nanog mailing list archives
Re: Whois vs GDPR, latest news
From: Michel 'ic' Luczak <lists () benappy com>
Date: Sat, 26 May 2018 10:31:29 +0200
On 23 May 2018, at 19:12, Anne P. Mitchell Esq. <amitchell () isipp com> wrote:

> On May 23, 2018, at 11:05 AM, K. Scott Helms <kscotthelms () gmail com> wrote:
>
>> Yep, if you're doing a decent job around securing data then you don't have much to be worried about on that side of things. The problem for most companies is that GDPR isn't really a security law, it's a privacy law (and set of regulations). That's where it's hard because there are a limited number of ways you can, from the EU's standpoint, lawfully process someone's PII. Things like opting out and blanket agreements to use all of someone's data for any reason a company may want are specifically prohibited. Even companies that don't intentionally sell into the EU (or the UK) can find themselves dealing with this if they have customers with employees in the EU.
>
> Or if someone who is a U.S. citizen and resident goes to the org's U.S.-based website and orders something (or even just provides their PII)... but happens to be in a plane flying over an EU country at the time. Because GDPR doesn't talk about residence or citizenship, it talks only about a vague and ambiguous "in the Union", and I can certainly envision an argument in which the person in the plane claims that they were, technically, "in the Union" at the time.

Actually, the EU Commission is pretty clear about the non-E.U. person travelling to E.U. and using a service not specifically targeting E.U. users:

"When the regulation does not apply

Your company is service provider based outside the EU. It provides services to customers outside the EU. Its clients can use its services when they travel to other countries, including within the EU. Provided your company doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR."

https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en

There are many other examples on their website which leave pretty little doubt about when it applies and when it does not.

Regards,
Michel