Reply to post:

Things that make you go hmmm: Do crypto key servers violate GDPR?

Crypto Monad Silver badge

> consent requires a "clear affirmative action" by the data subject

Uploading your key to a keyserver and requesting it to be published is pretty clear affirmative action.

The problem is when someone else uploads your key without your permission - or worse, a different key which claims to be yours.

That is why I don't use keyservers: anyone can upload any random key with any random label. There's no assurance it's the right one, unless (a) I got the fingerprint from a trusted source (in which case I could have got the key from that source too); or (b) the key happens to be signed by someone in my web-of-trust, which is pretty small.

Therefore, in general I get keys directly from whoever I'm corresponding with: it's much easier to make a value judgement over whether it's the right key or not.

Back to GDPR: there is an assumption baked into PGP that public keys are, well, public. Simple answer: get rid of keyservers. These days you can publish OpenPGP keys securely in DNS/DANE instead.

One other thing: can anyone give me a good reason why a keyserver should *not* remove a key on request, if the request is signed by that key?
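The DNS/DANE route mentioned above, and the "pin it to a fingerprint from a trusted source" check, in working form. This is an added example and not code from the post or from any keyserver or GnuPG project. It computes the OPENPGPKEY owner name of RFC 7929 (SHA-256 of the UTF-8 local-part, truncated to 28 octets, under `_openpgpkey.<domain>`), walks a binary OpenPGP key to find the primary public-key packet, derives the RFC 4880 v4 fingerprint (SHA-1 over 0x99, two-octet length, packet body) and compares it in constant time with a fingerprint obtained out of band. No DNS query is made: the key blobs are constructed toy RSA packets with tiny moduli, so the script runs offline; in real use the blob would be the RDATA of a DNSSEC-validated OPENPGPKEY (type 61) answer. The case handling of the local-part (hashed as given, domain lower-cased) is an assumption noted in the code.

```python
"""Locate an OpenPGP key via DANE OPENPGPKEY (RFC 7929) and pin it to a
fingerprint obtained out of band (RFC 4880 v4 fingerprint).
Added example with constructed keys; not real key material."""
import hashlib
import hmac
import struct

PUBLIC_KEY_TAG = 6  # RFC 4880 packet tag for a (primary) public key


def openpgpkey_owner_name(email: str) -> str:
    """DNS owner name of the OPENPGPKEY record for an address (RFC 7929)."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    # SHA2-256 of the UTF-8 local-part, truncated to 28 octets, as 56 hex digits.
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    # Assumption: the local-part is hashed exactly as given and only the domain
    # is case-folded; a deployment that folds local-parts must do so first.
    return f"{digest.hex()}._openpgpkey.{domain.lower()}."


def _mpi(value: int) -> bytes:
    """OpenPGP MPI: 2-octet bit length followed by the big-endian magnitude."""
    return struct.pack(">H", value.bit_length()) + value.to_bytes(
        (value.bit_length() + 7) // 8, "big")


def build_rsa_public_key_packet(n: int, e: int, created: int) -> bytes:
    """Constructed v4 RSA public-key packet with a new-format header.
    Toy modulus so the example runs offline; this is not a usable key."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(n) + _mpi(e)
    length = len(body)
    if length < 192:
        hdr_len = bytes([length])
    elif length < 8384:
        length -= 192
        hdr_len = bytes([(length >> 8) + 192, length & 0xFF])
    else:
        hdr_len = b"\xff" + struct.pack(">I", length)
    return bytes([0xC0 | PUBLIC_KEY_TAG]) + hdr_len + body


def iter_packets(blob: bytes):
    """Yield (tag, body) for each packet of a binary OpenPGP key or message.
    Handles old- and new-format headers with definite lengths."""
    i = 0
    while i < len(blob):
        ctb = blob[i]
        if not ctb & 0x80:
            raise ValueError(f"bad packet header at offset {i}")
        i += 1
        if ctb & 0x40:  # new-format header
            tag = ctb & 0x3F
            first = blob[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + blob[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", blob[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported here")
        else:  # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported here")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(blob[i:i + size], "big")
            i += size
        body = blob[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        yield tag, body


def v4_fingerprint(blob: bytes) -> str:
    """Fingerprint of the primary key: SHA-1(0x99 || 2-octet body length || body)."""
    for tag, body in iter_packets(blob):
        if tag == PUBLIC_KEY_TAG:
            if body[0] != 4:
                raise ValueError(f"unsupported key version {body[0]}")
            prefix = b"\x99" + struct.pack(">H", len(body))
            return hashlib.sha1(prefix + body).hexdigest().upper()
    raise ValueError("no public-key packet found")


def key_matches(blob: bytes, trusted_fingerprint: str) -> bool:
    """Pin a fetched key to a fingerprint you got from the correspondent directly."""
    want = trusted_fingerprint.replace(" ", "").upper()
    return hmac.compare_digest(v4_fingerprint(blob), want)


if __name__ == "__main__":
    # In real use: dig +dnssec TYPE61 <name>, and only trust a validated answer.
    print("query:", openpgpkey_owner_name("hu@example.com"))
    genuine = build_rsa_public_key_packet(n=0xC0FFEE, e=0x10001, created=1_500_000_000)
    impostor = build_rsa_public_key_packet(n=0xBADC0DE, e=0x10001, created=1_500_000_000)
    trusted = v4_fingerprint(genuine)  # the value you would have been given in person
    print("genuine:", key_matches(genuine, trusted), "impostor:", key_matches(impostor, trusted))
```

The owner name for `hu@example.com` can be checked against the worked example in RFC 7929 itself. The DNS lookup is what gives the assurance: an unvalidated answer is no better than a keyserver listing, so the resolver must return an AD-bit (DNSSEC-validated) response, and GnuPG can do the whole lookup with `--auto-key-locate dane`. The fingerprint pin is the check the post's point (a) describes, and it is the same check that catches a different key uploaded under your label.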
