Given the global nature of the Internet, how organizations handle personal data warrants increasingly close attention. A recent regulatory change in Europe, including the General Data Protection Regulation (GDPR), which will take effect in May 2018 is an important example. Within the ARIN service region (Canada, United States, and many Caribbean and North Atlantic Islands), privacy discussions are ongoing among users, service providers, and governments. In this context, ARIN is also taking a fresh look at its data privacy practices. ARIN seeks to treat any personal information it collects and maintains appropriately and consistent with its obligations and policies.
ARIN’s approach to privacy is grounded in its position as both the registry of number resources in its North American and Caribbean service area, and in the fact that ARIN’s customers are primarily businesses, and rarely individuals. These factors necessarily affect ARIN’s information practices. As a public registry, ARIN’s mission and obligations include distributing information about who administers number resources – most obviously, the Whois database, which provides law enforcement, technical troubleshooters, and the interested public with information about which network providers administer specific number resources. Distributing this information is very much in the public interest of proper functioning of the Internet, and ARIN more naturally aligns with sharing such information, not keeping it confidential and unavailable. Indeed, the ARIN public policy process has from time to time considered limitations on data availability, but the ARIN community has usually rejected these proposals, finding that the public interest in facilitating Internet coordination and operations is better served by distributing contact information consistent with ARIN’s longstanding practice. Meanwhile, if a network operator desires to keep confidential the name(s) of its designated contact(s), we allow the user role accounts (for example “Abuse Department” <firstname.lastname@example.org>). ARIN’s processes thus offer ample privacy to those who want it, even while simultaneously supporting the public interest aspects of making Internet number registry data widely available.
The ARIN community has recognized that residential customers of an Internet Service Provider (ISP) in the registry raise additional questions regarding privacy. Entries for residential customers are generally not organizations, and they have limited ability to designate a separate contact for communication with the public. With these factors in mind, ARIN’s “residential customer privacy” permits an ISP with downstream residential customers with small IP address blocks to substitute the ISP’s name for the customers’ name when publishing information about the corresponding number resources, and the ISP may similarly withhold the customer’s street address. As a result of these policies, ARIN does not require ISPs to reveal the names or addresses of residential customers. While protecting customer privacy, these policies nonetheless still facilitate abuse and technical communications, thereby balancing operational concerns with residential user privacy in a way that ARIN’s community deem appropriate and prudent.
ARIN and General Data Protection Regulation (GDPR)
ARIN’s General Operational Activities
Some people have asked about whether ARIN is required to comply with GDPR. The primary question is whether ARIN’s general operations trigger GDPR’s requirements. First, GDPR applies to the processing of personal data by businesses established in the EU. (GDPR, Art. 3.1.) As an organization with offices and employees only in the US (the Commonwealth of Virginia), ARIN is not an established entity in the EU. Second, GDPR also applies to the processing of personal data by businesses based outside the EU that (i) offer goods and services to individuals in the EU or (ii) monitor individuals in the EU, such as by automated profiling. GDPR, Art. 3.2.
In order to determine whether goods or services are being offered to individuals in the EU, it is relevant to consider whether ARIN directs its services and other activities toward the EU businesses and individuals. Having a commerce-oriented website that is accessible to EU companies and individuals, for example, does not by itself constitute offering goods or services in the EU. (See GDPR, Recital 23.) As evidenced by its services and website, ARIN does not target EU businesses or individuals in that it does not:
- Commonly use a language other than English on its website or in its materials.
- Use currency generally used in the EU for payment of its services.
- Use a top-level domain name of an EU country on its website, such as .de (or .fr).
- Direct its promotions and communications to individuals or businesses in the EU.
- Include among its members those organizations located in the European Union unless those organizations have ARIN-region facilities who contract with ARIN.
The GDPR only applies where individuals in the EU are targeted and only if there is sufficient nexus between ARIN’s activities and the EU.
Businesses monitoring the behavior of individuals in the EU are also subject to GDPR’s requirements. This type of monitoring contemplates online processes that track individuals for the purpose of creating profiles used for predicting personal preferences, behaviors and attitudes. ARIN is not in the business of online advertising to or automated profiling of EU businesses or individuals.
The primary data elements that ARIN collects in the normal course of its activities are business contact information — the business contact name, business email and business address of an individual representing a company. Such information arguably constitutes “personal data” as contemplated under GDPR — but only if such data identifies an individual in the EU. It is not ARIN’s practice to solicit this information from individuals in the EU for the ARIN Registry /Whois database or for other purposes.
For those reasons, ARIN’s general operational activities do not fall within the scope of GDPR.
ARIN’s Incidental Activities That Relate to Individuals in the EU
If individuals in the EU decide to attend an ARIN meeting in the U.S., for example, they may come in contact with ARIN’s event planning processes. The individual in the EU could be asked to register for the meeting online by providing his/her business contact data to ARIN, and as a result such an activity could be deemed to be “offering goods and services” to individuals in the EU. Though the business contact data constitutes “personal data” under GDPR, it is neither considered sensitive nor does it present significant risks if processed in a manner consistent for purpose for which it was collected.
Under GDPR, for these incidental activities, ARIN may process such EU individual’s personal data if there is a “lawful basis” for such processing. Companies governed by GDPR are required to identify a basis for processing at the time of collection, before processing occurs, and must furnish the individual with both the purpose of the processing and its legal basis at the time data is collected.
In Summary On GDPR
- ARIN is very aware of the General Data Protection Regulation (GDPR) that is taking effect in May 2018 in the European Union.
- ARIN is not an established entity in the EU and does not hold out its services to EU businesses or individuals. Therefore, ARIN’s general operational activities do not fall within the scope of GDPR.
- ARIN’s customers are businesses in its service region, and information collected from such organizations is generally business contact information, which only infrequently will include data supplied by EU businesses or individuals.
- ARIN’s customer organizations are responsible for the timely and accurate maintenance of any personal data provided to ARIN for the registry.
ARIN Personal Data Privacy Principles
While ARIN’s general activities do not fall within the scope of GDPR, ARIN has taken this opportunity to review ARIN’s data privacy practices. As part of this review, we also would like to more clearly and succinctly express ARIN Personal Data Privacy Principles, as follows:
- ARIN will process personal data only for specific lawful purposes.
- ARIN obtains personal data by lawful and fair means and, where required with the knowledge or consent of the individual to these specific lawful purposes at the time of collection.
- ARIN stores personal data with appropriate protections for its integrity and confidentiality.
- ARIN data retention practices call for not storing personal data for longer than necessary for the purposes for which it was collected.
- ARIN will use reasonable efforts to provide requesters with a copy of their personal data at ARIN upon request, and process requests for correction or deletion where feasible.
- ARIN will require any agents acting on its behalf to adhere to these (or equivalent) personal data privacy principles.
ARIN will continue to monitor and follow the privacy laws and regulations of Canada, the United States, the Commonwealth of Virginia (where ARIN is headquartered), and the local law of the Caribbean countries within the ARIN service area. ARIN notes that the local law of some of the Caribbean countries may adopt GDPR or other privacy-related requirements. But given ARIN’s special role and the context, these laws and regulations will be the beginning, not the end, of ARIN’s considerations.