On 27/05/2019 14:47, Jim Popovitch wrote:
> On Mon, 2019-05-27 at 14:28 +0100, Andrew Gallagher wrote:
>> On 27/05/2019 12:47, deloptes wrote:
>>> it is a matter of an agreement between the person and the authority
>>> hosting the information of the public key
>
>> This is the problem though: there is no single identifiable authority
>> (data controller in GDPR jargon) with whom to make such an agreement.
>> Keyservers are distributed not just operationally and geographically,
>> but also legally. Furthermore, it is not always the data owner who
>> uploads it to the keyserver network, so neither party to the GDPR
>> consent model need be present during the transaction, or need even exist.
>
> Is that a binding legal opinion or a personal one? I ask, because in
> the USA (and presumably most western countries) there need not be a
> single identifiable entity necessary to bring suit. Doe subpoenas and
> multi-party lawsuits are real things.

Standard disclaimer applies: I am not a lawyer and nothing I say
constitutes legal advice.

I think you misunderstand me. The absence of a single data controller
for the keyserver network is not a legal shield, quite the opposite.

The GDPR "explicit consent" exemption does not readily apply to the
keyserver network, because there is no practical way for an arbitrary
keyserver to ensure that consent has been obtained for all the data it
contains. But remember that explicit consent is only one of the
permitted grounds for processing under GDPR (something that has been
grossly overlooked in much of the public discourse), so this is not by
itself definitive.

-- 
Andrew Gallagher
_______________________________________________
Sks-devel mailing list
Sks-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/sks-devel