[address-policy-wg] Personal Data and 2012-05

On 5 Sep 2012, at 07:16, Turchanyi Geza wrote:

> I share Milton's view that a name (etc) of a person acting in  
> business is
> not personal  only, however, a business ID, what is public  
> information.
> This is the rule in my country which is not in the US and won't be.

There are many views on what is and isn't Personal Data, even amongst  
European Data Protection Authorities who are working off the same EU  
Directives. Don't make the mistake of assuming everyone shares your  
view or that of your local DPA. Or that those views might or might not  
change tomorrow.

Strictly speaking any data which identifies a living person  
constitutes Personal Data. Therefore that data falls within scope of  
the EU Directives and the prevailing national laws which enacted them.  
However some, but by no means all, European DPAs take a pragmatic view  
and consider end user expectations and/or the intent behind publishing  
Personal Data when deciding what is and isn't acceptable. Other DPAs  
may take a much more literal approach to what's in the Directive and  
local law. So what's "legal" in one jurisdiction may well be "illegal"  
in another even though both positions are based on the same EU  
Directives. This situation might well apply in non-EU countries which  
have Data Protection legislation too.

Things can get even murkier if you go into greater detail. For  
instance my former ISP added contact details for me to the RIPE  
database when they gave me a /29. This was OK from the DPA's  
perspective since the intent was reasonable: maintaining an accurate,  
public database of who was using address space. However it was also  
not OK because the entries were added without my consent and I had no  
clear way to update them. Those entries were still in the database  
several months after the space had been handed back. That wasn't OK  
either.

Schrodinger's cat has/had a very happy home in Data Protection. :-)

Anyway, this latest rat-holing is somewhat irrelevant. If contact  
information for IP address resources need to be obscured for whatever  
reason -- commercial confidentiality, data protection/privacy,  
preventing spam, etc -- methods for that already exist and could be  
applied. In some cases, they already are in use. Others may well be  
invented. Just look at the "imaginitive" solutions found in the domain  
name world for obfuscating whois data. If we look in the real world,  
the public registers of physical assets such as shares and property  
regularly contain entries for things like lawyers's offices, nominee  
accounts, offshore companies/trusts and so on so that the details of  
the real owner remain hidden.