On 28/01/2022 20:02, jonkomer via Gnupg-users wrote:
>> A. G. via <gnupg-users@gnupg.org>:
>> The short answer is "no", or at best "not yet"...
>
> Thank you very much for the response and comprehensive
> comments.
>
> In this case, the mail domain owner is actually the one
> that needs this level of control: he insists on the ability
> to positively respond to individual e-mail users' GDPR
> "forget me" requests.

...

> Domain owner intends to operate a "members only" public key
> dissemination and fingerprint verification mechanism. When
> the user is removed from the "membership", (either by the
> domain owner action or by his or her own request), the mail
> address (and any/all other personal data) is deleted and
> promptly removed from the publicly exposed Internet domain
> presence.

This sounds like a perfect use case for WKD. It is under the full control of the domain owner (the data controller), and RTBF does not arise. Publication of the key is necessary to provide the service, and the data controller deletes personal data immediately on cessation of that service.

> After the user removal the domain owner is ipso facto
> GDPR compliant. However, he would prefer that a naive user
> (rightly or not) does not consider him unresponsive, and both
> sides

Both sides?

> have some interest in preventing any Internet server
> from keeping an active and publicly exposed user's name
> and (now defunct) e-mail-address, thus indiscriminately
> advertising forever the fact that John Doe was at some point
> in time a member of Example.org.

This is not an OpenPGP-specific concern - anyone with John Doe's name and email in their address book can potentially "leak" the fact that JD was once associated with example.com, even if he never creates a public key. These are presumably the same people that he is corresponding with using OpenPGP.

GDPR actively helps you here, by ensuring that if you are corresponding with a company that does business in the EU, they must have internal processes to minimise such leaks. Otherwise, you are at the mercy of your correspondents, GDPR or not. What is to stop them posting JD's contact details on Twitter, for example? Or synchronising their address books with a badly-run cloud service?

> How do individual key-server owner/operators react to
> formal GDPR "forget me" requests; either by e-mail users, or
> by mail domain owners? Any known legal precedents?

The mail domain owner cannot make an RTBF request on behalf of a user; GDPR applies to personal data, and the domain owner is not the data owner.

Hockeypuck server operators can add the fingerprint of the offending key to their block list. SKS operators have to recompile, but in theory can also comply.

A
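The WKD mechanism the reply points to, shown as an added example (not code from the thread, from GnuPG or from Hockeypuck). WKD derives the key's location from the address itself: the local part is lowercased, SHA-1 hashed and z-base-32 encoded, and a client fetches it from a well-known path on a host the domain owner runs. The `WebKeyDirectory` class is a hypothetical in-memory stand-in for that directory tree, added only to show that "publish" and "forget" are a file create and a file delete under the domain owner's control; the key bytes are constructed placeholders:

```python
"""WKD (Web Key Directory) address-to-URL mapping plus a toy publish/forget
directory. Added illustration, not code from the gnupg-users thread or GnuPG.

Per draft-koch-openpgp-webkey-service: hash = z-base-32(SHA-1(lowercase(local
part))), always 32 characters; the domain is not hashed, it selects the host.
"""
from __future__ import annotations

import hashlib
from typing import Optional
from urllib.parse import quote

# Zooko's z-base-32 alphabet, as used by WKD.
ZBASE32_ALPHABET = "ybndrfg8ejkmcpqxot1uwisza345h769"


def zbase32_encode(data: bytes) -> str:
    """Unpadded z-base-32: emit 5 bits at a time, MSB first."""
    bits, nbits, out = 0, 0, []
    for byte in data:
        bits = (bits << 8) | byte
        nbits += 8
        while nbits >= 5:
            nbits -= 5
            out.append(ZBASE32_ALPHABET[(bits >> nbits) & 31])
    if nbits:  # left-align any leftover bits in a final group
        out.append(ZBASE32_ALPHABET[(bits << (5 - nbits)) & 31])
    return "".join(out)


def wkd_hash(local_part: str) -> str:
    """32-char z-base-32 of SHA-1 over the lowercased local part."""
    digest = hashlib.sha1(local_part.lower().encode("utf-8")).digest()
    return zbase32_encode(digest)


def split_address(address: str) -> tuple[str, str]:
    """Split on the last '@'; the domain is case-insensitive, so lowercase it."""
    local, _, domain = address.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {address!r}")
    return local, domain.lower()


def wkd_urls(address: str) -> dict[str, str]:
    """The advanced and direct method URLs a WKD client tries, in that order."""
    local, domain = split_address(address)
    h = wkd_hash(local)
    # ?l= carries the original local part (case preserved); it lets the server
    # confirm the match, the client relies on the hashed path.
    l = quote(local, safe="")
    return {
        "advanced": f"https://openpgpkey.{domain}/.well-known/openpgpkey/{domain}/hu/{h}?l={l}",
        "direct": f"https://{domain}/.well-known/openpgpkey/hu/{h}?l={l}",
    }


class WebKeyDirectory:
    """Hypothetical in-memory model of one domain's /.well-known/openpgpkey/
    tree. Publishing creates hu/<hash>; forgetting deletes it, after which a
    lookup fails exactly as it does for an address that was never a member."""

    def __init__(self, domain: str) -> None:
        self.domain = domain.lower()
        self.files: dict[str, bytes] = {"policy": b""}  # empty policy file is valid

    def _path(self, address: str) -> str:
        local, domain = split_address(address)
        if domain != self.domain:
            raise ValueError(f"{address!r} is not served by {self.domain}")
        return f"hu/{wkd_hash(local)}"

    def publish(self, address: str, binary_key: bytes) -> str:
        """Store the binary (not armored) key under its hashed path."""
        path = self._path(address)
        self.files[path] = binary_key
        return path

    def forget(self, address: str) -> bool:
        """Membership removal: delete the key file; True if one existed."""
        return self.files.pop(self._path(address), None) is not None

    def lookup(self, address: str) -> Optional[bytes]:
        return self.files.get(self._path(address))


if __name__ == "__main__":
    wkd = WebKeyDirectory("example.org")
    print(wkd.publish("John.Doe@example.org", b"<constructed placeholder key>"))
    print(wkd_urls("John.Doe@example.org")["advanced"])
    print("forgotten:", wkd.forget("john.doe@example.org"),
          "still served:", wkd.lookup("john.doe@example.org") is not None)
```

Cross-check the generated URL against `gpg-wks-client --print-wkd-url <address>` (or `gpg --locate-keys <address>` with a WKD-enabled auto-key-locate) from a recent GnuPG before deploying; the point for the thread is that once `hu/<hash>` is gone from the domain owner's server there is nothing left for anyone to fetch, in contrast to a synchronising keyserver network.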
_______________________________________________
Gnupg-users mailing list
Gnupg-users@gnupg.org
https://lists.gnupg.org/mailman/listinfo/gnupg-users