Re: Whois vs GDPR, latest news

[JORDI PALET MARTINEZ via NANOG <nanog () nanog org>]

However, if an EU citizen or resident uses the services of those companies, they are bound to comply with the GDPR.

So, if you target your services to people outside the EU, you must have a way to DENY that anyone in the EU register to 
your services, or even sent a request via a form in your web, etc.

I don't think that's so easy as to make 100% proof ... and maybe the cost of complying the GDPR is even cheaper/easier 
and you open your services to the EU as well (or EU people, for example, visiting US).

Regards,
Jordi
 
 

-----Mensaje original-----
De: NANOG <nanog-bounces () nanog org> en nombre de Michel 'ic' Luczak <lists () benappy com>
Fecha: sábado, 26 de mayo de 2018, 10:34
Para: "Anne P. Mitchell Esq." <amitchell () isipp com>
CC: "Gary T. Giesen via NANOG" <nanog () nanog org>
Asunto: Re: Whois vs GDPR, latest news

    
    > On 23 May 2018, at 19:12, Anne P. Mitchell Esq. <amitchell () isipp com> wrote:
    > 
    > 
    > 
    >> On May 23, 2018, at 11:05 AM, K. Scott Helms <kscotthelms () gmail com> wrote:
    >> 
    >> Yep, if you're doing a decent job around securing data then you don't have much to be worried about on that side 
of things.  The problem for most companies is that GDPR isn't really a security law, it's a privacy law (and set of 
regulations).  That's where it's hard because there are a limited number of ways you can, from the EU's standpoint, 
lawfully process someone's PII.  Things like opting out and blanket agreements to use all of someone's data for any 
reason a company may want are specifically prohibited.  Even companies that don't intentionally sell into the EU (or 
the UK) can find themselves dealing with this if they have customers with employees in the EU. 
    > 
    > Or if someone who is a U.S. citizen and resident goes to the org's U.S.-based website and orders something (or 
even just provides their PII)... but happens to be in a plane flying over an EU country at the time.  Because GDPR 
doesn't talk about residence or citizenship, it talks only about a vague and ambiguous "in the Union", and I can 
certainly envision an argument in which the person in the plane claims that they were, technically, "in the Union" at 
the time. 
    > 
    
    Actually, the EU Commission is pretty clear about the non-E.U. person travelling to E.U. and using a service not 
specifically targetting E.U. users :
    
    "When the regulation does not apply
    Your company is service provider based outside the EU. It provides services to customers outside the EU.  Its 
clients can use its services when they travel to other countries, including within the EU. Provided your company  
doesn't specifically target its services at individuals in the EU, it is not subject to the rules of the GDPR.”
    
    
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/application-regulation/who-does-data-protection-law-apply_en
    
    There are many other examples on their website which leave pretty little doubts about when it applies and when it 
does not.
    
    Regards, Michel
    
    
    



**********************************************
IPv4 is over
Are you ready for the new Internet ?
http://www.consulintel.es
The IPv6 Company

This electronic message contains information which may be privileged or confidential. The information is intended to be 
for the exclusive use of the individual(s) named above and further non-explicilty authorized disclosure, copying, 
distribution or use of the contents of this information, even if partially, including attached files, is strictly 
prohibited and will be considered a criminal offense. If you are not the intended recipient be aware that any 
disclosure, copying, distribution or use of the contents of this information, even if partially, including attached 
files, is strictly prohibited, will be considered a criminal offense, so you must reply to the original sender to 
inform about this communication and delete it.