Re: [Sks-devel] Implications of GDPR

[Klaus-Uwe Mitterer]

Hi Moritz,

My understanding is that the section you quoted on the "right to be forgotten" refers to the controller's (i.e. your) obligation to inform _other_ controllers processing the data (in this case: other keyserver operators who, through gossip, have a "copy or replication" of the personal data) about the data subject's request for deletion. "Technical measures" in this context would, for instance, be a way to automatically propagate the deletion to other servers; as this is not possible, you only have to take "reasonable steps" to inform others, like sending an email to your peers. If somebody wants you to delete their data, you will definitely have to delete it, regardless of how difficult this is to achieve with SKS.

A whole different issue is how you would get a data subject's permission to process their data in the first place, and how you would notify them about the fact that you are processing their data, both of which are required by the GDPR.

Regards

Klaus-Uwe

On 2018-04-29 13:02, Moritz Wirth wrote:

Hi Fabian,

first of all, I am not a lawyer so you should not rely on my response as
it may be wrong :)

- The GDPR applies to all persons and companies who are located in the
EU or offering goods, services or who monitor the behavior of EU data
subjects - this means that all keyservers are affected regardless where
they are physically located. (https://www.eugdpr.org/gdpr-faqs.html)

- Personal Data includes Names, Photos, social posts, IP-Addresses.. (so
it seems that everything that can be connected to a person is included
here).

- The Right to be forgotten: People have the right to get their data
deleted if it is no longer necessary in relation to the purpose they
were collected. I think this means that if someone wants to have their
data deleted, you have to delete it - given the fact above that some
keys include personal name or even photos, you would be required to
delete them (even if you are in the USA). However, I am not sure - the
text says "the controller, taking account of available technology and
the cost of implementation, shall take reasonable steps, including
technical measures, to inform controllers which are processing the
personal data that the data subject has requested the erasure by such
controllers of any links to, or copy or replication of, those personal
data." <-- Given the fact that it is not possible to delete data from a
keyserver, I am not sure how this would be handled. (Same applies to for
reasons of public interest in the area of public health in accordance
with points (h) and (i) of Article 9(2) as well as Article 9(3) but I
didnt check on that). (https://gdpr-info.eu/art-17-gdpr/)

- I heard that you must sign (physical) contracts with data processing
companies (this may also include Google and Google Analytics, I am not
sure about Google Fonts etc but since Google gets your IP...) if you
share the data of your user with them (e.g using GA on your site).
("Controller will need to have in place an appropriate contract with any
other Controller that it jointly shares data with if that Controller
particularly is outside the EU."). Should not really matter (except for
Google Fonts) - at the end the use of Tracking services is up to the
keyserver admin itself
(https://www.netskope.com/blog/gdpr-data-processing-agreements/)

The first thing I would do is to include a checkbox in the webtemplate
that every person who queries or uploads a key via the webinterface
agrees to your data policy - in the data policy you should explain what
happens when a key is uploaded, that it is distributed to other
keyservers, (IPs are collected whatever you do) and that it is not
possible to delete keys once they are uploaded.

If someone has more information on this or something to correct feel
free to do so :)

Best regards,

Moritz


Am 29.04.18 um 12:24 schrieb Fabian A. Santiago:

So,

As I understand it, GDPR concerns all EU citizen users of a site, regardless of where the site is hosted. How does this affect keyservers? I've seen at least one server going offline due to it. Should I be concerned as an American keyserver host? 
--

Fabian A. Santiago

OpenPGP:

0x643082042dc83e6d94b86c405e3daa18a1c22d8f (current key)
 0x3c3fa072accb7ac5db0f723455502b0eeb9070fc (to be retired / revoked)

_______________________________________________
Sks-devel mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/sks-devel

_______________________________________________
Sks-devel mailing list
address@hidden
https://lists.nongnu.org/mailman/listinfo/sks-devel

-- 
Klaus-Uwe Mitterer

Email: address@hidden  

XMPP: address@hidden  
Twitter: @kumitterer  
Threema: PEBXP4H3
Telegram: @kumitterer

Skype: kumitterer  
Mobile: +43 660 6340166  

*** DISCLAIMER ***
This document is only intended for the person to whom it is 
addressed. If you have received it, it was obviously addressed to you. 
Therefore, you are free to read it, even if I didn't mean to send it to 
you. However, if the contents of this email sound gibberish to you, you 
were probably not the intended recipient - or you're just a mindless 
cretin. If either is the case, you should immediately delete yourself 
and destroy your computer. After doing this, please contact me 
immediately. Well, obviously you can't use your computer for this, as 
you have destroyed it. Also, you deleted yourself. Sorry, I digress...

In case I didn't send this email to you, I sincerely apologize. In 
case of non-receipt of this email, I do not take any responsibility, 
because it means that either you or your email provider or both use a 
Microsoft Windows operating system. You know how glitchy that is, right?

Nor will I accept any liability, tacit or implied, for any damage 
you may or may not incur as a result of receiving, or not, as the case 
may be, from time to time, notwithstanding all liabilities implied or 
otherwise and... erm... you know... whatever the case may be... IT 
WASN'T ME. YOU'RE MEAN.