On May 25, the GDPR (General Data Protection Regulation) will come into effect.
Does Let’s Encrypt planned to respect the letter or the spirit of the GDPR?
In summary, this European law create new rights and obligations regarding the processing of personal data:
For individuals, rights to know which personal data is processed, and under some circumstances, the right to refuse the processing, correct the data or ask for the deletion.
For companies processing personal data, the obligation of protection, and to answer the requests of individuals.
In United States, “PII” (Personally identifiable information) often refer to data that can identify a person (like a full name, or a passport number). “personal data” in that legislation is broader: it’s any information linked to a PII:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Even if the IRSG is in the USA, the GDPR may apply:
This Regulation applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the Union.
(disclaimer: I’m not a lawyer)
Let’s encrypt store multiple identifier which may be associated to individuals:
- IP address
- email address
- domain name
- account id
Any data associate to these identifiers must then be considered as personal data.
Here is the list of processing I’ve identified:
- For the delivery of certificates (account information, certificates requests, …)
- The information on visitors of letsencrypt.org
- The https://community.letsencrypt.org/ forum
- The requests of OCSP responses queried by the visitors of websites using Let’s Encrypt
Other companies with whom some data may be shared:
Other relevant link:
5.5.2. Retention Period for Archive
The CA SHALL retain all documentation relating to certificate requests and the verification thereof, and all Certificates and revocation thereof, for at least seven years after any Certificate based on that documentation ceases to be valid