keys require a user-id

Werner Koch wk at gnupg.org
Wed May 20 18:07:35 CEST 2020 

On Tue, 19 May 2020 10:29, Robert J. Hansen said:

> * PII-free UIDs are possible today

Well, according to European law this is not that easy because a public
key is in most cases an attribute which identifies a natural person.
This is the same as with phone numbers and mail addresses.  In Germany
even dynamically assigned IP addresses are attributes which can be used
to identify a person and thus are subject to GDPR.

OTOH, the GDPR does not forbid the use of this data, there are just
rules on how they can be used.  WP describes the basic rules as:

  Unless a data subject has provided informed consent to data processing
  for one or more purposes, personal data may not be processed unless
  there is at least one legal basis to do so. Article 6 states the
  lawful purposes are:

  (a) If the data subject has given consent to the processing of his or
      her personal data;
    
  (b) To fulfill contractual obligations with a data subject, or for
      tasks at the request of a data subject who is in the process of
      entering into a contract;

  (c) To comply with a data controller's legal obligations;
  
  (d) To protect the vital interests of a data subject or another
      individual;

  (e) To perform a task in the public interest or in official authority;

  (f) For the legitimate interests of a data controller or a third
      party, unless these interests are overridden by interests of the
      data subject or her or his rights according to the Charter of
      Fundamental Rights (especially in the case of children).

IMHO, point d covers the case of distributing and using a public key for
the purpose of securing the communication with the data subject.  The
key may of course not be used for any other purpose (i.e. tracking
behaviour etc).  Hacker be aware, the lay is not a machine, it works
different than we tend to assume.


Shalom-Salam,

   Werner

-- 
Die Gedanken sind frei.  Ausnahmen regelt ein Bundesgesetz.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 227 bytes
Desc: not available
URL: <https://lists.gnupg.org/pipermail/gnupg-users/attachments/20200520/f4dfa98a/attachment.sig>

More information about the Gnupg-users mailing list