Keyservers and GDPR

ilf ilf at
Wed May 23 11:27:15 CEST 2018

tl;dr: Keep calm and keep running keyservers.

Vincent Breitmoser:
> (cross-posting on all the cool pgp lists)

(I wonder, if this really needs to be an all the four lists. I think 
sks-devel@ might be the most appropriate. Having said that, I'm only 
replying to gnupg-devel@ because I'm not subscribed to sks-devel at . Feel 
free to relay my message.)

> My personal conclusion is that keyservers that support user id packets 
> are, quite simply, incompatible with GDPR law.

There is a ton of FUD about the GDPR out there right now. Most of it    
frivolous. (Actually, a lot of it is deliberate fearmongering by people 
who happen to sell legal advice on the GDPR.)

First of all, the GDPR is not completely new. All EU member states 
already have data protection laws, some - like Germany - already very  
strong ones. The concepts (PII, responsibilities, technological and 
organisational measures, information and documentation obligations) have 
already been in place with the old Data Protection Directive from 1995, 
which the GDPR is updating. I admit that the GDPR can be read and 
interpreted in a fatalist way. But most people leaning that way seem to 
not have read the older laws.

Laws are not set in stone. Laws include leeways, deliberate or 
unintended. Laws do not depend on their interpretation by laypeople. 
There is a huge dedicated system for its interpretation, conflict 
resolve, judgement and enforcement.

In the case of the GDPR, the very first step of that system are National 
Data Protection Authorities (DPA). They have the power - and the 
responsibility - to investigate possible violations of the GDPR. They 
have been understaffed for years, in many countries dangerously so. They 
are getting a lot more powers and responsibilities with the GDPR, but 
their resources are growing way slower than their tasks. They are 
simply understaffed and overworked. So from all the possible GDPR 
violations they will be notified about, they will work off the biggest 
and most obvious ones first. Their focus will be on the Facebooks - and 
not on small nerd projects or personal websites. They have the power to 
say "we don't care about this weird thing called keyserver" - and the 
probably will.

Now even if someone found data protection law infringements with a 
keyserver, filed a specific and well-worded legal complaint with a DPA, 
and a DPA found the resources to look into it, and the DPA found some 
violation of the GDPR (four big IFs!) - the DPAs will not go around and 
issue sanctions and fine people. First of all, their job is not to 
generate revenues by fines. Their job is to enforce data protection law. 
If a DPA did find an issue with a keyserver - or the very concept - they 
would reach out and talk to the people running the servers. They would 
hear their perspective, learn more about the very concept - and try to 
work out a viable solution to provide the service without possible data 
protection infringements. This is their job and their goal.

The most feared sanction of some undefined GDPR violation is a fine. As 
I layed out, DPAs don't want to issue fines, they want to stop privacy 
violations. And they will not blindly issue a fine without talking to 
you first. That being said, they obviously do have the power to issue 
fines. After due process. However, this power is also not new, it has 
also existed in many countries. And DPAs don't run around and fine 
people left and right (you would have heard about that), they exercise 
their power in a balanced way. And fines are always in relation to the 
economic and personal circumstances of the - then guilty and obstinate - 
data protection violators. I guess most keyservers are run by  
non-profit individuals or institutions. Even if a company runs a 
keyserver, it doesn't make money with that service. Therefore, I think 
the chance of *any* fine is negligible - and the chance of an 
unreasonably high fine is almost zero. And if it ever came to this, the 
community and public alarmed by public outcry would probably donate more 
than the fine issued.

To sum up: Keep calm and keep running keyservers. You'll be fine.

More elaboration in German:

Disclaimer: IANAL. This is not legal advice.


If you upload your address book to "the cloud", I don't want to be in it.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <>

More information about the Gnupg-devel mailing list