[arin-ppml] Privacy of ARIN registry data (was: Re: Reclamation of Number Resources)

John Curran jcurran at arin.net
Mon Jul 18 10:10:54 EDT 2022 

On 18 Jul 2022, at 9:04 AM, Ronald F. Guilmette <rfg at tristatelogic.com<mailto:rfg at tristatelogic.com>> wrote:

In message <6D0E26DD-2B7D-49F3-9889-6B2D0CC41956 at arin.net<mailto:6D0E26DD-2B7D-49F3-9889-6B2D0CC41956 at arin.net>>,
John Curran <jcurran at arin.net<mailto:jcurran at arin.net>> wrote:

If you wish the ARIN registry to obtain and/or publish "the names and full
contact information of any and all officers, directors, shareholders, and/or
legal representatives of any given member", you would need to propose a policy
that clearly notes the necessary purpose for the collection and processing
for this information, and have the ARIN community concur and adopt said
policy.

Yes.

But how about a policy of ARIN just publishing the name & contact info of
each natural person representative of each legal entity that is an ARIN
member and who filed the membership application?   You already have that
information in your files, so there is no issue of "collecting" that
because you already have it, agreed?

Ah, no... there would be a very significant issue, as we did not collect the data for that
purpose and thus have no consent to publish it as you suggest.  We may be able to go
out and individually obtain such consents (although I expect there may be just a few
organizations who decline, and that would likely defeat your goals in publication. )

Alternatively, it might be possible for us publish that information as you suggest if
the ARIN community developed a policy that required such publication which included
a very clear and specific need for ARIN to so do in order to fulfill its mission. (I’m not
sure that’s actually possible, as we have been fulfilling our mission successfully for
decades without publishing the data as you propose.)

In the end, we would probably need to make the requirement for publication of this
information explicit in the RSA.  Note that doing so for all existing parties would require
both a Board recommendation for the change and then a member ratification vote –
as changes to everyone’s existing RSA, other than as needed for conformance to
prevailing law, have been put under member control as per Section 1 of the RSA.

So, yes, just a few issues involved...

Absent such a policy, what you seek would represent a fairly significant
departure from what are becoming commonly accepted principles for personal
data privacy and processing of personally identifiable information.

Baloney!  "Commonly accepted principles for personal data privacy and
processing of personally identifiable information" ??  Where are you
getting this from John?  Europe?  Just because THEY have chosen to
shoot themselves in the foot with their newfound privacy fetish, that's
no reason why we should.

ARIN serves numerous jurisdictions with such personal data privacy principles now
in place, including Canada and many US states, and ARIN has a Personal Data
Privacy Policy which embeds similar concepts - https://www.arin.net/about/privacy/

Thanks,
/John

John Curran
President and CEO
American Registry for Internet Numbers

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.arin.net/pipermail/arin-ppml/attachments/20220718/2d078c21/attachment.htm>

More information about the ARIN-PPML mailing list