Re: [Sks-devel] Keyservers and GDPR

[Andrew Gallagher]

On 27/05/2019 14:47, Jim Popovitch wrote:
> On Mon, 2019-05-27 at 14:28 +0100, Andrew Gallagher wrote:
>> On 27/05/2019 12:47, deloptes wrote:
>>> it is a matter of an agreement between the person and the authority
>>> hosting the information of the public key
> 
>> This is the problem though: there is no single identifiable authority
>> (data controller in GDPR jargon) with whom to make such an agreement.
>> Keyservers are distributed not just operationally and geographically,
>> but also legally. Furthermore, it is not always the data owner who
>> uploads it to the keyserver network, so neither party to the GDPR
>> consent model need be present during the transaction, or need even exist.
> 
> Is that a binding legal opinion or a personal one?  I ask, because in
> the USA (and presumably most western countries) there need not be a
> single identifiable entity necessary to bring suit. Doe subpoenas and
> multi-party lawsuits are real things.

Standard disclaimer applies: I am not a lawyer and nothing I say
constitutes legal advice.

I think you misunderstand me. The absence of a single data controller
for the keyserver network is not a legal shield, quite the opposite. The
GDPR "explicit consent" exemption does not readily apply to the
keyserver network, because there is no practical way for an arbitrary
keyserver to ensure that consent has been obtained for all the data it
contains. But remember that explicit consent is only one of the
permitted grounds for processing under GDPR (something that has been
grossly overlooked in much of the public discourse), so this is not by
itself definitive.

-- 
Andrew Gallagher

signature.asc
Description: OpenPGP digital signature