Re: [Sks-devel] Withdrawal of Service - keys.flanga.io

[dirk astrath]

Hello,

I didn' read all mails of this topic, but the GDPR-issue was already
named over half a year ago:

I somebody orders me (directly or via a lawyer) to remove personal data
like special key-data from the keyserver-database, I have two choices:

(a) Shutdown my keyserver (to avoid any lawsuits)
(b) Fight a lawsuit

Here in germany it's possible for individuals or organisations to send a
so-called "Unterlassungserklärung" (declaration of discontinuance) from
a layer, which is quite expensive.

Even if I sign this declaration and take immediate actions, there may be
costs (for the lawyer of the "other" site), which can be quite high
(several hundreds/thousands of euros).

Therefore I decided to shut down my own keyservers ... and advised the
association I ran more keyservers to either take the risk or shut down
their keyservers, too (Both decisions have been: Shutdown and monitor
the mailingist/... to activate it later again).

Back to the topic:

As an individual (especially in germany) the risk for a lawsuit for
GDPR-issues is too high ... and I assume, that most keyservers are run
by individuals and not by companies.

While reading several mails having this subject another issue was named:

Assume, somebody adds copyrighted material (like an image, a small
sound-file etc.) to a key and uploads this key to a server within the
keyserver-network.

As soon as this key can be downloaded from this (and due to
synchronisation) from any keyservers the keyserver-network distributes
this copyrighted material.

How can this issue be handled? Who will take the risk for fighting a
lawsuit?

If necessary, I can talk to a lawyer and ask about his viewpoint about
the GDPR and copyright-issue. (He is active within our local
opensource/free-software-community, so this will be free-of-charge)

Kind regards,

dirk

On 16.11.2018 16:29, Andrew Gallagher wrote:
> On 16/11/2018 16:19, Keith Erekson wrote:
>> Standard "I am not a lawyer" disclaimer applies, but it is my impression
>> (both from speaking to people who know more than I do about this, and
>> from reading article 17 of the GDPR) that the "right to be forgotten"
>> isn't necessarily absolute.
> 
> That is also my understanding.
> 
>> Meaning that if one were to receive such a request, and it is *not
>> possible* to remove the data, this doesn't automatically mean that the
>> only recourse is to shut down the service. Specifically, this language
>> is the part that catches my attention: "the controller, taking account
>> of available technology and the cost of implementation, shall take
>> reasonable steps, including technical measures, to inform controllers..."
> 
> "Reasonable" is a commonly encountered word in data protection law, and
> what is or is not "reasonable" is a matter of interpretation.
> 
> The answer to this and many other questions about GDPR is that nobody
> really knows for sure, not even the experts, and the only way to find
> out is to wait for a test case to bring enlightenment. Until that
> happens, even the most learned advice will be hedged with a thicket of
> qualified assumptions.
> 
> 
> 
> _______________________________________________
> Sks-devel mailing list
> address@hidden
> https://lists.nongnu.org/mailman/listinfo/sks-devel
>

signature.asc
Description: OpenPGP digital signature