How We're Implementing the GDPR
• 5 min read
This is the first in a series of articles we plan to publish on RIPE Labs over the coming weeks and months, each of which will provide details of any legal analysis we perform in the implementation of the GDPR in the RIPE Database, and any other RIPE NCC services.
“I'm not sure about the consequences. Does it mean that Afrinic could lose its accreditation?”
The goal of this work is to fortify the accountability of the RIR system and the stability of the Joint Internet Registry. To have RIRs that are able to conduct their function in a reliable manner.
“Exactly what the BETTER position is. When my honest organization had money/payment problems, the RIPE NCC threatened us to take away all resources. But an organization tainted by its involvement in international crimes can pay whenever it wants. Moreover, I repeat: RIPE NCC distributes to sanctioning organizations SURPLUS what the sanctions explicitly forbid. This is a very strange "neutrality."”
Please note that the RIPE NCC surplus is not redistributed to sanctioned members. From a practical perspective, the redistribution of the surplus is done in the form of a discount on members' yearly invoices. As mentioned in the article, although the payment obligation remains, we do not invoice sanctioned members and so we do not risk violating sanctions in this way.
“Thank you guys for the explanation, but I have a question: why OFAC restrictions matter regards to EU operation activity? I supposed ARIN is under their control, am I wrong?”
We can appreciate that this point is a little confusing. OFAC sanctions indeed are not applicable to us and do not affect our ability to provide services or resources to our members. However, they are important to our banks, as they also operate in the US. This has impacted our ability to receive payment from 68 members in Iran/Syria. We are looking for a long-term solution that will allow us to continue receiving membership fees in these cases.
“Given that section 32 adds to Article 19 to the UHDR: “The promotion, protection and enjoyment of human rights on the Internet”, can't it be argued it be under the humanitarian exemptions that exist in the law on sanctions ?”
In our request to the Dutch authorities, we did call upon humanitarian exemptions in the EU regulation. Their assessment was that the regulations did not provide legal grounds for an exemption that would be applicable in our case. Note that the UHDR is not directly enforceable to national legislation. It can only be enforceable if it is incorporated in the national (or EU) law.
“For people interested in these things, have a look at the following survey: https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13017-Declaration-of-Digital-Principles-the-‘European-way’-for-the-digital-society_en”
Thank you for sharing this, Jaap.
“Hello, I would like to ask what is a good practice for collecting consents from customers. I mean from network operator's position - we must collect consents from customers in order to provide them IP addresses together with our telco services. Should we sign dedicated agreement on processing personal data? Or a simple form enclosed to telco agreement is sufficient. Regards, Michal Halbsguth”
This is a very good question. It's important that network operators are clear about what obtaining the consent of their customers means in very practical terms. However, as I'm sure you'll understand, we're not able to give legal advice to third parties. My only recommendation is to seek this guidance from a lawyer that is able to speak to your particular situation. Athina Fragkouli Head of Legal RIPE NCC
Showing 6 comment(s)