Hi Vincent,
thinking about earlier data privacy laws (which were quite similiar to GDPR in
many respects) and pubkey servers got me to no clear conclusion.
If our goal is to automate the common case in an end-to-end crypto
mail communication, then asking the user a data privacy agreement question
is a stumbling block. I would degrate the user experience a lot.

Note that if you use WKD with your email provider and just the email address
in the key id (as supported by a policy option), there is no additional
personal data saved nor communicated. The email provider already has your
email address and the person asking via WKD also. In addition serving of the
public key on behalf of ther user could be added to the terms of service
of the email provider. Overal I think WKD is doing quite well on the data
privacy side and will allow a good user experience by not asking each time to
publish a new pubkey for oneself.

Best Regards,
Bernhard

I'm not a lawyer, but i see this vice versa.

Users upload their keys for the purpose of their usage in the "web of trust" and expect their availability (storage, processing)there for this.

A contract with the server owner/admin IS emerged with the transfer of the data in the conventional keyserver protocol without any further "written" contract.

Extended, written explicite order is required if the keyserver (their owner) want to use that data for other purposes, not covered by the specs.

This is my view. But clearifying this needs a good las expert with a good understanding in the specs and the whole process.


just my two cents.

Niels.

On 22.05.18 21:44, Vincent Breitmoser wrote:
[...]
There are actually two different types of keyservers, which should be
clearly distinguished.

1. the pool of SKS keyservers: as anyone can upload anybody's key, and
as it does not allow to delete keys, it's IMHO by not compatible with GDPR.

2. other types of keyservers like the run by Mailvelope (and possibly
others that I don't know of), that verify the keys they receive and
allow to delete keys, are compatible with GDPR, or can be made
compatible easily.

-Patrick

tl;dr: Keep calm and keep running keyservers.
(I wonder, if this really needs to be an all the four lists. I think
sks-devel@ might be the most appropriate. Having said that, I'm only
replying to gnupg-devel@ because I'm not subscribed to sks-***@. Feel
free to relay my message.)
There is a ton of FUD about the GDPR out there right now. Most of it
frivolous. (Actually, a lot of it is deliberate fearmongering by people
who happen to sell legal advice on the GDPR.)

First of all, the GDPR is not completely new. All EU member states
already have data protection laws, some - like Germany - already very
strong ones. The concepts (PII, responsibilities, technological and
organisational measures, information and documentation obligations) have
already been in place with the old Data Protection Directive from 1995,
which the GDPR is updating. I admit that the GDPR can be read and
interpreted in a fatalist way. But most people leaning that way seem to
not have read the older laws.

Laws are not set in stone. Laws include leeways, deliberate or
unintended. Laws do not depend on their interpretation by laypeople.
There is a huge dedicated system for its interpretation, conflict
resolve, judgement and enforcement.

In the case of the GDPR, the very first step of that system are National
Data Protection Authorities (DPA). They have the power - and the
responsibility - to investigate possible violations of the GDPR. They
have been understaffed for years, in many countries dangerously so. They
are getting a lot more powers and responsibilities with the GDPR, but
their resources are growing way slower than their tasks. They are
simply understaffed and overworked. So from all the possible GDPR
violations they will be notified about, they will work off the biggest
and most obvious ones first. Their focus will be on the Facebooks - and
not on small nerd projects or personal websites. They have the power to
say "we don't care about this weird thing called keyserver" - and the
probably will.

Now even if someone found data protection law infringements with a
keyserver, filed a specific and well-worded legal complaint with a DPA,
and a DPA found the resources to look into it, and the DPA found some
violation of the GDPR (four big IFs!) - the DPAs will not go around and
issue sanctions and fine people. First of all, their job is not to
generate revenues by fines. Their job is to enforce data protection law.
If a DPA did find an issue with a keyserver - or the very concept - they
would reach out and talk to the people running the servers. They would
hear their perspective, learn more about the very concept - and try to
work out a viable solution to provide the service without possible data
protection infringements. This is their job and their goal.

The most feared sanction of some undefined GDPR violation is a fine. As
I layed out, DPAs don't want to issue fines, they want to stop privacy
violations. And they will not blindly issue a fine without talking to
you first. That being said, they obviously do have the power to issue
fines. After due process. However, this power is also not new, it has
also existed in many countries. And DPAs don't run around and fine
people left and right (you would have heard about that), they exercise
their power in a balanced way. And fines are always in relation to the
economic and personal circumstances of the - then guilty and obstinate -
data protection violators. I guess most keyservers are run by
non-profit individuals or institutions. Even if a company runs a
keyserver, it doesn't make money with that service. Therefore, I think
the chance of *any* fine is negligible - and the chance of an
unreasonably high fine is almost zero. And if it ever came to this, the
community and public alarmed by public outcry would probably donate more
than the fine issued.

To sum up: Keep calm and keep running keyservers. You'll be fine.

More elaboration in German:
https://netzpolitik.org/2018/bussgelder-bei-datenschutzverstoessen-angst-vor-einem-phantom/

Disclaimer: IANAL. This is not legal advice.

The right-to-be-forgotten (RTBF) and the design of append-only logs like
keyservers and blockchain™ obviously present a challenge on how to
combine both. But this is also nothing to panic about. Especially since
virtually all German DPAs use OpenPGP themselves:

https://www.bfdi.bund.de/SharedDocs/Publikationen/BfDIKey.asc?__blob=publicationFile&v=1
https://www.lda.bayern.de/media/pgp_schluessel_dsa.asc
https://www.datenschutz-berlin.de/email/mailbox_blnbdi.asc
http://www.lda.brandenburg.de/media_fast/4055/LDABbgpublickey.asc
https://www.datenschutz-hamburg.de/fileadmin/user_upload/documents/pgp-schluessel_hmbbfdi.asc
https://datenschutz.hessen.de/sites/datenschutz.hessen.de/files/PGP-Schluessel.txt
https://www.datenschutz-mv.de/static/DS/Dateien/pgp_lds_mv.asc
https://www.lfd.niedersachsen.de/download/32009/Unser_PGP-Schluessel_neu_ab_01.09.2015_.txt
https://www.ldi.nrw.de/metanavi_Kontakt/key_ldi.asc
https://www.datenschutz.rlp.de/fileadmin/lfdi/Dokumente/pubkey_lfdi-rlp.asc
https://datenschutz.saarland.de/fileadmin/pgp/datenschutzzentrum-key_.asc
https://www.saechsdsb.de/images/stories/sdb_inhalt/behoerde/SaechsDSB.txt
https://www.datenschutzzentrum.de/uploads/uld/uld.asc
https://www.tlfdi.de/mam/tlfdi/start/tlfdi_schluessel_ab_dez_2015.txt

Also, all of those keys are also on the keyserver pool. As they should
be. I just "checked". :)

Again: Don't panic.