Re: [Sks-devel] GDPR (equine corpse) (WAS: Re: The pool is shrinking)


From: brent s.
Subject: Re: [Sks-devel] GDPR (equine corpse) (WAS: Re: The pool is shrinking)
Date: Tue, 20 Aug 2019 11:49:34 -0400
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0

On 8/20/19 6:05 AM, Tobias Mueller wrote:
(SNIP)
>> This means not only are keydumps allowed for research (§2), but the
>> SKS in general (ESPECIALLY US servers and operators, which I'll get to
>> in a moment) is exempt - we provide "...archiving purposes in the
>> public interest" (§3). Frankly put, we make GPG *work*. GPG is a
>> *very* valuable public tool - zero-trust-model public cryptography is
>> impossible without the Web-of-Trust. Ergo, exempt. It's that simple.
> No. And no, it's not.
> You are reading this wrongly.
> §89 says that member states *can* enact laws which exempt controllers
> from their duties with respect to erasure or correction *iff* the
> legitimate ground is the public interest (which itself is highly
> questionable).
> You don't gain anything from this §89 GDPR if member states do not
> create a law. And even then you wouldn't be fully exempt (as you
> suggest), but rather have an easier life as a controller.
> If we require member states to enact laws, then we're better off
> pursuing laws based on §85 GDPR, but that'd go too far for this
> discussion here.  I'm happy to have this elsewhere.
> 
> Cheers,
>   Tobi
> 


Sure; while §17(d) makes allowance via §89, it would - for example -
require a UK operator to associate with the Nat'l Registry of
Archives[0] to get the furthest extent of legal coverage (under §89
*specifically*).

However, the GDPR also makes exemption for TEU, Title V (2)(b) as well
without requiring a member state to make allowance. So an EU operator
could, should they fear GDPR repercussions, either 1.) pursue enacted
legislation/established archival status within their member state to
come under protection of §89 OR 2.) appeal to be a provider of a service
under TEU Title V.

Worth noting that Article 23 of GDPR also allows derogations for public
security as well.

HOWEVER, also note that *processing* of keys would fall under Article 6
(1)(f) (legitimate interest being defined via Recital 49) which requires
no explicit derogation of member states. Being that the public key is
necessary for the operation of the processing of keys in the duties of
"...preventing .. malicious code distribution" (Recital 49) (though GPG
itself serves a much broader use to protect the rights and freedoms of
EU citizens as well, which are widely covered throughout the GDPR) -
such as GPG signatures on release tarballs, for instance - the erasure
situation can be considered covered as well.

GPG *also* enables compliance with Article 32(1)(a) and (b).

Of course, this is all untested because to my knowledge an EU keyserver
operator hasn't been challenged and it hasn't been brought to an EU
court yet, so there's no established example. But the case is quite
strong for the keyserver operator, I'd say.



[0] https://www.nationalarchives.gov.uk/

-- 
brent saner
https://square-r00t.net/
GPG info: https://square-r00t.net/gpg-info

Attachment: signature.asc
Description: OpenPGP digital signature
