nanog mailing list archives
Re: Whois vs GDPR, latest news
From: "K. Scott Helms" <kscott.helms () gmail com>
Date: Thu, 24 May 2018 11:19:16 -0400
Anne,

While I was re-reading some of the emails last night I realized that I mischaracterized your description here:

> "You may accuse me of being a lawyer here (and rightly so :-) ), but "in", as in "in the Union" (which is the actual language) is very much open to interpretation. In a judicial system where lawsuits have turned on - I kid you not - the interpretation of what a comma meant, I can almost guarantee you that "in the Union" is going to get interpreted through lawsuits, and it is absolutely not outside the realm of possibility that a U.S. citizen visiting in the EU will bring a lawsuit based on something happening with their PII while they were "in the Union"."

I didn't make it clear that you were suggesting that some would make this claim rather than you making that claim. Mea culpa :)

Our counselors made it clear (as did the regulators I was able to ask) that short term visits weren't intended to be covered *in their opinion.* There are and will be many questions that won't be fully answered until adjudicated or more precise language is used to make the meaning clear. Juhan Lepassaar (Head of VP Ansip Cabinet, European Commission) was one of the speakers and we were able to ask questions of him. It looks like the video of one of the presentations I was at is now publicly available and I encourage those with questions to watch it.

https://www.rsaconference.com/speakers/juhan-lepassaar

> "Actually, GDPR specifically requires processors to include statements of compliance right in their contracts; we also strongly recommend that controllers insist on indemnification clauses in their contracts with processors, because if the processor screws up and there is a breach, the _controller_ can also be held liable, and the financial penalties in GDPR are very stiff."

Yep, this is better (clearer) wording than what I used and is absolutely correct.

On Thu, May 24, 2018 at 10:21 AM Anne P. Mitchell Esq. <amitchell () isipp com> wrote:
> On May 23, 2018, at 7:18 PM, K. Scott Helms <kscott.helms () gmail com> wrote:
>
>> Anything that can tie back to an individual data subject is PII, that means email addresses, names in combination with addresses or phone numbers, fingerprints, or even insufficiently abstracted internal ID numbers/codes.
>
> Don't forget IP addresses, as part of the wonderfully vague "online identifiers".
>
>> Notice I didn't say EU citizen there, that's because the law and regulations (GDPR consists of both) intentionally cover any natural person in any of the 28 EU nations including the citizens of non-EU nations.
>>
>> I don't go as far as I think Anne was suggesting, in that someone in EU airspace who sent an email or made a purchase is now suddenly an EU data subject.
>
> You may accuse me of being a lawyer here (and rightly so :-) ), but "in", as in "in the Union" (which is the actual language) is very much open to interpretation. In a judicial system where lawsuits have turned on - I kid you not - the interpretation of what a comma meant, I can almost guarantee you that "in the Union" is going to get interpreted through lawsuits, and it is absolutely not outside the realm of possibility that a U.S. citizen visiting in the EU will bring a lawsuit based on something happening with their PII while they were "in the Union".
>
>> Any company that is covered by the GDPR must be extremely careful that any company they do business with is also compliant if that company will have access or act as a data processor. That means that if you are a US company that has US only customers, but some of your customers have employees that are US citizens but who live in an EU nation then they are bound to only use providers that are GDPR compliant. Now, this will result in contractual disputes and/or loss of business rather than having EU regulators fine your company directly.
>>
>> The end result is that many many many companies that don't sell or market to the EU are finding themselves needing to comply in the same way that companies that sell services to medical companies often have to follow HIPAA (and be audited) even though they provide medical services themselves.
>
> Actually, GDPR specifically requires processors to include statements of compliance right in their contracts; we also strongly recommend that controllers insist on indemnification clauses in their contracts with processors, because if the processor screws up and there is a breach, the _controller_ can also be held liable, and the financial penalties in GDPR are very stiff.
>
> Anne
>
> Anne P. Mitchell, Attorney at Law
> CEO/President, SuretyMail Email Reputation Certification and Inbox Delivery Assistance
> GDPR Compliance Consultant
> GDPR Compliance Certification
> http://www.SuretyMail.com/
> http://www.SuretyMail.eu/
> Attorney at Law / Legislative Consultant
> Author: Section 6 of the CAN-SPAM Act of 2003 (the Federal anti-spam law)
> Author: The Email Deliverability Handbook
> Legal Counsel: The CyberGreen Institute
> Legal Counsel: The Earth Law Center
> Member, California Bar Cyberspace Law Committee
> Member, Colorado Cybersecurity Consortium
> Member, Board of Directors, Asilomar Microcomputer Workshop
> Member, Advisory Board, Cause for Awareness
> Member, Elevations Credit Union Member Council
> Former Chair, Asilomar Microcomputer Workshop
> Ret. Professor of Law, Lincoln Law School of San Jose
> Available for consultations by special arrangement.
> amitchell () isipp com | @AnnePMitchell
> Facebook/AnnePMitchell | LinkedIn/in/annemitchell