[address-policy-wg] Personal Data and 2012-05
Jim Reid jim at rfc1035.com
Wed Sep 5 11:00:39 CEST 2012
On 5 Sep 2012, at 07:16, Turchanyi Geza wrote: > I share Milton's view that a name (etc) of a person acting in > business is > not personal only, however, a business ID, what is public > information. > This is the rule in my country which is not in the US and won't be. There are many views on what is and isn't Personal Data, even amongst European Data Protection Authorities who are working off the same EU Directives. Don't make the mistake of assuming everyone shares your view or that of your local DPA. Or that those views might or might not change tomorrow. Strictly speaking any data which identifies a living person constitutes Personal Data. Therefore that data falls within scope of the EU Directives and the prevailing national laws which enacted them. However some, but by no means all, European DPAs take a pragmatic view and consider end user expectations and/or the intent behind publishing Personal Data when deciding what is and isn't acceptable. Other DPAs may take a much more literal approach to what's in the Directive and local law. So what's "legal" in one jurisdiction may well be "illegal" in another even though both positions are based on the same EU Directives. This situation might well apply in non-EU countries which have Data Protection legislation too. Things can get even murkier if you go into greater detail. For instance my former ISP added contact details for me to the RIPE database when they gave me a /29. This was OK from the DPA's perspective since the intent was reasonable: maintaining an accurate, public database of who was using address space. However it was also not OK because the entries were added without my consent and I had no clear way to update them. Those entries were still in the database several months after the space had been handed back. That wasn't OK either. Schrodinger's cat has/had a very happy home in Data Protection. :-) Anyway, this latest rat-holing is somewhat irrelevant. If contact information for IP address resources need to be obscured for whatever reason -- commercial confidentiality, data protection/privacy, preventing spam, etc -- methods for that already exist and could be applied. In some cases, they already are in use. Others may well be invented. Just look at the "imaginitive" solutions found in the domain name world for obfuscating whois data. If we look in the real world, the public registers of physical assets such as shares and property regularly contain entries for things like lawyers's offices, nominee accounts, offshore companies/trusts and so on so that the details of the real owner remain hidden.