Some background
There has been a lot of discussion lately about the General Data Protection Regulation (GDPR). For those who don’t yet know, the GDPR aims to strengthen EU citizens' personal data protection rights and imposes heavy fines on businesses (both within and beyond the EU) that infringe these rights.
The GDPR is a Regulation that will replace the current EU Data Protection Directive. The replacement of a Directive by a Regulation by itself makes a big difference. A Directive is a set of rules presented to the entire EU that can then be interpreted and implemented differently by each of the 28 member-states. A Regulation creates a unified legal framework to be implemented identically by all countries within the European Union.
The GDPR was adopted in April 2016 by the EU and will come into effect on 25 May 2018.
Data Protection and the RIPE NCC - The Data Protection Task Force
Data protection legislation is not a new concept for the RIPE NCC and the RIPE community. As the RIPE NCC is located in the Netherlands – an EU country – we have been bound by the EU Data Protection Directive.
With regard to the RIPE Database, the RIPE NCC fills the role of “Data Controller” - that is, the entity legally responsible for all personal data stored in the RIPE Database. In 2005, the RIPE Database Working Group recognised the need for the RIPE NCC to update the RIPE Database processes and services in compliance with the EU’s data protection legislation and in recognition of the RIPE NCC’s responsibility under this legislation.
At RIPE 52, in April 2006, the community established the RIPE Data Protection Task Force (DPTF) with the mandate to recommend steps that the RIPE NCC should take to comply with the legislation. The DPTF, working together with the RIPE NCC and with input from the wider RIPE community, developed a revised set of procedures for the RIPE NCC to control personal data exposure and set up a legal framework for the use of personal data in accordance with the Data Protection Legislation. The DPTF concluded its work in 2010 and published a report on its findings and work.
Based on this input, the RIPE NCC published a very detailed report, the RIPE NCC Data Protection Report, explaining the legal framework and the related amendments and new procedures.
The Way to the GDPR
In 2009 the European Commission, in its efforts to review the current EU Data Protection Directive, launched a public consultation on the legal framework for the fundamental right to protection of personal data, the outcome of which led to the European Commission’s proposal for the GDPR.
The RIPE NCC, in consultation with the still active DPTF, contributed to this public consultation, with a focus on (among other things) the contact details of people responsible for maintaining Internet connectivity and communication:
“The RIPE NCC considers that personal data related to the operators of the Internet should be easily available to each other, both inside and outside the EU, in order for those individuals to be able to contact one another to coordinate the proper functioning of the Internet around the world.”
In the following European Commission proposal and the further EU legislative discussions that led to the GDPR, nothing arose that was controversial to any of the matters addressed by the RIPE NCC.
Today – Preparations for the GDPR and Informing the Community
As mentioned above, the GDPR will come into effect in May 2018 and the RIPE NCC must make sure it complies with this new legislation, not just in relation to the personal data held in the RIPE Database, but for all the personal data the RIPE NCC processes. For this purpose, in early 2017 the RIPE NCC set up an internal project to review all personal data processed by every department in the organisation. The project team consists of the Head of Legal, a Legal Counsel, the Information Security Officer and the Information Security Engineer, and is supported by representatives from each department. We are also engaging with external legal counsel, as well as industry partners and national authorities.
Working with the RIPE community and keeping them informed throughout this process is a priority for the RIPE NCC. We will also focus on engaging and collecting feedback over the coming months. As well as keeping the community informed as to how this may affect RIPE NCC services and the RIPE Database, we hope it can also provide some insight into the kinds of issues that have to be considered in relation to the GDPR. This may be helpful to other RIPE community organisations who may find their business affected by the GDPR.
This is the first in a series of articles we plan to publish on RIPE Labs over the coming weeks and months, each of which will provide details of any legal analysis we perform in the implementation of the GDPR in the RIPE Database and any other RIPE NCC services. In other words, watch this space!
Comments 2
Alex
Dear RIPE NCC, Why don't you hide personal data in the RIPE database's person objects, like domain registrars do in their whois, in regards to GDPR? What do RIPE members have to change in their work on registration process of IP ranges, which relate to their customers? e.g. inetnum, inet6num, person, organisation objects?
Maria Stafyla
Hi Alex,
Thank you for your question. Contact details of the parties responsible for specific Internet number resources are essential for the smooth and uninterrupted operation of Internet and connectivity. One of the purposes of the RIPE Database is to facilitate communication between the people responsible for networks to address technical issues, allowing for quick coordination between operators that do not have a direct relationship. For more information on the purpose that justifies this type of processing of personal data in the RIPE Database and the responsibilities of the responsible parties, please refer to our second and third article on How We're Implementing the GDPR, available here: https://www.ripe.net/about-us/legal/corporate-governance/gdpr-and-the-ripe-ncc
Kind regards,
Maria Stafyla
Legal Counsel
RIPE NCC