The Call of the Open Sidewalk

From a place slightly to the side of the more popular path

User Tools

Site Tools

pgpfan:gdpr

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision		Previous revision
pgpfan:gdpr [2026/03/10 20:31] – created b.walzerpgpfan:gdpr [2026/03/21 17:33] (current) – [Personal Data] Was too abrupt. b.walzer
Line 52: Line 52:
  
 The GDPR is about protecting the rights of people over their data. So we have to consider what data in a PGP identity actually belongs to a user in a GDPR sense. Such data is called "personal data" (GDPR art 4(1)). If there is no data relevant to the GDPR here then we can skip the rest of the discussion. The GDPR is about protecting the rights of people over their data. So we have to consider what data in a PGP identity actually belongs to a user in a GDPR sense. Such data is called "personal data" (GDPR art 4(1)). If there is no data relevant to the GDPR here then we can skip the rest of the discussion.
 +
 +What is, and is not, personal data under the GDPR depends on context. Here are two numbers:
 +
 +<ff:ocr-b,monospace><fs:large>
 +57592 57592
 +</fs></ff>
 +
 +The number on the left is my employee identification number. It identifies me in multiple employment related contexts. It counts as personal data under the GDPR. The number on the right is from an anonymized database. It identifies a particular person, but there is no way to relate it to an actual physical person. It does not count as personal data under the GDPR. So you may distribute, store or further process the rightmost number without my knowledge or consent. You can only distribute, store or further process the leftmost number with consideration of my rights under the GDPR.
 +
 +But the numbers are the same! That is why this is such a good example; the actual value is not important, only the context((For another example of this sort of thing, see: [[https://ansuz.sooke.bc.ca/entry/23|What Colour are your bits?]])).
  
 It seems fairly clear that a public key used for identification can count as personal data under the GDPR. The question came up with respect to the public key used to identity users of blockchains((See section 3.3 of: [[https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf|Blockchain and the General Data Protection Regulation]])). Does it count for the public key(s) in PGP identities? It seems fairly clear that a public key used for identification can count as personal data under the GDPR. The question came up with respect to the public key used to identity users of blockchains((See section 3.3 of: [[https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf|Blockchain and the General Data Protection Regulation]])). Does it count for the public key(s) in PGP identities?
Line 105: Line 115:
 ====In Support of Legitimate Interests==== ====In Support of Legitimate Interests====
  
-  * The possible consequences (GDPR art 6(4)(d)) are trivial. The right to be forgotten normally only concerns things like serious criminal convictions that could negatively affect a person's reputation. The sort of thing that could destroy a person's life((See paragraph 231-235 from: [[https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-225814%22]}|CASE OF HURBAIN v. BELGIUM]]))+  * The possible consequences (GDPR art 6(4)(d)) are trivial. The right to be forgotten normally only concerns things like serious criminal convictions that could negatively affect a person's reputation. The sort of thing that could destroy a person's life((See paragraphs 231-235 from: [[https://hudoc.echr.coe.int/eng#{%22itemid%22:[%22001-225814%22]}|CASE OF HURBAIN v. BELGIUM]]))
   * A PGP identity is not "special data" (GDPR art 6(4)%%(c)%% => GDPR art 9).   * A PGP identity is not "special data" (GDPR art 6(4)%%(c)%% => GDPR art 9).
   * An important context here is that the "controller" and the "data subjects" are effectively the same group (GDPR art 6(4)(b)).   * An important context here is that the "controller" and the "data subjects" are effectively the same group (GDPR art 6(4)(b)).
Line 136: Line 146:
  
 That is why this is important. A legal theory can act as a sort of attack on a project/system. The result can be a loss of interest in the project/system. It might seem easier to resolve the claimed legal problem in a technical way rather than having to engage fully with the legal aspects. That approach often does not work and can waste a lot of time and effort. That is why this is important. A legal theory can act as a sort of attack on a project/system. The result can be a loss of interest in the project/system. It might seem easier to resolve the claimed legal problem in a technical way rather than having to engage fully with the legal aspects. That approach often does not work and can waste a lot of time and effort.
 +
 +Projects/systems without access to legal resources are particularly vulnerable to this sort of attack ... most notably, open source based projects.
  
 SKS server operators actually received (receive?) requests for erasure that they obviously could not fulfill(([[https://gist.github.com/rjhansen/f716c3ff4a7068b50f2d8896e54e4b7e|SKS Keyserver Network Attack: Consequences]])). This might be a good place to mention that the GDPR has an explicit anti-trolling provision (GDPR art 12(5)) that is specifically intended to be used against such an attack. SKS server operators actually received (receive?) requests for erasure that they obviously could not fulfill(([[https://gist.github.com/rjhansen/f716c3ff4a7068b50f2d8896e54e4b7e|SKS Keyserver Network Attack: Consequences]])). This might be a good place to mention that the GDPR has an explicit anti-trolling provision (GDPR art 12(5)) that is specifically intended to be used against such an attack.
pgpfan/gdpr.1773174666.txt.gz · Last modified: by b.walzer