Re: IETF IPR, EU EECC AND CJEU SCHREMS2 compliance


 



Nick,
GDPR requirements will include submitters' info, and in many instances their IP ADDRESS. You are right transfer of privacy controlled info but courts in the US and EU have already constrained session connection info as part of that.

These clearly impact rights under the existing IETF IPR scheme, and here is the real ticker, it must be integrated into the "LEGAL Aspects section" of each protocol project (ID, RFC, BCP) pertaining to the uses of IETF protocols.

This is the first time such a time bomb has ever been attached to the standard practices documents itself, but IETF standards have never had to have a "publication use control" pertaining to localization before, which this new hurdle is tied to, and they do now.

It might make sense to create a blanket "GDPR localization" boilerplate, but localization use rules for protocols are now a reality, and they definitely impact BCP79.

Also in considering GDPR localization and the scope of its importance, the EU EECC which goes into effect in 3 months, makes most all IETF protocols regulated under EU law there in the EU/EEA as well "as what they refer to as OVER THE TOP communication instances", so there is also a requirement to address that change as well in that same context.

FWIW The Court of Justice of the European Union ruling against Facebook in Schrems2 has serious "protocol specific use instances" for blocking under GDPR communications between non GDPR entities and those practicing GDPR methods. The issue is when there is no control practice acknowledgement or methods capable in the protocol it makes the protocol standard itself unusable in those jurisdictions.

As I mentioned above, this type of thing was never contemplated when the boilerplate copyright and IPR rights were done as BCP79 by Scott Bradner and Jorge Contreras Esq. but they are certainly here now.

At the very least BCP79 must be updated, but I would suggest more is needed and that is a protocol data flow auditing practice for each key protocol, security and DNS ones especially. Finally new TLS and other certificate management routines as well, because personal connection certificates and per-session keys used by individuals are clearly controlled by these new mandates. In fact any published instances of those protocols should be updated with at least a "we are capable of being used under GDPR and EECC" or a statement saying the obvious.

There is a lot of stuff to be updated. Just my two cents...

Best to you sir, and the group.

//Todd Glassey






-------- Original Message --------
On Sep 25, 2020, 18:28, Nick Hilliard <nick@xxxxxxxxxx> wrote:

[cc: trimmed to ietf@xxxxxxxx]

Tglassey1 wrote on 24/09/2020 16:36:
> There are serious reasons pending why IETF needs to reopen the IPR group
> to address these issues, and ongoing ones as well in global Internet
> compliance.

Todd,

ianal.

As I understand it, GDPR (General Data Protection Regulations) refers
only to protection of personally identifiable information (PII).

Can you identify how PII concerns intersect with intellectual property
concerns, and what shortcomings you see at the IETF that need to be
addressed?

Nick

