Re: Meeting terms and conditions

Hi SM

I will answer for the IETF LLC in the first instance as this is all within my delegated responsibilities.  Also, as an aside, I recommend using the admin-discuss list for this type of discussion as it is admin related.

> On 31 Mar 2025, at 22:02, S Moonesamy <sm+ietf@xxxxxxxxxxxx> wrote:
> 
> Dear IETF Administration LLC Board,
> 
> The terms and conditions for registering for a meeting states that:
> 
>  "The IETF and related organizations are committed to transparency and so
>   some of your registration data will be made public. For information about
>   the personal data that is collected, and how it is managed, please see
>   the Privacy Statement."
> 
> The privacy statement, dated July 2024, states that:
> 
>  "By providing us with your Personal Data, you are consenting to our disclosure
>   and use of it for the purposes as described in this Statement."
> 
> During a discussion in October 2024 about the "Legally required disclosure" section of the statement, it was revealed that there was a database match being performed by the IETF Administration LLC.

If you could point me to that discussion, it would help me in trying to understand your following points.

The database match that we do, we are legally required to do, and we document in this policy: https://www.ietf.org/media/documents/IETF_LLC_OFAC_Compliance_Policy_2022-09-26.pdf

>  1. It's also good to state one's commitment to transparency.  There isn't
>     adequate information about the processing of the personal data for the
>     database.  It would be quite onerous for a person from a technology limited
>     country who is not employed by a high revenue organization to seek expert
>     advice on the "legally required" section.  It also does not seem transparent.

I don’t properly understand the points being made:
- are you suggesting that the privacy statement needs to reference the OFAC policy above?
- are you suggesting the privacy statement is not legally compliant?

> 
>  2. A person who registers for the meeting will be consenting to the database
>     match even though there is any information about that in the privacy policy.
>     I don't think that it is fair to say that "you are consenting" when the
>     other party did not disclose information about the database match

As it is a legal requirement that we perform this match, no consent is needed and nobody can refuse or withdraw consent.

>  3. The list of attendees for the last IETF meeting which was held in Ireland
>     is at https://datatracker.ietf.org/meeting/121/proceedings/attendees/  It
>     would likely take less than one minute for a person to verify whether I
>     gave my consent.  The lack of attendance has a negative impact on fulfilling
>     the qualifications for a nomination committee (RFC 8713, Section 4.14) or
>     signing a recall petition (RFC 8713, Section 7.1.1).

As far as I can tell, you appear to be saying that consent is needed for someone’s name to appear in this list and there are consequences if they do not give that consent - if I have misunderstood please correct me.  Consent is not required for meeting participant names to be published. The entire manner in which the standards are developed is designed around the requirement for a transparent and accurate archive of the standards development process.

Jay

-- 
Jay Daley
IETF Executive Director
exec-director@xxxxxxxx




