New keyserver at keys.openpgp.org - what's your take?

Thu Jun 27 03:18:55 CEST 2019

> Please cite the section from the GDPR

I assume you have looked into this already and are not asking this out of
uninformedness. But, I'll bite.

Article 2, "Material Scope":

> (1) This Regulation applies to the processing of personal data wholly or
> partly by automated means (...).

There are four exceptions to general applicability, none of which even possibly
apply to this scenario. We are obviously operating in the EU, so territorial
scope (Article 3) also applies. Let's look at the definitions of "processing"
and "personal data", then:

The definition of personal data, Article 4:

> (1) ‘personal data’ means any information relating to an identified or
> identifiable natural person (‘data subject’); an identifiable natural person
> is one who can be identified, directly or indirectly, in particular by
> reference to an identifier such as a name, (...), or an online identifier
> (...);

Given that there is legal commentary that even IP addresses in logs already
count as personal data, I don't find it contestable that e-mail addresses do
constitute personal data.

Here's what "processing" means, same article:

> (2) ‘processing’ means any operation or set of operations which is performed
> on personal data or on sets of personal data, whether or not by automated
> means, such as collection, recording, organisation, structuring, storage,
> adaptation or alteration, retrieval, consultation, use, disclosure by
> transmission, dissemination or otherwise making available, alignment or
> combination, restriction, erasure or destruction;

This is most certainly what we are doing.

So assuming that e-mail addresses are personal data, and we process this data,
there is an (exhaustive!) list of possible situations in which we are lawfully
allowed to do so, two of which can potentially apply. Article 6:

> 1. Processing shall be lawful only if and to the extent that at least one of
> the following applies:
>
> (a) the data subject has given consent to the processing of his or her
>    personal data for one or more specific purposes;
>
> (...)
>
> (e) processing is necessary for the performance of a task carried out in the
> public interest (...);

The first is clear - if we have consent, we're good. The second *could* possibly
be argued, but I have a hard time believing the haphazard handling of e-mail
addresses on traditional keyservers serves the public interest. Even if we did
assume this, there is the "right to object", which allows data subjects to
object to the use of their data. Article 21:

> 1. The data subject shall have the right to object, (...) to processing of
> personal data concerning him or her which is based on point (e) or (f) of
> Article 6(1), (...). The controller shall no longer process the personal data
> unless the controller demonstrates compelling legitimate grounds for the
> processing which override the interests, rights and freedoms of the data
> subject (...).

All in all, I find it pretty clear that GDPR does apply to processing of e-mail
addresses on public keyservers. There are various nuanced conclusions one may
draw, for example "it applies, but you probably won't get sued, so just keep on
running them pool servers". It is unclear to me how one could look at this and
conclude that keyservers aren't affected by GDPR.

> and the, say, German implementation

GDPR is a [regulation], not a [directive]. As such, it is an immediately
enforcable law that does not require a per-country implementation to be
effective.

> along with relevant commentary to show why this is a legal requirement.

I'm aware of work on this by folks with legal background, but due to funny
academic publishing culture I'm not at liberty to share.  Hopefully something
will be available to the public soon.

 - V

[regulation]: https://en.wikipedia.org/wiki/Regulation_(European_Union)
[directive]: https://en.wikipedia.org/wiki/Directive_(European_Union)