Personal Data Privacy Considerations at ARIN [Archived]

By John Curran

Given the global nature of the Internet, how organizations handle personal data warrants increasingly close attention. A recent regulatory change in Europe, including the General Data Protection Regulation (GDPR), which will take effect in May 2018 is an important example. Within the ARIN service region (Canada, United States, and many Caribbean and North Atlantic Islands), privacy discussions are ongoing among users, service providers, and governments. In this context, ARIN is also taking a fresh look at its data privacy practices. ARIN seeks to treat any personal information it collects and maintains appropriately and consistent with its obligations and policies.

ARIN’s approach to privacy is grounded in its position as both the registry of number resources in its North American and Caribbean service area, and in the fact that ARIN’s customers are primarily businesses, and rarely individuals. These factors necessarily affect ARIN’s information practices. As a public registry, ARIN’s mission and obligations include distributing information about who administers number resources – most obviously, the Whois database, which provides law enforcement, technical troubleshooters, and the interested public with information about which network providers administer specific number resources. Distributing this information is very much in the public interest of proper functioning of the Internet, and ARIN more naturally aligns with sharing such information, not keeping it confidential and unavailable.  Indeed, the ARIN public policy process has from time to time considered limitations on data availability, but the ARIN community has usually rejected these proposals, finding that the public interest in facilitating Internet coordination and operations is better served by distributing contact information consistent with ARIN’s longstanding practice. Meanwhile, if a network operator desires to keep confidential the name(s) of its designated contact(s), we allow the user role accounts (for example “Abuse Department” abuse@example.com ). ARIN’s processes thus offer ample privacy to those who want it, even while simultaneously supporting the public interest aspects of making Internet number registry data widely available.

The ARIN community has recognized that residential customers of an Internet Service Provider (ISP) in the registry raise additional questions regarding privacy. Entries for residential customers are generally not organizations, and they have limited ability to designate a separate contact for communication with the public. With these factors in mind, ARIN’s “residential customer privacy” permits an ISP with downstream residential customers with small IP address blocks to substitute the ISP’s name for the customers’ name when publishing information about the corresponding number resources, and the ISP may similarly withhold the customer’s street address. As a result of these policies, ARIN does not require ISPs to reveal the names or addresses of residential customers. While protecting customer privacy, these policies nonetheless still facilitate abuse and technical communications, thereby balancing operational concerns with residential user privacy in a way that ARIN’s community deem appropriate and prudent.

ARIN and General Data Protection Regulation (GDPR)

ARIN’s General Operational Activities

Some people have asked about whether ARIN is required to comply with GDPR. The primary question is whether ARIN’s general operations trigger GDPR’s requirements.  First, GDPR applies to the processing of personal data by businesses established in the EU. (GDPR, Art. 3.1.)  As an organization with offices and employees only in the US (the Commonwealth of Virginia), ARIN is not an established entity in the EU.  Second, GDPR also applies to the processing of personal data by businesses based outside the EU that (i) offer goods and services to individuals in the EU or (ii) monitor individuals in the EU, such as by automated profiling.  GDPR, Art. 3.2.

In order to determine whether goods or services are being offered to individuals in the EU, it is relevant to consider whether ARIN directs its services and other activities toward the EU businesses and individuals.  Having a commerce-oriented website that is accessible to EU companies and individuals, for example, does not by itself constitute offering goods or services in the EU.  (See GDPR, Recital 23.)  As evidenced by its services and website, ARIN does not target EU businesses or individuals in that it does not:

• Commonly use a language other than English on its website or in its materials.

• Use currency generally used in the EU for payment of its services.

• Use a top-level domain name of an EU country on its website, such as .de (or .fr).

• Direct its promotions and communications to individuals or businesses in the EU.

• Include among its members those organizations located in the European Union unless those organizations have ARIN-region facilities who contract with ARIN.

The GDPR only applies where individuals in the EU are targeted and only if there is sufficient nexus between ARIN’s activities and the EU.

Businesses monitoring the behavior of individuals in the EU are also subject to GDPR’s requirements.  This type of monitoring contemplates online processes that track individuals for the purpose of creating profiles used for predicting personal preferences, behaviors and attitudes.  ARIN is not in the business of online advertising to or automated profiling of EU businesses or individuals.

The primary data elements that ARIN collects in the normal course of its activities are business contact information – the business contact name, business email and business address of an individual representing a company.  Such information arguably constitutes “personal data” as contemplated under GDPR – but only if such data identifies an individual in the EU.  It is not ARIN’s practice to solicit this information from individuals in the EU for the ARIN Registry /Whois database or for other purposes.

For those reasons, ARIN’s general operational activities do not fall within the scope of GDPR.

ARIN’s Incidental Activities That Relate to Individuals in the EU

If individuals in the EU decide to attend an ARIN meeting in the U.S., for example, they may come in contact with ARIN’s event planning processes.  The individual in the EU could be asked to register for the meeting online by providing his/her business contact data to ARIN, and as a result such an activity could be deemed to be “offering goods and services” to individuals in the EU.  Though the business contact data constitutes “personal data” under GDPR, it is neither considered sensitive nor does it present significant risks if processed in a manner consistent for purpose for which it was collected.

Under GDPR, for these incidental activities, ARIN may process such EU individual’s personal data if there is a “lawful basis” for such processing.  Companies governed by GDPR are required to identify a basis for processing at the time of collection, before processing occurs, and must furnish the individual with both the purpose of the processing and its legal basis at the time data is collected.

For these incidental activities, ARIN may rely on one of the available lawful bases for these types of personal data processing: (i) processing is necessary in order to perform a task carried out in the public interest (Public Interest); (ii) processing is necessary for performance of a contract to which the data subject is a party (Contract) (iii) processing is necessary for the purposes of the legitimate interests of ARIN except if such interests are overridden by the fundamental rights of the EU individual (Legitimate Interest).  For certain activities, ARIN may rely on the Public Interest basis, particularly in light of ARIN’s community basis and consensus-based processes.  For other incidental activities – event registration, for example – ARIN may rely on the Contract basis.  And, for other incidental activities, ARIN may rely on the legitimate interests basis, as ARIN’s information practices are reasonably expected (a network connecting to the Internet and using number resources should expect to identify itself and its resources), have minimal privacy impact (particularly given the possibility of role accounts where desired and the fact that the personal data is limited to business contact data), and also have compelling justification (including being of assistance to law enforcement, civil society and permit technical troubleshooting).  When we collect or process personal data about an individual in the EU as part of our incidental activities, we take steps to apply our privacy policy to this data.

In Summary On GDPR

• ARIN is very aware of the General Data Protection Regulation (GDPR) that is taking effect in May 2018 in the European Union.

• ARIN is not an established entity in the EU and does not hold out its services to EU businesses or individuals. Therefore, ARIN’s general operational activities do not fall within the scope of GDPR.

• ARIN’s customers are businesses in its service region, and information collected from such organizations is generally business contact information, which only infrequently will include data supplied by EU businesses or individuals.

• ARIN’s customer organizations are responsible for the timely and accurate maintenance of any personal data provided to ARIN for the registry.

ARIN Personal Data Privacy Principles

While ARIN’s general activities do not fall within the scope of GDPR, ARIN has taken this opportunity to review ARIN’s data privacy practices.  As part of this review, we also would like to more clearly and succinctly express ARIN Personal Data Privacy Principles, as follows:

• ARIN will process personal data only for specific lawful purposes.

• ARIN obtains personal data by lawful and fair means and, where required with the knowledge or consent of the individual to these specific lawful purposes at the time of collection.

• ARIN stores personal data with appropriate protections for its integrity and confidentiality.

• ARIN data retention practices call for not storing personal data for longer than necessary for the purposes for which it was collected.

• ARIN will use reasonable efforts to provide requesters with a copy of their personal data at ARIN upon request, and process requests for correction or deletion where feasible.

• ARIN will require any agents acting on its behalf to adhere to these (or equivalent) personal data privacy principles.

ARIN staff will shortly issue a revised and updated ARIN draft privacy policy that incorporates these principles, but presently ARIN’s current privacy policy remains version 2.0, posted October 4, 2008.  The refreshed ARIN Personal Data Privacy Policy will further elaborate on ARIN’s collection and processing of personal data with due regard to evolving privacy norms on the Internet.

ARIN will continue to monitor and follow the privacy laws and regulations of Canada, the United States, the Commonwealth of Virginia (where ARIN is headquartered), and the local law of the Caribbean countries within the ARIN service area.  ARIN notes that the local law of some of the Caribbean countries may adopt GDPR or other privacy-related requirements.  But given ARIN’s special role and the context, these laws and regulations will be the beginning, not the end, of ARIN’s considerations.