We’ve heard feedback that there’s a lot of interest in the way personal data is processed in the RIPE Database and how it will be affected by the GDPR implementation. Spoiler alert: our assessment indicates that current operations are in line with the legislation.
This is our second in a series of articles discussing the General Data Protection Regulation (GDPR) implementation. In our earlier article, How We're Implementing the GDPR, we provided some background information. Here we are looking at the purpose for which personal data is collected and publicly accessed through the RIPE Database, as well as other aspects of the data protection legislation, such as the legal basis for this processing, data removal procedures, and so on.
The RIPE NCC is a not-for-profit, membership-based organisation. We have a mandate from the RIPE community to act as the registration authority for Internet number resources in our service region and, in particular, to manage the operation of the RIPE Database.
This function is crucial for the operations of the Internet globally. It ensures the uniqueness of Internet number resources used in the public network, which is essential for the Internet to function properly. Publishing registration information in the RIPE Database also ensures transparency around the proper distribution of Internet number resources. Moreover, having contact details of individuals responsible for specific Internet number resources, or that provide technical support to the corresponding networks, facilitates Internet coordination and is crucial when something goes wrong.
The RIPE NCC and the RIPE community understand the responsibility that comes with this role. Both strive to make sure that the registry is accountable and complies with the relevant legal frameworks. When the fulfilment of this role requires the processing of personal data, this process must be in accordance with current legislation. Here, the upcoming application of the GDPR comes into play. This is both because the RIPE NCC is established in the Netherlands, and therefore must comply with Dutch law (which includes the GDPR), and because the RIPE NCC is processing the personal data of members that are located in the EU.
Example of personal information stored in the RIPE Database
Personal Data in the RIPE Database
The publicly-available RIPE Database contains registration details of Internet number resources (IP addresses and AS Numbers) and, in particular, information about the organisations or persons (e.g. sole traders) that hold Internet number resources, including their contact details.
Also contained are the contact details of people responsible for the networks the Internet number resources correspond to and/or those responsible for maintaining the information in the RIPE Database. These are usually the technical and administrative employees of the natural or legal persons that hold the resources.
The contact details of a resource holder and their appointed contact persons consist of names, (business) email addresses, (business) phone and fax numbers, and (business) postal addresses.
So long as this information relates to identified or identifiable natural persons, it is considered to be personal data under both the current data protection regime and the GDPR.
The Purpose of the RIPE Database
An essential first step when applying data protection legislation is the specification of the purpose for which personal data is processed.
The purpose must be specified, explicit, and legitimate. Personal data may only be collected and processed to fulfil this purpose and must not be further processed in a way that is incompatible with this purpose.
Back in 2009, the Data Protection Task Force – a Task Force formed by the RIPE community to investigate the implementation of data protection legislation by the RIPE NCC – identified the purpose of the RIPE Database, which is explicitly described in Article 3 of the RIPE Database Terms and Conditions:
Article 3 - Purpose of the RIPE Database
The RIPE Database contains information for the following purposes:
- Ensuring the uniqueness of Internet number resource usage through registration of information related to the resources and Registrants
- Publishing routing policies by network operators (IRR)
- Facilitating coordination between network operators (network problem resolution, outage notification etc.)
- Provisioning of Reverse Domain Name System (DNS) and ENUM delegations
- Providing information about the Registrant and Maintainer of Internet number resources when the resources are suspected of being used for unlawful activities, to parties who are authorised under the law to receive such information.
- Scientific research into network operations and topology
- Providing information to parties involved in disputes over Internet number resource registrations to parties who are authorised under the law to receive such information.
The purpose described in the third bullet point of Article 3 (Facilitating coordination between network operators (network problem resolution, outage notification etc.)) is the one that justifies the publication of personal data in the RIPE Database.
The Internet relies on cooperation between network operators that do not have direct business or contractual relationships. This is especially vital in dealing with operational problems (troubleshooting, abuse, cyberattacks, etc.). In such cases, network operators must be able to quickly establish contacts among themselves.
For this reason, the RIPE Database includes the contact details of resource holders and persons that are responsible for the administration and the technical maintenance of a particular network. This personal data may be used to contact these people in the event of a problem in the network.
Legal Basis for the Processing
In order for the personal data of individuals to be lawfully processed for the purposes of the RIPE Database, a proper legal basis must be in place. Accordingly, individuals whose personal data is made publicly available in the RIPE Database must be informed about this use as specified in the RIPE Database Terms and Conditions.
As mentioned above, the purpose and means of processing personal data registered in the RIPE Database are not determined by the RIPE NCC but by the RIPE community, which includes the resource holders and network operators themselves. The RIPE NCC is the organisation that implements or oversees the implementation of instructions given by the RIPE community.
However, the RIPE NCC has only limited control over the personal data stored in the RIPE Database. Most personal data is not registered in the RIPE Database by the RIPE NCC but by others (generally those responsible for the specific Internet number resources or the data subjects themselves).
In the RIPE Database, these responsible parties are identified by the maintainer object (referenced by the “mnt-by:” attribute in any data object), which is mandatory for all objects and indicates who is really responsible for specific personal data in the RIPE Database. Accordingly, this responsible party must inform the relevant individuals of the purpose of the RIPE Database, the legal basis for the processing of their personal data, how their personal data may be used, and their relevant rights before they enter their personal data.
In our next RIPE Labs article, we will analyse in more detail the legal basis for the processing of the personal data of resource holders that are natural persons (individuals), for the processing of the personal data of contact persons, and the relevant obligations of the responsible parties.
Removal of Personal Data
An individual whose personal data has been inserted into the RIPE Database has the right to ask for their personal data to be corrected or removed. As most of the personal data contained in the RIPE Database is not managed by the RIPE NCC but by the persons indicated in the maintainer object referenced in the "mnt-by:" attribute (mainly the resource holders), it is the responsibility of the maintainer to remove this personal data and replace it with the personal data of another individual.
If a maintainer fails to fulfil these responsibilities, the RIPE NCC will intervene and modify or delete personal data in the RIPE Database. However, the resource holder must find another individual who is willing to share their personal data in the RIPE Database.
The RIPE community, through the Data Protection Task Force, considered situations where a resource holder refuses to make the contact details of individuals publicly available, or cases where the resource holder wishes their personal data to be removed. As one of the purposes of the RIPE Database is to provide information related to the resource holder (see above), the RIPE community concluded that an individual maintaining an Internet number resource cannot be anonymous. Where accountability for registrations of global resources conflicts with an individual's right to privacy, drastic action may be required. Accordingly, an individual can be offered the option of having their personal data replaced with another person's data (provided this other person agrees). If this option is not acceptable for a resource holder, then the resources should be deregistered from them.
It must be highlighted that this procedure was established by the RIPE community through the Data Protection Task Force as the right balance between maintaining the accountability of resource holders and safeguarding the data protection rights of individuals.
The Data Protection Task Force considered that unlimited access to the personal data contained in the RIPE Database could lead to abuse and that such access would not be justified by the purpose for which the personal data is provided.
The Data Protection Task Force estimated the maximum number of possible times somebody would need to access personal data in the RIPE Database and, based on this evaluation, proposed the Acceptable Use Policy (AUP). This document clearly defines access limits to the personal data contained in the RIPE Database. Users exceeding these limits have their access to further personal data blocked for a period of time.
The RIPE NCC is confident that the current RIPE Database operations are in line with the requirements of the GDPR. Having said that, we do see some room for improvement in the relevant documentation and we are currently reviewing our procedures accordingly.