Re: [Sks-devel] Implications of GDPR
From: chris
Subject: Re: [Sks-devel] Implications of GDPR
Date: Sun, 29 Apr 2018 13:06:51 +0100
My short response to all of that is: "meh".
Less briefly: Technically, I think you're right. The whole keyserver system
doesn't appear to work at all against GDPR. But equally, a _system_ like ours
doesn't seem a very likely target of any regulators. The law was mostly
envisioned to keep *companies* in line - not a disparate collection of
individuals running a service as a hobby. After all, most European countries
already had existing individual privacy laws that the keyservers were
theoretically already in breach of.
I'll personally risk it - but as you note - I'm not a lawyer either. 😉
Regards,
Chris
-----Original Message-----
From: Sks-devel [mailto:address@hidden] On Behalf Of Moritz Wirth
Sent: 29 April 2018 12:03
To: Fabian A. Santiago <address@hidden>; sks-devel <address@hidden>
Subject: Re: [Sks-devel] Implications of GDPR
Hi Fabian,
First of all, I am not a lawyer, so you should not rely on my response as it may
be wrong :)
- The GDPR applies to all persons and companies who are located in the EU or
offering goods or services to, or who monitor the behavior of, EU data subjects - this
means that all keyservers are affected regardless of where they are physically
located. (https://www.eugdpr.org/gdpr-faqs.html)
- Personal Data includes names, photos, social posts, IP addresses... (so it
seems that everything that can be connected to a person is included here).
- The Right to be forgotten: People have the right to get their data deleted if
it is no longer necessary in relation to the purpose for which it was collected. I
think this means that if someone wants to have their data deleted, you have to
delete it - given the fact above that some keys include a personal name or even
photos, you would be required to delete them (even if you are in the USA).
However, I am not sure - the text says "the controller, taking account of
available technology and the cost of implementation, shall take reasonable
steps, including technical measures, to inform controllers which are processing
the personal data that the data subject has requested the erasure by such
controllers of any links to, or copy or replication of, those personal data."
<-- Given the fact that it is not possible to delete data from a keyserver, I
am not sure how this would be handled. (The same applies to "for reasons of public
interest in the area of public health in accordance with points (h) and (i) of
Article 9(2) as well as Article 9(3)", but I didn't check on that.)
(https://gdpr-info.eu/art-17-gdpr/)
- I heard that you must sign (physical) contracts with data processing
companies (this may also include Google and Google Analytics; I am not sure
about Google Fonts etc., but since Google gets your IP...) if you share the data
of your users with them (e.g. using GA on your site).
("Controller will need to have in place an appropriate contract with any other
Controller that it jointly shares data with if that Controller particularly is
outside the EU."). This should not really matter (except for Google Fonts) - in the
end, the use of tracking services is up to the keyserver admin itself.
(https://www.netskope.com/blog/gdpr-data-processing-agreements/)
The first thing I would do is to include a checkbox in the web template so that
every person who queries or uploads a key via the web interface agrees to your
data policy. In the data policy you should explain what happens when a key is
uploaded, that it is distributed to other keyservers, that IPs are collected
whatever you do, and that it is not possible to delete keys once they are
uploaded.
If someone has more information on this or something to correct feel free to do
so :)
Best regards,
Moritz
On 29.04.18 at 12:24, Fabian A. Santiago wrote:
> So,
>
> As I understand it, GDPR concerns all EU citizen users of a site, regardless
> of where the site is hosted. How does this affect keyservers? I've seen at
> least one server going offline due to it. Should I be concerned as an
> American keyserver host?
> --
>
> Fabian A. Santiago
>
> OpenPGP:
>
> 0x643082042dc83e6d94b86c405e3daa18a1c22d8f (current key)
> 0x3c3fa072accb7ac5db0f723455502b0eeb9070fc (to be retired / revoked)
>