this post was submitted on 15 May 2025
638 points (99.7% liked)

Technology

70268 readers
5384 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 2 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
638
EU ruling: tracking-based advertising by Google, Microsoft, Amazon, X, across Europe has no legal basis (www.iccl.ie)
submitted 1 week ago by [email protected] to c/[email protected]
45 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 1 week ago* (last edited 1 week ago) (33 children)

What is legally defined as personal data in this case? Public usernames, public posts, or private messages to another instance, which states clearly that messages aren't private and to use Matrix instead? Or is there something else?

[–] [email protected] -1 points 1 week ago (32 children)

For the purposes of this Regulation:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

GDPR

Anything connected to your username is personal data. Your votes, posts, comments, settings subscriptions, and so on, but only as long as they are or can be actually connected to that username. Arguably, the posts and comments that you reply to also become part of your personal data in that they are necessary context. Any data that can be connected to an email address, or an IP address, is also personal data. When you log IPs for spam protection, you're collecting personal data.

It helps to understand the GDPR if you think about data protection rights as a kind of intellectual property. In EU law, the right to data protection is regarded as a fundamental right of its own, separate from the right to privacy. The US doesn't have anything like it.

[–] [email protected] 11 points 1 week ago* (last edited 5 days ago) (31 children)

no, that's wrong.

hi, i work in the EU, and the GDPR and related legislation is a big thing we regularly have to consider in our work.

"personal data" is NOT "anything connected to your username".

"personal data" (more correctly, and usually, called PID; Personally Identifiable Data) is data that can be used to identify you, the natural person, not your online persona.

that means: your Social Security Number, your Passport Info, your Drivers License, your Date of Birth in combination with your Birth-Name/Real Name, your Home Address, your religious affiliation, your gender, your sex, your fingerprints, your DNA, etc.

anything that can be used to clearly identify you in real life.

so, for example, if a company requires your phone number and passport to register, they are not allowed to give that to any third party, without the users explicit consent. "Mr. Karl Marx, born 05. May, 1818 in Trier is our customer and here is his passport, phone number, home address, and all the associated data we have on him" <-- this is NOT ok under the GDPR.

on the other hand "OGcommunist1818 posted {seize the means of production today, comrades!}, at 10:30 am, CET, on server 127.0.0.1, which was sent to 10.0.0.1, 10.0.0.2, and 10.0.0.3, into their respective local storage" <-- this is perfectly fine under the GDPR, because none of that is clearly tied to the natural person: "Karl Marx, born 05. May in Trier", even if it really was Karl that posted that, and even if we can guess from the username that it was probably Karl that posted that comment.

sending comments you make, your votes, your posts, etc., to another server is completely fine by the EUs data protection laws for 2 reasons:

  • 1: ~~it's not personally identifying data in the first place~~ whoops, that needs more clarification: IP addresses can be considered personal data, usernames too. but that's about it. everything else lemmy (or Fediverse in general) related in the upstream comment is not considered personal data (upvotes, comments, etc.)
  • 2: you agreed to this information being sent {wherever} when you made your account, so you gave your consent to your data being used in this way.

Our data protection/privacy laws are mostly concerned with data being sent WITHOUT user consent (through sale to third parties, data dumps, data leaks, hacks, etc.), they do not protect you from sharing your personal info with strangers of your own volition.

so, no, the EU does not forbid the fediverse and there certainly are no laws to support that notion.

edit: clarification of something in list point (1). largely irrelevant to the overall discussion, because users always agree to the privacy statement of the instance that hosts their account, but still, technically needed clarification.

[–] WolfLink 1 points 1 week ago

IP addresses could be used to identify someone

load more comments (30 replies)
load more comments (30 replies)
load more comments (30 replies)