The RIPE NCC aims to protect personal data in the public sources it administers and controls, adhering to data protection legislation in the Netherlands. The RIPE NCC has a legal obligation to comply with Dutch data protection legislation with regard to the personal data it processes.
In order to comply, the RIPE NCC has developed a legal framework that guarantees the proper and lawful use of personal data. This legal framework has been established in coordination with the RIPE community through a task force created for this purpose, the RIPE Data Protection Task Force, which put forward proposals that were considered in the RIPE Database Working Group.
This paper outlines:
The RIPE NCC is an association under Dutch law. Therefore, the applicable data protection legislation is the Dutch Personal Data Protection Act (“Wet bescherming persoonsgegevens”). The Dutch Personal Data Protection Act (hereafter “the Act”) outlines the conditions according to which processing personal data is lawful.
The Act[1] defines some basic concepts. Accordingly:
According to the Act[3], personal data may be collected for specific, explicitly defined and legitimate purposes. Once collected, this data must:
The data subject has the right to be informed by the responsible party of the collection and processing of their personal data before their data is collected or processed in any way[4]. Additionally, the data subject has the right to request that the responsible party correct or delete their personal data[5].
In 2005, the RIPE Database Working Group identified a need to comply with data protection legislation by updating the processes and services relating to the RIPE Database. At RIPE 52 in April 2006, the community established the RIPE Data Protection Task Force (DPTF)[6]. The DPTF was mandated by the RIPE Database Working Group to recommend steps that the RIPE NCC should take to comply with the legislation.
The DPTF, working together with the RIPE NCC and with input from the RIPE community, developed a revised set of procedures for the RIPE NCC to control personal data exposure and set up a legal framework for the use of personal data in accordance with the Act. Specifically, the DPTF proposed that the RIPE NCC:
The DPTF proposed the changes to the RIPE community and to the RIPE NCC Executive Board. There was extensive communication between the DPTF and the RIPE community (via RIPE Meetings, the DPTF mailing list and the RIPE Database Working Group mailing list). The changes in procedures and documents were finalised by the RIPE NCC and communicated to the RIPE community.
The task force was disbanded at RIPE 59 in October 2009 when the mandated deliverables were completed. The following sections outline the changes made in order for the RIPE NCC to comply with the Act, as proposed by the DPTF and agreed on by the RIPE community and the RIPE NCC Executive Board.
The RIPE NCC operates the publicly available RIPE Database. The RIPE Database contains registration details of Internet number resources (IP addresses and AS Numbers) and, in particular, information about the natural or legal persons that hold the Internet number resources. This information includes contact details of those responsible for the networks the Internet number resources correspond to and/or for maintaining the information in the RIPE Database (usually technical and administrative employees of the natural or legal persons that hold the resource). The contact details consist of names, (business) email addresses, (business) phone and fax numbers and (business) postal addresses. Since these contact details are information relating to an identified or identifiable natural person, they are considered to be personal data according to the Act (see above section 2.1).
The purpose and means of processing personal data registered in the RIPE Database are not determined by the RIPE NCC but by the RIPE community. However, the RIPE NCC is the organisation that implements or oversees the implementation of the instructions given by the RIPE community. In that sense, the RIPE NCC could be seen as the responsible party for processing personal data in the RIPE Database in accordance with the Act (see above section 2.1).
Although the RIPE NCC can be seen as the responsible party, the RIPE NCC has no, or only limited, control over the personal data stored in the RIPE Database. Most personal data is not registered in the RIPE Database by the RIPE NCC but by others (generally those responsible for the specific Internet number resources or by the data subjects themselves).
The DPTF considered that certain obligations coming from this “by default” responsibility must be shifted to those who are actually responsible for the personal data they collect and process (see section 2.3). Accordingly, it was proposed to contractually impose (via the RIPE Database Terms and Conditions) certain obligations on the persons who insert and maintain specific personal data in the RIPE Database.
In the RIPE Database, these persons are identified by the maintainer object (referenced by the “mnt-by:” attribute in any data object). The DPTF proposed that this attribute should be made mandatory for all objects. This attribute would be used to indicate who is really responsible for specific personal data in the RIPE Database. The maintainer would be responsible for:
These obligations are outlined in the RIPE Database Terms and Conditions and the maintainers are contractually bound to these obligations by agreeing to the RIPE Database Terms and Conditions.
As mentioned above, according to the Act personal data may be collected for specific, explicitly defined and legitimate purposes (see above section 2.2). Accordingly, the DPTF needed to clearly identify the reason why personal data should be inserted into, and made publicly available through, the RIPE Database.
The reason the Internet community initially requested that this data be made publicly available was for Internet operation purposes. Internet network operators should have each other's contact details in order to facilitate communication among the individuals responsible for networks in case of operational problems.
The DPTF concluded that the personal data in the RIPE Database should be contact details of persons that, because of their profession, are responsible for the administration and the technical maintenance of each network. This personal data may be used to contact that person in the case of a problem in the network (troubleshooting, abuse, etc.).
This purpose had to be explicitly stated in order for data subjects to give their consent on the use of their personal data. Therefore, the DPTF decided to document the purpose this personal data should be used for in the RIPE Database Terms and Conditions[7].
It was also necessary to ensure that RIPE Database users only use this personal data for the stated purpose. The DPTF considered how the RIPE Database Terms and Conditions could properly be made enforceable. Accordingly, in order for somebody to use the RIPE Database, they must agree to these Terms and Conditions, which include the condition that the personal data contained in the RIPE Database will only be used for the purposes specified in the Terms and Conditions. Use of this data for any other purpose, and in particular for advertising purposes, is strictly forbidden[8]. In this way, users are contractually bound to use the data only for the purpose mentioned in the RIPE Database Terms and Conditions, to which the data subjects have given their consent.
According to the Act, the data subject has the right to ask for their personal data to be corrected or removed from any database in which it is stored. Accordingly, the DPTF created a procedure whereby anyone whose personal data is contained in the RIPE Database may request that their data be removed[9].
As noted above (section 3.2.2.), much of the personal data contained in the RIPE Database is not managed by the RIPE NCC but by the maintainer (persons indicated in the maintainer object referenced in the "mnt-by:" attribute). Therefore, the DPTF considered that if an individual wishes their data to be deleted from the RIPE Database, it is the responsibility of the maintainer to remove this personal data and replace it with the personal data of another individual.
The DPTF also considered that, since the RIPE NCC is the responsible party under the Act, if the maintainer fails to fulfill their responsibilities, the RIPE NCC has a legal obligation to intervene and to modify or delete personal data in the RIPE Database. The DPTF concluded that such a procedure would balance maintaining accountability with the privacy rights of individuals.
The DPTF also examined the case where the holder of Internet number resources is an individual and wishes their personal data to be removed. The DPTF considered that one of the purposes of the RIPE Database is to provide information related to the resource holder. Therefore, a data subject cannot maintain an Internet number resource and be anonymous. Where accountability for registrations of global resources conflicts with an individual's right to privacy, drastic action may be required. The data subject could be offered the option of having their personal data replaced with another person's data (provided this other person agrees)[10]. If this option is not acceptable for a resource holder, then the resources should be deregistered from them.
The RIPE Database contained personal data that was not referenced by any other object (record) in the database. No one appeared to be responsible for this data and its existence in the RIPE Database could not be justified.
The DPTF proposed routine, automated removal of this unreferenced personal data from the RIPE Database[11]. The DPTF also recommended creating a “white pages” mechanism for individuals wishing to have their personal contact data publicly available in the RIPE Database without being referenced by any other objects in the database. Database objects listed in the white pages would not be subject to the automated removal process[12].
The RIPE Database has historically been a publicly-available service to which anyone might have unlimited access. The DPTF considered that this unlimited access could lead to abuse of the personal data in the RIPE Database. Moreover, unlimited access to the personal data contained in the RIPE Database cannot be justified by the purpose for which that personal data is provided. Mining personal data contained in the RIPE Database does not comply with the database's operational purpose and it would be an inappropriate use of the personal data.
The DPTF estimated the maximum number of possible times somebody would need to access personal data in the RIPE Database in order to report abuse or for troubleshooting purposes, etc. Based on this, the DPTF proposed the drafting of an Acceptable Use Policy (AUP)[13], which clearly defines access limits to the personal data in the RIPE Database. Users exceeding these limits would have their access to further personal data blocked for a period of time.
The AUP also took into account queries made to the RIPE Database through web interfaces hosted by third parties (proxies). In such cases, the access limits are higher because such interfaces are intended to be used by more than one user.
The DPTF reviewed the RIPE Database-related services offered by the RIPE NCC and determined whether those services complied with the Act.
The Near Real Time Mirroring (NRTM) and Bulk Access services offer the possibility for network operators to have access to all data contained in the RIPE Database in bulk. This would offer the recipients of the service all personal data in the database without the restrictions placed on users of the other interfaces.
The DPTF questioned the need for access to this amount of personal data through these services and specifically examined whether the purpose of this service would justify the bulk provision of personal data.
The DPTF gathered all existing and possible purposes for which bulk access services can be used. These purposes include:
While the first three purposes can justify bulk access to most of the data contained in the RIPE Database, bulk access to personal data cannot be justified because it is not in line with the purpose of processing personal data in the RIPE Database (see above section 3.2.3).
As far as the fourth purpose is concerned, the DPTF highlighted the following issue: If the personal data contained in the RIPE Database is made available through other RIR databases, there is no guarantee that users searching those databases have agreed to the RIPE Database Terms and Conditions. Agreeing to these terms and conditions would oblige users to adhere to lawful use of the personal data as required by the Act (see above section 3.2.3). While other RIR databases serve the same purposes as the RIPE Database, the jurisdictions in which other RIRs operate do not offer the same level of data protection as Dutch law.
Therefore, the DPTF proposed that NRTM and Bulk Access should only be offered without personal data.
In order to increase efficiency and accuracy with regard to reporting abusive behavior to the correct network operator, a new policy proposal[14] was introduced in November 2011. The Abuse Contact Management Task Force established by the RIPE community was tasked with examining the possibility of introducing a new contact attribute named “abuse-c:” as a standard way of documenting abuse contact details in the RIPE Database. In this way, the maintainers would be assisted in organising their provided information and every interested party would be helped to find the correct abuse contact information more easily.
Since the policy was accepted in September 2012 and the relevant policy[15] was implemented at the beginning of 2013, the maintainers have been responsible for indicating the contact details for the abusive behavior. The email contacts that the proposed attribute will document are available “with no restrictions on bulk access” in order to allow automated abuse reporting processes. This means that these email contacts will not be filtered when the RIPE Database information is made available in bulk (e.g., through NRTM, proxy services, etc.).
The new contact attribute “abuse-c:” should not reference personal data. However, if the maintainers do set up the “abuse-c:” attribute to reference email contacts which could be considered to be personal data, it is the maintainers' responsibility to inform the individuals whose contact details will be referenced and obtain their prior consent. Moreover, the maintainers need to inform the individuals that their email contacts will be processed in bulk and obtain their consent for this kind of use of their data.
Aside from the RIPE Database, the DPTF examined the use of personal data by the RIPE NCC in relation to other RIPE NCC services. The RIPE NCC provides other services and activities that may require the processing of members' personal information. In this case, the RIPE NCC is clearly the responsible party as defined by the Act (see above section 2.1) because it defines the purpose and means of processing personal data.
Under the Act, the purposes for the collection and processing of personal data must be clearly defined and made known to the data subject before the submission of their personal data. Therefore, the DPTF proposed the drafting of a privacy statement that outlines the purposes of processing personal data by the RIPE NCC and the details of such processing.
Personal data may be asked for and processed by the RIPE NCC for the following purposes:
The RIPE NCC may also on occasion forward public messages to a particular mailing list if it is relevant and appropriate for that list. If an individual does not wish to receive such messages, they can unsubscribe at any time. There is one mailing list ([email protected]) to which all RIPE NCC members must be subscribed so that they receive information relevant to the activities of the RIPE NCC (such as General Meeting (GM) convocations, GM resolutions, etc.). It is an obligation of the RIPE NCC to inform its members of these activities; therefore, subscription to this mailing list is mandatory.
Data collected for the above purposes may be transferred to third parties engaged by the RIPE NCC for the provision of the services requested by the data subject. The information shared in this case is limited to what is required for provision of the service. Personal data is transferred to third party service providers to ensure equivalent levels of security and protection to those provided by the RIPE NCC.
In addition to the above, the RIPE NCC may register, process or transfer personal data where such is required pursuant to a statutory duty.
As mentioned above (section 2.3), data subjects have the right to ask the responsible party to correct or delete their personal data. The privacy statement outlines the details for this process.
“Cookies” are small files that a web browser can record after visiting a website. These files are set on a person's computer (or any other device used to visit a website) through the web browser. The use of cookies is regulated by the Dutch Telecommunications Act (Telecommunicatiewet), hereafter “the DTA”[16].
According to the DTA, the installation of or access to cookies (or equivalent technology) on the terminal equipment of a user may take place only if the user:
The law does not apply to cookies that have as their sole purpose:
Additionally, the European Union Article 29 Working Party[17] has issued an opinion on Cookie Consent Exemption[18] which analyses whether various types of cookies fall under this exemption. Among others, the analysis examines the so-called “first party analytics” type of cookies:
“Analytics are statistical audience measuring tools for websites, which often rely on cookies. These tools are notably used by website owners to estimate the number of unique visitors, to detect the most preeminent search engine keywords that lead to a webpage or to track down website navigation issues […]
While they are often considered as a “strictly necessary” tool for website operators, they are not strictly necessary to provide a functionality explicitly requested by the user (or subscriber). […] As a consequence, these cookies do not fall under the exemption […].
However the Working Party considers that first party analytics cookies are not likely to create a privacy risk when they are strictly limited to first party aggregated statistical purposes and when they are used by websites that already provide clear information about these cookies in their privacy policy as well as adequate privacy safeguards. Such safeguards are expected to include a user friendly mechanism to opt-out from any data collection and comprehensive anonymization mechanisms that are applied to other collected identifiable information such as IP addresses.” [19]
Websites operated by the RIPE NCC use cookies that:
The last two types of cookies are considered "first party analytics", according to the opinion of the Article 29 Working Group. Based on this opinion, the RIPE NCC provides appropriate privacy safeguards[20].
The RIPE NCC does not use cookies for online behavioural advertising purposes, nor does it share information collected via cookies with any third parties.
version 20141218
[1] Article 1 of the Act
[2] In other European national laws, the “responsible party” is referred to as the “data controller”
[3] Articles 6-11 of the Act
[4] Articles 33-34 of the Act
[5] Article 36 of the Act
[6] https://www.ripe.net/participate/ripe/tf/dp
[7] Article 3 of the RIPE Database Terms and Conditions
[8] Article 4 of the RIPE Database Terms and Conditions
[9] https://apps.db.ripe.net/docs/removal-of-personal-data/
[10] More information in the procedural document (see footnote [9] )
[11] More information here: https://apps.db.ripe.net/docs/Database-Support/Clean-up-of-Unreferenced-Data/
[12] More information here: http://www.ripe.net/data-tools/support/documentation/white-pages
[13] The current AUP is available here.
[14] https://www.ripe.net/participate/policies/proposals/2011-06
[15] https://www.ripe.net/publications/docs/ripe-documents/ripe-705
[16] Art 11.7.a of the DTA
[17] The Article 29 Working Party is made up of a representative from the data protection authority of each EU Member State, the European Data Protection Supervisor and the European Commission. More information here: http://ec.europa.eu/justice/data-protection/article-29/index_en.htm
[18] Opinion 04/2012 on Cookie Consent Exemption adopted on 7 June 2012 available here: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/index_en.htm
[19] Section 4.3 – “First Party Analytics”, Opinion 04/2012 (see footnote [18])
[20] More information available in the RIPE NCC privacy statement