The Call of the Open Sidewalk

From a place slightly to the side of the more popular path

pgpfan:gdpr

Differences

This shows you the differences between two versions of the page.

pgpfan:gdpr [2026/03/12 15:56] – [The Attack Against the SKS network] b.walzerpgpfan:gdpr [2026/03/21 17:33] (current) – [Personal Data] Was too abrupt. b.walzer
Line 52: Line 52:
  
 The GDPR is about protecting the rights of people over their data. So we have to consider what data in a PGP identity actually belongs to a user in a GDPR sense. Such data is called "personal data" (GDPR art 4(1)). If there is no data relevant to the GDPR here then we can skip the rest of the discussion. The GDPR is about protecting the rights of people over their data. So we have to consider what data in a PGP identity actually belongs to a user in a GDPR sense. Such data is called "personal data" (GDPR art 4(1)). If there is no data relevant to the GDPR here then we can skip the rest of the discussion.
 +
 +What is, and is not, personal data under the GDPR depends on context. Here are two numbers:
 +
 +<ff:ocr-b,monospace><fs:large>
 +57592 57592
 +</fs></ff>
 +
 +The number on the left is my employee identification number. It identifies me in multiple employment related contexts. It counts as personal data under the GDPR. The number on the right is from an anonymized database. It identifies a particular person, but there is no way to relate it to an actual physical person. It does not count as personal data under the GDPR. So you may distribute, store or further process the rightmost number without my knowledge or consent. You can only distribute, store or further process the leftmost number with consideration of my rights under the GDPR.
 +
 +But the numbers are the same! That is why this is such a good example; the actual value is not important, only the context((For another example of this sort of thing, see: [[https://ansuz.sooke.bc.ca/entry/23|What Colour are your bits?]])).
  
 It seems fairly clear that a public key used for identification can count as personal data under the GDPR. The question came up with respect to the public key used to identity users of blockchains((See section 3.3 of: [[https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf|Blockchain and the General Data Protection Regulation]])). Does it count for the public key(s) in PGP identities? It seems fairly clear that a public key used for identification can count as personal data under the GDPR. The question came up with respect to the public key used to identity users of blockchains((See section 3.3 of: [[https://www.europarl.europa.eu/RegData/etudes/STUD/2019/634445/EPRS_STU(2019)634445_EN.pdf|Blockchain and the General Data Protection Regulation]])). Does it count for the public key(s) in PGP identities?
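Review bot: In the added paragraph that starts "The number on the left", the sentence "It identifies a particular person, but there is no way to relate it to an actual physical person" contradicts itself, and that weakens the exact distinction the example is meant to draw. Suggest wording such as "It stands for one person's record, but there is no way to relate it to an actual physical person", so the anonymized number is never described as identifying anyone. The same paragraph switches from "left"/"right" to "leftmost"/"rightmost" for a pair of numbers; keep one form. The example also depends on the two values staying side by side inside the font markup, so labelling each number in the text would keep it readable if the formatting is lost. The claim that the anonymized number "does not count as personal data" carries no citation, while the preceding context line cites art 4(1); adding the corresponding GDPR reference for anonymized data would match. Separately, the unchanged context line after the addition still reads "used to identity users" where "identify" is meant.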
pgpfan/gdpr.1773330993.txt.gz · Last modified: by b.walzer