grants additional
extraterritorial rights to the EU. Such is (unfortunately) the case with the 
US, for example.

Another key point is that EU citizens not living in Europe are not covered by 
GDPR. Non-EU citizens living
within the EU are covered by GDPR. (At least that is my understanding… AIUI, 
GDPR applies to EU residents,
not EU citizens.)

Owen


> On Apr 11, 2018, at 06:44 , Andrew Alston <andrew.als...@liquidtelecom.com> 
> wrote:
> 
> Thanks Mike,
>  
> That’s actually pretty useful in some sense – but can I ask for an English 
> interpretation of the last sentence for those of us that sadly don’t speak 
> Lawyer ☺
>  
> Thanks
>  
> Andrew
>  
>  
> From: Mike Silber <silber.m...@gmail.com>
> Date: Wednesday, 11 April 2018 at 16:34
> To: "Abibu R. Ntahigiye" <ab...@tznic.or.tz>
> Cc: Andrew Alston <andrew.als...@liquidtelecom.com>, General Discussions of 
> AFRINIC <community-discuss@afrinic.net>, AfriNIC Discuss 
> <members-disc...@afrinic.net>
> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
>  
> If I can add to this, there is as yet no clear direction from the European 
> DPAs as a collective on how GDPR affects whois access in general.
>  
> The RIPE NCC approach is premised on their interactions with the Dutch DPA, 
> rather than a Europe wide approach.
>  
> In addition, I am not sure I concur with Mr Alston’s insistence that “holding 
> data of EU citizens” automatically places AfriNIC into the category of data 
> controller in terms of GDPR or imposes any requirements on AfriNIC, 
> particularly as the GDPR applies to processing of personal data in the 
> context of the activities of an establishment of a controller or a processor 
> in the Union.
>  
> The extraterritorial application is premised on a nexus requirement set out 
> in general terms in Recital 23, but requiring specific determination in terms 
> of national law by Member States.
>  
> Mike
>  
> 
> 
>> On 11 Apr 2018, at 13:36, Abibu R. Ntahigiye <ab...@tznic.or.tz 
>> <mailto:ab...@tznic.or.tz>> wrote:
>>  
>> Dear Andrew, Members and the whole Afrinic community,
>> Andrew has raised a very important issue for Afrinic operations - Thanks so 
>> much Andrew.
>> The Board would like to inform you that the issue was discussed within the 
>> Board at the Afrinic 27 meeting in Lagos and the Management was tasked to 
>> work on the issue.
>> The Board has also been made aware that the Mauritius Data Protection Act 
>> 2017 is already in effect and is aligned with the EU GDPR regulations.  The 
>> Board believes that these regulations are not a barrier to publication of 
>> the WHOIS data, and it has noted the RIPE NCC study that made such a 
>> finding.  The Board further believes that the biggest changes required by 
>> AFRINIC are in documenting how personal data is used, and in informing 
>> people at the time data is collected. 
>> The AFRINIC management will provide further updates on the issues at AIS 
>> 2018 in Senegal.
>> Further to the above, the Board expects to receive more insights on GDPR  
>> related issues at the joint Boards (AfriNIC and RIPE NCC) meeting planned in 
>> Senegal.
>> 
>> Kind regards
>> 
>> 
>> On 11/04/2018 08:42, Andrew Alston wrote:
>>> Hi AfriNIC Board,
>>>  
>>> Can this board please *urgently* inform this community as to what 
>>> preparations they have made as regards to compliance with the General Data 
>>> Protection Regulations passed by the European Commision and the board will 
>>> be in a position to give this community a full and complete report as to 
>>> their GDPR compliance status and what will be changing before the 25th of 
>>> May to ensure that when the GDPR comes into force AfriNIC is compliant.
>>>  
>>> Considering that the regulation comes into force on the 25th of May 2018 – 
>>> and AfriNIC is 100% holding data of EU Citizens, which makes them subject 
>>> to the regulations irrespective of

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Alan Barrett


> On 11 Apr 2018, at 17:54, Mike Silber  wrote:
> 
> No issue with doing a proper information audit (what there is, where it is 
> stored, how it can be accessed and by whom). That is just good information 
> security practice.
> 
> However I am still not certain that holding any of that information actually 
> makes AfriNIC a controller in terms of the GDPR.

I am pretty sure that AFRINIC is a data controller in terms of the Mauritius 
Data Protection Act, which is aligned with GDPR.

Yes, we are auditing the information we hold and the way we process it, and I 
expect to be able to report on progress at the AIS meeting in early May.

Alan
___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Mike Silber
No issue with doing a proper information audit (what there is, where it is 
stored, how it can be accessed and by whom). That is just good information 
security practice.

However I am still not certain that holding any of that information actually 
makes AfriNIC a controller in terms of the GDPR.

> On 11 Apr 2018, at 15:47, Andrew Alston <andrew.als...@liquidtelecom.com> 
> wrote:
> 
> Mike,
>  
> Also just to clarify – I believe this goes beyond whois data – there is far 
> more data that AfriNIC holds than just the whois data that could be affected 
> by this.  I concede the whois portion I may well be wrong on that – the rest 
> of it – as I said – I simply want to see from AfriNIC a report on that they 
> are doing and where they aren’t in compliance to present that to this 
> community – mindful of the time frames involved – the situation the current 
> board finds facing – and the dictates of section 3.4.iiv of the bylaws
>  
> Andrew
>  
>  
> From: Mike Silber <silber.m...@gmail.com>
> Date: Wednesday, 11 April 2018 at 16:34
> To: "Abibu R. Ntahigiye" <ab...@tznic.or.tz>
> Cc: Andrew Alston <andrew.als...@liquidtelecom.com>, General Discussions of 
> AFRINIC <community-discuss@afrinic.net>, AfriNIC Discuss 
> <members-disc...@afrinic.net>
> Subject: Re: [Community-Discuss] AFRINIC and the GDPR
>  
> If I can add to this, there is as yet no clear direction from the European 
> DPAs as a collective on how GDPR affects whois access in general.
>  
> The RIPE NCC approach is premised on their interactions with the Dutch DPA, 
> rather than a Europe wide approach.
>  
> In addition, I am not sure I concur with Mr Alston’s insistence that “holding 
> data of EU citizens” automatically places AfriNIC into the category of data 
> controller in terms of GDPR or imposes any requirements on AfriNIC, 
> particularly as the GDPR applies to processing of personal data in the 
> context of the activities of an establishment of a controller or a processor 
> in the Union.
>  
> The extraterritorial application is premised on a nexus requirement set out 
> in general terms in Recital 23, but requiring specific determination in terms 
> of national law by Member States.
>  
> Mike
>  
> 
> 
>> On 11 Apr 2018, at 13:36, Abibu R. Ntahigiye <ab...@tznic.or.tz 
>> <mailto:ab...@tznic.or.tz>> wrote:
>>  
>> Dear Andrew, Members and the whole Afrinic community,
>> Andrew has raised a very important issue for Afrinic operations - Thanks so 
>> much Andrew.
>> The Board would like to inform you that the issue was discussed within the 
>> Board at the Afrinic 27 meeting in Lagos and the Management was tasked to 
>> work on the issue.
>> The Board has also been made aware that the Mauritius Data Protection Act 
>> 2017 is already in effect and is aligned with the EU GDPR regulations.  The 
>> Board believes that these regulations are not a barrier to publication of 
>> the WHOIS data, and it has noted the RIPE NCC study that made such a 
>> finding.  The Board further believes that the biggest changes required by 
>> AFRINIC are in documenting how personal data is used, and in informing 
>> people at the time data is collected. 
>> The AFRINIC management will provide further updates on the issues at AIS 
>> 2018 in Senegal.
>> Further to the above, the Board expects to receive more insights on GDPR  
>> related issues at the joint Boards (AfriNIC and RIPE NCC) meeting planned in 
>> Senegal.
>> 
>> Kind regards
>> 
>> 
>> On 11/04/2018 08:42, Andrew Alston wrote:
>>> Hi AfriNIC Board,
>>>  
>>> Can this board please *urgently* inform this community as to what 
>>> preparations they have made as regards to compliance with the General Data 
>>> Protection Regulations passed by the European Commision and the board will 
>>> be in a position to give this community a full and complete report as to 
>>> their GDPR compliance status and what will be changing before the 25th of 
>>> May to ensure that when the GDPR comes into force AfriNIC is compliant.
>>>  
>>> Considering that the regulation comes into force on the 25th of May 2018 – 
>>> and AfriNIC is 100% holding data of EU Citizens, which makes them subject 
>>> to the regulations irrespective of the fact that they are domiciled in 
>>> Mauritius – this is an urgent and critical issue.  It has direct impact on 
>>> the whois database, abuse contact information, handling of data submitted 
>>> during application process and potentially even the proposed review policy, 
>>> just to name

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Andrew Alston
Mike,

Also just to clarify – I believe this goes beyond whois data – there is far 
more data that AfriNIC holds than just the whois data that could be affected by 
this.  I concede the whois portion I may well be wrong on that – the rest of it 
– as I said – I simply want to see from AfriNIC a report on that they are doing 
and where they aren’t in compliance to present that to this community – mindful 
of the time frames involved – the situation the current board finds facing – 
and the dictates of section 3.4.iiv of the bylaws

Andrew


From: Mike Silber <silber.m...@gmail.com>
Date: Wednesday, 11 April 2018 at 16:34
To: "Abibu R. Ntahigiye" <ab...@tznic.or.tz>
Cc: Andrew Alston <andrew.als...@liquidtelecom.com>, General Discussions of 
AFRINIC <community-discuss@afrinic.net>, AfriNIC Discuss 
<members-disc...@afrinic.net>
Subject: Re: [Community-Discuss] AFRINIC and the GDPR

If I can add to this, there is as yet no clear direction from the European DPAs 
as a collective on how GDPR affects whois access in general.

The RIPE NCC approach is premised on their interactions with the Dutch DPA, 
rather than a Europe wide approach.

In addition, I am not sure I concur with Mr Alston’s insistence that “holding 
data of EU citizens” automatically places AfriNIC into the category of data 
controller in terms of GDPR or imposes any requirements on AfriNIC, 
particularly as the GDPR applies to processing of personal data in the context 
of the activities of an establishment of a controller or a processor in the 
Union.

The extraterritorial application is premised on a nexus requirement set out in 
general terms in Recital 23, but requiring specific determination in terms of 
national law by Member States.

Mike



On 11 Apr 2018, at 13:36, Abibu R. Ntahigiye 
<ab...@tznic.or.tz<mailto:ab...@tznic.or.tz>> wrote:

Dear Andrew, Members and the whole Afrinic community,
Andrew has raised a very important issue for Afrinic operations - Thanks so 
much Andrew.
The Board would like to inform you that the issue was discussed within the 
Board at the Afrinic 27 meeting in Lagos and the Management was tasked to work 
on the issue.
The Board has also been made aware that the Mauritius Data Protection Act 2017 
is already in effect and is aligned with the EU GDPR regulations.  The Board 
believes that these regulations are not a barrier to publication of the WHOIS 
data, and it has noted the RIPE NCC study that made such a finding.  The Board 
further believes that the biggest changes required by AFRINIC are in 
documenting how personal data is used, and in informing people at the time data 
is collected.
The AFRINIC management will provide further updates on the issues at AIS 2018 
in Senegal.
Further to the above, the Board expects to receive more insights on GDPR  
related issues at the joint Boards (AfriNIC and RIPE NCC) meeting planned in 
Senegal.

Kind regards


On 11/04/2018 08:42, Andrew Alston wrote:
Hi AfriNIC Board,

Can this board please *urgently* inform this community as to what preparations 
they have made as regards to compliance with the General Data Protection 
Regulations passed by the European Commision and the board will be in a 
position to give this community a full and complete report as to their GDPR 
compliance status and what will be changing before the 25th of May to ensure 
that when the GDPR comes into force AfriNIC is compliant.

Considering that the regulation comes into force on the 25th of May 2018 – and 
AfriNIC is 100% holding data of EU Citizens, which makes them subject to the 
regulations irrespective of the fact that they are domiciled in Mauritius – 
this is an urgent and critical issue.  It has direct impact on the whois 
database, abuse contact information, handling of data submitted during 
application process and potentially even the proposed review policy, just to 
name a few things that I can think of off the top of my head – and cannot be 
ignored.  I would in fact have liked to have seen discussions by the board in 
the minutes that have been published about the GDPR long before now – 
considering the impact – but failing that – the question is now being asked.

Andrew



___

Community-Discuss mailing list

Community-Discuss@afrinic.net<mailto:Community-Discuss@afrinic.net>

https://lists.afrinic.net/mailman/listinfo/community-discuss<https://lists.afrinic.net/mailman/listinfo/community-discuss>



--

Abibu R. Ntahigiye



CEO, tzNIC / Interim Chairman, Afrinic.
___
Community-Discuss mailing list
Community-Discuss@afrinic.net<mailto:Community-Discuss@afrinic.net>
https://lists.afrinic.net/mailman/listinfo/community-discuss<https://lists.afrinic.net/mailman/listinfo/community-discuss>

___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Andrew Alston
Thanks Mike,

That’s actually pretty useful in some sense – but can I ask for an English 
interpretation of the last sentence for those of us that sadly don’t speak 
Lawyer ☺

Thanks

Andrew


From: Mike Silber <silber.m...@gmail.com>
Date: Wednesday, 11 April 2018 at 16:34
To: "Abibu R. Ntahigiye" <ab...@tznic.or.tz>
Cc: Andrew Alston <andrew.als...@liquidtelecom.com>, General Discussions of 
AFRINIC <community-discuss@afrinic.net>, AfriNIC Discuss 
<members-disc...@afrinic.net>
Subject: Re: [Community-Discuss] AFRINIC and the GDPR

If I can add to this, there is as yet no clear direction from the European DPAs 
as a collective on how GDPR affects whois access in general.

The RIPE NCC approach is premised on their interactions with the Dutch DPA, 
rather than a Europe wide approach.

In addition, I am not sure I concur with Mr Alston’s insistence that “holding 
data of EU citizens” automatically places AfriNIC into the category of data 
controller in terms of GDPR or imposes any requirements on AfriNIC, 
particularly as the GDPR applies to processing of personal data in the context 
of the activities of an establishment of a controller or a processor in the 
Union.

The extraterritorial application is premised on a nexus requirement set out in 
general terms in Recital 23, but requiring specific determination in terms of 
national law by Member States.

Mike



On 11 Apr 2018, at 13:36, Abibu R. Ntahigiye 
<ab...@tznic.or.tz<mailto:ab...@tznic.or.tz>> wrote:

Dear Andrew, Members and the whole Afrinic community,
Andrew has raised a very important issue for Afrinic operations - Thanks so 
much Andrew.
The Board would like to inform you that the issue was discussed within the 
Board at the Afrinic 27 meeting in Lagos and the Management was tasked to work 
on the issue.
The Board has also been made aware that the Mauritius Data Protection Act 2017 
is already in effect and is aligned with the EU GDPR regulations.  The Board 
believes that these regulations are not a barrier to publication of the WHOIS 
data, and it has noted the RIPE NCC study that made such a finding.  The Board 
further believes that the biggest changes required by AFRINIC are in 
documenting how personal data is used, and in informing people at the time data 
is collected.
The AFRINIC management will provide further updates on the issues at AIS 2018 
in Senegal.
Further to the above, the Board expects to receive more insights on GDPR  
related issues at the joint Boards (AfriNIC and RIPE NCC) meeting planned in 
Senegal.

Kind regards


On 11/04/2018 08:42, Andrew Alston wrote:
Hi AfriNIC Board,

Can this board please *urgently* inform this community as to what preparations 
they have made as regards to compliance with the General Data Protection 
Regulations passed by the European Commision and the board will be in a 
position to give this community a full and complete report as to their GDPR 
compliance status and what will be changing before the 25th of May to ensure 
that when the GDPR comes into force AfriNIC is compliant.

Considering that the regulation comes into force on the 25th of May 2018 – and 
AfriNIC is 100% holding data of EU Citizens, which makes them subject to the 
regulations irrespective of the fact that they are domiciled in Mauritius – 
this is an urgent and critical issue.  It has direct impact on the whois 
database, abuse contact information, handling of data submitted during 
application process and potentially even the proposed review policy, just to 
name a few things that I can think of off the top of my head – and cannot be 
ignored.  I would in fact have liked to have seen discussions by the board in 
the minutes that have been published about the GDPR long before now – 
considering the impact – but failing that – the question is now being asked.

Andrew



___

Community-Discuss mailing list

Community-Discuss@afrinic.net<mailto:Community-Discuss@afrinic.net>

https://lists.afrinic.net/mailman/listinfo/community-discuss<https://lists.afrinic.net/mailman/listinfo/community-discuss>



--

Abibu R. Ntahigiye



CEO, tzNIC / Interim Chairman, Afrinic.
___
Community-Discuss mailing list
Community-Discuss@afrinic.net<mailto:Community-Discuss@afrinic.net>
https://lists.afrinic.net/mailman/listinfo/community-discuss<https://lists.afrinic.net/mailman/listinfo/community-discuss>

___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Mike Silber
If I can add to this, there is as yet no clear direction from the European DPAs 
as a collective on how GDPR affects whois access in general.

The RIPE NCC approach is premised on their interactions with the Dutch DPA, 
rather than a Europe wide approach.

In addition, I am not sure I concur with Mr Alston’s insistence that “holding 
data of EU citizens” automatically places AfriNIC into the category of data 
controller in terms of GDPR or imposes any requirements on AfriNIC, 
particularly as the GDPR applies to processing of personal data in the context 
of the activities of an establishment of a controller or a processor in the 
Union.

The extraterritorial application is premised on a nexus requirement set out in 
general terms in Recital 23, but requiring specific determination in terms of 
national law by Member States.

Mike


> On 11 Apr 2018, at 13:36, Abibu R. Ntahigiye  wrote:
> 
> Dear Andrew, Members and the whole Afrinic community,
> 
> Andrew has raised a very important issue for Afrinic operations - Thanks so 
> much Andrew.
> 
> The Board would like to inform you that the issue was discussed within the 
> Board at the Afrinic 27 meeting in Lagos and the Management was tasked to 
> work on the issue.
> 
> The Board has also been made aware that the Mauritius Data Protection Act 
> 2017 is already in effect and is aligned with the EU GDPR regulations.  The 
> Board believes that these regulations are not a barrier to publication of the 
> WHOIS data, and it has noted the RIPE NCC study that made such a finding.  
> The Board further believes that the biggest changes required by AFRINIC are 
> in documenting how personal data is used, and in informing people at the time 
> data is collected. 
> 
> The AFRINIC management will provide further updates on the issues at AIS 2018 
> in Senegal.
> 
> Further to the above, the Board expects to receive more insights on GDPR  
> related issues at the joint Boards (AfriNIC and RIPE NCC) meeting planned in 
> Senegal.
> 
> Kind regards
> 
> 
> On 11/04/2018 08:42, Andrew Alston wrote:
>> Hi AfriNIC Board,
>>  
>> Can this board please *urgently* inform this community as to what 
>> preparations they have made as regards to compliance with the General Data 
>> Protection Regulations passed by the European Commision and the board will 
>> be in a position to give this community a full and complete report as to 
>> their GDPR compliance status and what will be changing before the 25th of 
>> May to ensure that when the GDPR comes into force AfriNIC is compliant.
>>  
>> Considering that the regulation comes into force on the 25th of May 2018 – 
>> and AfriNIC is 100% holding data of EU Citizens, which makes them subject to 
>> the regulations irrespective of the fact that they are domiciled in 
>> Mauritius – this is an urgent and critical issue.  It has direct impact on 
>> the whois database, abuse contact information, handling of data submitted 
>> during application process and potentially even the proposed review policy, 
>> just to name a few things that I can think of off the top of my head – and 
>> cannot be ignored.  I would in fact have liked to have seen discussions by 
>> the board in the minutes that have been published about the GDPR long before 
>> now – considering the impact – but failing that – the question is now being 
>> asked.
>>  
>> Andrew
>>  
>>  
>> ___
>> Community-Discuss mailing list
>> Community-Discuss@afrinic.net 
>> https://lists.afrinic.net/mailman/listinfo/community-discuss 
>> 
> 
> -- 
> Abibu R. Ntahigiye
> 
> CEO, tzNIC / Interim Chairman, Afrinic.
> ___
> Community-Discuss mailing list
> Community-Discuss@afrinic.net 
> https://lists.afrinic.net/mailman/listinfo/community-discuss 
> 

___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Jan Zorz Go6
Oh boy... Interesting AGMM awaits in Dakar, as it seems :)

⁣Cheers, Jan Žorž
---
Sent from mobile phone, please excuse brevity and top-posting...​

On Apr 11, 2018, 15:06, at 15:06, Andrew Alston 
 wrote:
>Hi Sander,
>
>Mark tabled the following motion (and has agreed to let me send this to
>the community list on the phone just now) – this motion has also been
>accepted in emails to the members list from the board
>
>
> From Mark’s email to the member list 
>
>I have been watching the mailing lists where Sunday, whom I consider a
>friend, has admitted to violating the NDA. He has stood down as chair
>but not tendered his resignation. There was a Board Meeting last night
>according to the mailing lists. The Board appear not to have ask Sunday
>to stand down (there was no announcement along these lines, therefore I
>request the following be tabled at upcoming AGMM in Dakar. As this is
>not a vote to remove the directors, but rather to express the
>communities lack of confidence in them, and to request their
>resignations, I request that this be tabled as a standard resolution.
>
>Introduction:
>
>In 2014, the board of directors (I was a director at that time) passed
>a resolution laying out the sanctions for NDA violations – that
>violations of the NDA could be result in expulsion from the board of
>directors.  In 2014, during a meeting in Tunis, that resolution was
>used to request, and subsequently gain, the resignation of two members
>of the board of directors.
>
>During allegations made recently on an unrelated matter, it came to
>light that the former chair of the board, Mr Sunday Folayan, wilfully
>and blatantly shared information related directly to the company, with
>a junior member of staff, and an admission in this regard was made to
>the community in an email sent by Mr Folayan on the 16th of March 2018.
>
>It is my belief that the sharing of the information was a direct
>contravention of the NDA – as well as a direct contravention of various
>sections of the companies act relating to the duties and
>responsibilities of a director.
>
>Since this time – there have been numerous calls for Mr Folayan to
>resign from the board – something that as of now he has not done.
>There have also been numerous calls for the board to act against Mr.
>Folayan in this regard.  The board has failed to do this – and is
>acting outside of historic precedent regarding similar violations.
>
>As such, it is my belief that the entire board is in violation of its
>duties and of the trust of the community – the degree of that loss of
>confidence will be tested by this motion as is proper procedure.
>
>It is also acknowledged that the board has the right to defy this
>motion and continue to claim legitimacy under strict legal
>interpretation – hence – this motion is phrased as a request – with the
>knowledge that should the board not adhere to this request if this
>motion passes – they will lose all credibility and the ability to claim
>legitimacy as representatives of the member base of AfriNIC –
>irrespective of their legal standing.
>
>As a former Board member and the proposer of this resolution, I wish to
>state that if this motion be passed and the request granted, I will not
>be standing for any seat myself.
>With this in mind:
>
>The members of AfriNIC here by RESOLVE:
>
>To state that the members of AfriNIC have lost all confidence in the
>current board of directors to act in the best interests of the company
>or its registered, resource and associate members.
>To request the resignations of every member of the board of directors
>with immediate effect
>To request that Viv Padayachee act as caretaker director with the sole
>purpose of appointing a NomCOM and convening an SGMM at which a full
>election will be held to appoint a new board of directors
>To elect a new board of directors by ballot at an SGMM within 90 days
>of these proceedings – at which point directors elected will hold their
>positions for the remainder of the specific term of the seat to which
>they are appointed.
>
>
> End of Mark’s email 
>
>On 11/04/2018, 16:00, "Sander Steffann"  wrote:
>
>Hi,
>
>> Considering that the board is facing a tabled and accepted motion of
>no confidence in Dakar – which has been accepted to the Agenda
>
>Wait, what motion? I have seen the message from Sunday that he is
>stepping down as chair, and I of course have seen the allegations. I
>haven't seen a motion on this list though...
>
>Cheers,
>Sander
>
>
>
>___
>Community-Discuss mailing list
>Community-Discuss@afrinic.net
>https://lists.afrinic.net/mailman/listinfo/community-discuss
___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Andrew Alston
Hi Abibu,

Considering that the board is facing a tabled and accepted motion of no 
confidence in Dakar – which has been accepted to the Agenda – and considering 
the GDPR comes into force on the 25th of May – is it not prudent of the board 
to do investigations and conclude them before the Dakar meeting – coming with 
fixed and concrete and agreed actions to the meeting - so that in the event 
that the motion does indeed pass – the outgoing board would have at the very 
least left AfriNIC in a strong position to deal with the potential issues 
created by the GDPR.

I can also say – I really hope that in sending this – the board will not come 
with an argument that the vote places AfriNIC in a precarious position because 
of the GDPR situation and the fact that meetings with RIPE were only happening 
at the meeting – since such an argument would be predicated on the board 
creating a negative situation for the company in order to potentially save 
themselves.

Andrew


From: "Abibu R. Ntahigiye" <ab...@tznic.or.tz>
Date: Wednesday, 11 April 2018 at 14:36
To: Andrew Alston <andrew.als...@liquidtelecom.com>
Cc: "members-disc...@afrinic.net" <members-disc...@afrinic.net>, 
"community-discuss@afrinic.net" <community-discuss@afrinic.net>, AFRINIC Board 
of Directors' List <bo...@afrinic.net>
Subject: Re: [Community-Discuss] AFRINIC and the GDPR


Dear Andrew, Members and the whole Afrinic community,

Andrew has raised a very important issue for Afrinic operations - Thanks so 
much Andrew.

The Board would like to inform you that the issue was discussed within the 
Board at the Afrinic 27 meeting in Lagos and the Management was tasked to work 
on the issue.

The Board has also been made aware that the Mauritius Data Protection Act 2017 
is already in effect and is aligned with the EU GDPR regulations.  The Board 
believes that these regulations are not a barrier to publication of the WHOIS 
data, and it has noted the RIPE NCC study that made such a finding.  The Board 
further believes that the biggest changes required by AFRINIC are in 
documenting how personal data is used, and in informing people at the time data 
is collected.

The AFRINIC management will provide further updates on the issues at AIS 2018 
in Senegal.
Further to the above, the Board expects to receive more insights on GDPR  
related issues at the joint Boards (AfriNIC and RIPE NCC) meeting planned in 
Senegal.

Kind regards

On 11/04/2018 08:42, Andrew Alston wrote:
Hi AfriNIC Board,

Can this board please *urgently* inform this community as to what preparations 
they have made as regards to compliance with the General Data Protection 
Regulations passed by the European Commision and the board will be in a 
position to give this community a full and complete report as to their GDPR 
compliance status and what will be changing before the 25th of May to ensure 
that when the GDPR comes into force AfriNIC is compliant.

Considering that the regulation comes into force on the 25th of May 2018 – and 
AfriNIC is 100% holding data of EU Citizens, which makes them subject to the 
regulations irrespective of the fact that they are domiciled in Mauritius – 
this is an urgent and critical issue.  It has direct impact on the whois 
database, abuse contact information, handling of data submitted during 
application process and potentially even the proposed review policy, just to 
name a few things that I can think of off the top of my head – and cannot be 
ignored.  I would in fact have liked to have seen discussions by the board in 
the minutes that have been published about the GDPR long before now – 
considering the impact – but failing that – the question is now being asked.

Andrew



___

Community-Discuss mailing list

Community-Discuss@afrinic.net<mailto:Community-Discuss@afrinic.net>

https://lists.afrinic.net/mailman/listinfo/community-discuss<https://lists.afrinic.net/mailman/listinfo/community-discuss>



--

Abibu R. Ntahigiye



CEO, tzNIC / Interim Chairman, Afrinic.
___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Abibu R. Ntahigiye

Dear Andrew, Members and the whole Afrinic community,

Andrew has raised a very important issue for Afrinic operations - Thanks 
so much Andrew.


The Board would like to inform you that the issue was discussed within 
the Board at the Afrinic 27 meeting in Lagos and the Management was 
tasked to work on the issue.


The Board has also been made aware that the Mauritius Data Protection 
Act 2017 is already in effect and is aligned with the EU GDPR 
regulations.  The Board believes that these regulations are not a 
barrier to publication of the WHOIS data, and it has noted the RIPE NCC 
study that made such a finding.  The Board further believes that the 
biggest changes required by AFRINIC are in documenting how personal data 
is used, and in informing people at the time data is collected.


The AFRINIC management will provide further updates on the issues at AIS 
2018 in Senegal.


Further to the above, the Board expects to receive more insights on 
GDPR  related issues at the joint Boards (AfriNIC and RIPE NCC) meeting 
planned in Senegal.


Kind regards


On 11/04/2018 08:42, Andrew Alston wrote:


Hi AfriNIC Board,

Can this board please **urgently** inform this community as to what 
preparations they have made as regards to compliance with the General 
Data Protection Regulations passed by the European Commision and the 
board will be in a position to give this community a full and complete 
report as to their GDPR compliance status and what will be changing 
before the 25^th of May to ensure that when the GDPR comes into force 
AfriNIC is compliant.


Considering that the regulation comes into force on the 25^th of May 
2018 – and AfriNIC is 100% holding data of EU Citizens, which makes 
them subject to the regulations irrespective of the fact that they are 
domiciled in Mauritius – this is an urgent and critical issue.  It has 
direct impact on the whois database, abuse contact information, 
handling of data submitted during application process and potentially 
even the proposed review policy, just to name a few things that I can 
think of off the top of my head – and cannot be ignored.  I would in 
fact have liked to have seen discussions by the board in the minutes 
that have been published about the GDPR long before now – considering 
the impact – but failing that – the question is now being asked.


Andrew

___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


--
Abibu R. Ntahigiye

CEO, tzNIC / Interim Chairman, Afrinic.

___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Andrew Alston
Btw Owen,

I might also point out – AfriNIC has EU territories that it services directly – 
which heightens this even further

Andrew


From: Andrew Alston [mailto:andrew.als...@liquidtelecom.com]
Sent: 11 April 2018 13:06
To: Owen DeLong <o...@delong.com>
Cc: General <community-discuss@afrinic.net>; AFRINIC Board of Directors' List 
<bo...@afrinic.net>
Subject: Re: [Community-Discuss] AFRINIC and the GDPR

Owen,

Firstly – AfriNIC does hold data on EU residents – that is without question – I 
know of a couple of cases of EU residents with their data held by AfriNIC 
without even thinking of it.
Secondly – irrespective of if they are signatories or not – if AfriNIC chooses 
to do any business with RIPE for example, they are doing business with an EU 
entity and can be prevented from doing so if they don’t comply is my 
understanding.

Irrespective of this – the AfriNIC board if they believe they do not need to 
comply in any way shape or form – needs to state that to this community and to 
its members and give reasons as to why not – at that point – the affected 
members can then make an informed decision as to their course of action should 
they choose one. But – AfriNIC still has an obligation to inform its community 
as to its standing in this regard and do so before the legislation becomes 
reality.

Please note clause 3.4.vii of the bylaws:

(vii) to disseminate among its members information on all matters affecting the 
Company and its members and to provide for and be a central channel of 
communication for the members of the Company and generally for the furtherance 
and promotion of their interests;

Andrew

From: Owen DeLong [mailto:o...@delong.com]
Sent: 11 April 2018 09:08
To: Andrew Alston 
<andrew.als...@liquidtelecom.com<mailto:andrew.als...@liquidtelecom.com>>
Cc: General 
<community-discuss@afrinic.net<mailto:community-discuss@afrinic.net>>; AFRINIC 
Board of Directors' List <bo...@afrinic.net<mailto:bo...@afrinic.net>>
Subject: Re: [Community-Discuss] AFRINIC and the GDPR
Importance: High



On Apr 10, 2018, at 22:42 , Andrew Alston 
<andrew.als...@liquidtelecom.com<mailto:andrew.als...@liquidtelecom.com>> wrote:

Hi AfriNIC Board,

Can this board please *urgently* inform this community as to what preparations 
they have made as regards to compliance with the General Data Protection 
Regulations passed by the European Commision and the board will be in a 
position to give this community a full and complete report as to their GDPR 
compliance status and what will be changing before the 25th of May to ensure 
that when the GDPR comes into force AfriNIC is compliant.

Is Mauritius signatory to some treaty making them subject to GDPR?

Considering that the regulation comes into force on the 25th of May 2018 – and 
AfriNIC is 100% holding data of EU Citizens, which makes them subject to the 
regulations irrespective of the fact that they are domiciled in Mauritius – 
this is an urgent and critical issue.  It has direct impact on the whois 
database, abuse contact information, handling of data submitted during 
application process and potentially even the proposed review policy, just to 
name a few things that I can think of off the top of my head – and cannot be 
ignored.  I would in fact have liked to have seen discussions by the board in 
the minutes that have been published about the GDPR long before now – 
considering the impact – but failing that – the question is now being asked.

It’s not about EU Citizens. It’s about EU Residents. (Common misconception 
about GDPR).

Further, unless your in a silly country that was dumb enough to sign a treaty 
extending EU’s legal reach into your sovereignty, such as the stupid congress 
of the united States, then you can offer the EU a nice big Italian sign 
language gesture regarding their GDPR and continue on with business as usual.

Owen

___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread JORDI PALET MARTINEZ via Community-Discuss
I think Andrew is right.

 

I just found a short article that explains it:

 

https://www.gdprandbeyond.com/blog-post/data-privacy/gdpr-affect-non-european-companies/

 

If you don’t want to read all the article, this is the key:

 

“The short answer is: the regulation will affect firms both inside and outside 
of the EU. In fact, any company dealing with EU businesses’, residents’, or 
citizens’ data will have to comply with the GDPR.”

 

Even more than that, it affects any company that may hold data from EU 
citizens, and that includes IP addresses.

 

For example, if EU citizens are using a DNS resolver sitting in any AfriNIC 
country, then the logs with the IP addresses of the queries are subjected to 
the GDPR, if you make business out of those logs, and don’t anonymize them, you 
are subjected to fines of up to 4% of your annual turnover, up to a maximum of 
20 million euros.

 

In chats with EU lawyers, they basically told that there is a long road with 
this regulation in the courts, and ISPs need to be aware that this means that 
if their customers do “bad” things with EU citizens personal data, and they 
don’t react on those “abuse” cases, you may be at the end of the history, 
liable for that.


Regards,

Jordi

 

De: Andrew Alston <andrew.als...@liquidtelecom.com>
Fecha: miércoles, 11 de abril de 2018, 12:15
Para: Owen DeLong <o...@delong.com>
CC: General <community-discuss@afrinic.net>, AFRINIC Board of Directors' List 
<bo...@afrinic.net>
Asunto: Re: [Community-Discuss] AFRINIC and the GDPR

 

Owen,

 

Firstly – AfriNIC does hold data on EU residents – that is without question – I 
know of a couple of cases of EU residents with their data held by AfriNIC 
without even thinking of it.

Secondly – irrespective of if they are signatories or not – if AfriNIC chooses 
to do any business with RIPE for example, they are doing business with an EU 
entity and can be prevented from doing so if they don’t comply is my 
understanding.

 

Irrespective of this – the AfriNIC board if they believe they do not need to 
comply in any way shape or form – needs to state that to this community and to 
its members and give reasons as to why not – at that point – the affected 
members can then make an informed decision as to their course of action should 
they choose one. But – AfriNIC still has an obligation to inform its community 
as to its standing in this regard and do so before the legislation becomes 
reality.

 

Please note clause 3.4.vii of the bylaws:

 

(vii) to disseminate among its members information on all matters affecting the 
Company and its members and to provide for and be a central channel of 
communication for the members of the Company and generally for the furtherance 
and promotion of their interests;

 

Andrew

 

From: Owen DeLong [mailto:o...@delong.com] 
Sent: 11 April 2018 09:08
To: Andrew Alston <andrew.als...@liquidtelecom.com>
Cc: General <community-discuss@afrinic.net>; AFRINIC Board of Directors' List 
<bo...@afrinic.net>
Subject: Re: [Community-Discuss] AFRINIC and the GDPR
Importance: High

 

 




On Apr 10, 2018, at 22:42 , Andrew Alston <andrew.als...@liquidtelecom.com> 
wrote:

 

Hi AfriNIC Board,

 

Can this board please *urgently* inform this community as to what preparations 
they have made as regards to compliance with the General Data Protection 
Regulations passed by the European Commision and the board will be in a 
position to give this community a full and complete report as to their GDPR 
compliance status and what will be changing before the 25th of May to ensure 
that when the GDPR comes into force AfriNIC is compliant.

 

Is Mauritius signatory to some treaty making them subject to GDPR?

 


Considering that the regulation comes into force on the 25th of May 2018 – and 
AfriNIC is 100% holding data of EU Citizens, which makes them subject to the 
regulations irrespective of the fact that they are domiciled in Mauritius – 
this is an urgent and critical issue.  It has direct impact on the whois 
database, abuse contact information, handling of data submitted during 
application process and potentially even the proposed review policy, just to 
name a few things that I can think of off the top of my head – and cannot be 
ignored.  I would in fact have liked to have seen discussions by the board in 
the minutes that have been published about the GDPR long before now – 
considering the impact – but failing that – the question is now being asked.

 

It’s not about EU Citizens. It’s about EU Residents. (Common misconception 
about GDPR).

 

Further, unless your in a silly country that was dumb enough to sign a treaty 
extending EU’s legal reach into your sovereignty, such as the stupid congress 
of the united States, then you can offer the EU a nice big Italian sign 
language gesture regarding their GDPR and continue on with business as usual.

 

Owen

 

_

Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Andrew Alston
Owen,

Firstly – AfriNIC does hold data on EU residents – that is without question – I 
know of a couple of cases of EU residents with their data held by AfriNIC 
without even thinking of it.
Secondly – irrespective of if they are signatories or not – if AfriNIC chooses 
to do any business with RIPE for example, they are doing business with an EU 
entity and can be prevented from doing so if they don’t comply is my 
understanding.

Irrespective of this – the AfriNIC board if they believe they do not need to 
comply in any way shape or form – needs to state that to this community and to 
its members and give reasons as to why not – at that point – the affected 
members can then make an informed decision as to their course of action should 
they choose one. But – AfriNIC still has an obligation to inform its community 
as to its standing in this regard and do so before the legislation becomes 
reality.

Please note clause 3.4.vii of the bylaws:

(vii) to disseminate among its members information on all matters affecting the 
Company and its members and to provide for and be a central channel of 
communication for the members of the Company and generally for the furtherance 
and promotion of their interests;

Andrew

From: Owen DeLong [mailto:o...@delong.com]
Sent: 11 April 2018 09:08
To: Andrew Alston <andrew.als...@liquidtelecom.com>
Cc: General <community-discuss@afrinic.net>; AFRINIC Board of Directors' List 
<bo...@afrinic.net>
Subject: Re: [Community-Discuss] AFRINIC and the GDPR
Importance: High




On Apr 10, 2018, at 22:42 , Andrew Alston 
<andrew.als...@liquidtelecom.com<mailto:andrew.als...@liquidtelecom.com>> wrote:

Hi AfriNIC Board,

Can this board please *urgently* inform this community as to what preparations 
they have made as regards to compliance with the General Data Protection 
Regulations passed by the European Commision and the board will be in a 
position to give this community a full and complete report as to their GDPR 
compliance status and what will be changing before the 25th of May to ensure 
that when the GDPR comes into force AfriNIC is compliant.

Is Mauritius signatory to some treaty making them subject to GDPR?


Considering that the regulation comes into force on the 25th of May 2018 – and 
AfriNIC is 100% holding data of EU Citizens, which makes them subject to the 
regulations irrespective of the fact that they are domiciled in Mauritius – 
this is an urgent and critical issue.  It has direct impact on the whois 
database, abuse contact information, handling of data submitted during 
application process and potentially even the proposed review policy, just to 
name a few things that I can think of off the top of my head – and cannot be 
ignored.  I would in fact have liked to have seen discussions by the board in 
the minutes that have been published about the GDPR long before now – 
considering the impact – but failing that – the question is now being asked.

It’s not about EU Citizens. It’s about EU Residents. (Common misconception 
about GDPR).

Further, unless your in a silly country that was dumb enough to sign a treaty 
extending EU’s legal reach into your sovereignty, such as the stupid congress 
of the united States, then you can offer the EU a nice big Italian sign 
language gesture regarding their GDPR and continue on with business as usual.

Owen

___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Kris Seeburn
Mauritius is signatory that’s where the safe harbour was put In place years 
back. All BPOs in mauritius are holding EU citizen / resident data. the Data 
Protection office will be fast tracking to look like ICO which is renamed GDPR 
anyways.

Kris

> On 11 Apr 2018, at 10:08, Owen DeLong  wrote:
> 
> 
> 
>> On Apr 10, 2018, at 22:42 , Andrew Alston  
>> wrote:
>> 
>> Hi AfriNIC Board,
>>  
>> Can this board please *urgently* inform this community as to what 
>> preparations they have made as regards to compliance with the General Data 
>> Protection Regulations passed by the European Commision and the board will 
>> be in a position to give this community a full and complete report as to 
>> their GDPR compliance status and what will be changing before the 25th of 
>> May to ensure that when the GDPR comes into force AfriNIC is compliant.
> 
> Is Mauritius signatory to some treaty making them subject to GDPR?
>  
>> Considering that the regulation comes into force on the 25th of May 2018 – 
>> and AfriNIC is 100% holding data of EU Citizens, which makes them subject to 
>> the regulations irrespective of the fact that they are domiciled in 
>> Mauritius – this is an urgent and critical issue.  It has direct impact on 
>> the whois database, abuse contact information, handling of data submitted 
>> during application process and potentially even the proposed review policy, 
>> just to name a few things that I can think of off the top of my head – and 
>> cannot be ignored.  I would in fact have liked to have seen discussions by 
>> the board in the minutes that have been published about the GDPR long before 
>> now – considering the impact – but failing that – the question is now being 
>> asked.
> 
> It’s not about EU Citizens. It’s about EU Residents. (Common misconception 
> about GDPR).
> 
> Further, unless your in a silly country that was dumb enough to sign a treaty 
> extending EU’s legal reach into your sovereignty, such as the stupid congress 
> of the united States, then you can offer the EU a nice big Italian sign 
> language gesture regarding their GDPR and continue on with business as usual.
> 
> Owen
> 
> ___
> Community-Discuss mailing list
> Community-Discuss@afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss
___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Owen DeLong


> On Apr 10, 2018, at 22:42 , Andrew Alston  
> wrote:
> 
> Hi AfriNIC Board,
>  
> Can this board please *urgently* inform this community as to what 
> preparations they have made as regards to compliance with the General Data 
> Protection Regulations passed by the European Commision and the board will be 
> in a position to give this community a full and complete report as to their 
> GDPR compliance status and what will be changing before the 25th of May to 
> ensure that when the GDPR comes into force AfriNIC is compliant.

Is Mauritius signatory to some treaty making them subject to GDPR?
 
> Considering that the regulation comes into force on the 25th of May 2018 – 
> and AfriNIC is 100% holding data of EU Citizens, which makes them subject to 
> the regulations irrespective of the fact that they are domiciled in Mauritius 
> – this is an urgent and critical issue.  It has direct impact on the whois 
> database, abuse contact information, handling of data submitted during 
> application process and potentially even the proposed review policy, just to 
> name a few things that I can think of off the top of my head – and cannot be 
> ignored.  I would in fact have liked to have seen discussions by the board in 
> the minutes that have been published about the GDPR long before now – 
> considering the impact – but failing that – the question is now being asked.

It’s not about EU Citizens. It’s about EU Residents. (Common misconception 
about GDPR).

Further, unless your in a silly country that was dumb enough to sign a treaty 
extending EU’s legal reach into your sovereignty, such as the stupid congress 
of the united States, then you can offer the EU a nice big Italian sign 
language gesture regarding their GDPR and continue on with business as usual.

Owen

___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss


Re: [Community-Discuss] AFRINIC and the GDPR

2018-04-11 Thread Kris Seeburn
That is a good question and hope EU and a repealed safe harbour to an ICO 
equivalent will be going thru parliament approval soonest. 

Not only Whois but more is implied. Unless afrinic is waiting to see whether Eu 
and local govt will bite

Kris

> On 11 Apr 2018, at 09:42, Andrew Alston  
> wrote:
> 
> Hi AfriNIC Board,
>  
> Can this board please *urgently* inform this community as to what 
> preparations they have made as regards to compliance with the General Data 
> Protection Regulations passed by the European Commision and the board will be 
> in a position to give this community a full and complete report as to their 
> GDPR compliance status and what will be changing before the 25th of May to 
> ensure that when the GDPR comes into force AfriNIC is compliant.
>  
> Considering that the regulation comes into force on the 25th of May 2018 – 
> and AfriNIC is 100% holding data of EU Citizens, which makes them subject to 
> the regulations irrespective of the fact that they are domiciled in Mauritius 
> – this is an urgent and critical issue.  It has direct impact on the whois 
> database, abuse contact information, handling of data submitted during 
> application process and potentially even the proposed review policy, just to 
> name a few things that I can think of off the top of my head – and cannot be 
> ignored.  I would in fact have liked to have seen discussions by the board in 
> the minutes that have been published about the GDPR long before now – 
> considering the impact – but failing that – the question is now being asked.
>  
> Andrew
>  
>  
> ___
> Community-Discuss mailing list
> Community-Discuss@afrinic.net
> https://lists.afrinic.net/mailman/listinfo/community-discuss
___
Community-Discuss mailing list
Community-Discuss@afrinic.net
https://lists.afrinic.net/mailman/listinfo/community-discuss