this post was submitted on 04 Jul 2023
61 points (93.0% liked)

sh.itjust.works Main Community

7733 readers
1 users here now

Home of the sh.itjust.works instance.

Matrix

founded 2 years ago
MODERATORS
TheDude
manifex
biela
imaqtpie
61
Deleted comments can still be read by apps (sh.itjust.works)
submitted 1 year ago by FlagonOfMe to c/main
11 comments fedilink hide all child comments
 

I understand that very few (or no) websites actually delete anything. They just mark them as "deleted". But this usually means that once something is deleted, users have no ability to see the deleted data. This doesn't seem to be the case with Lemmy.

I've been trying out the Android app called Connect for Lemmy, and it shows the contents of all deleted comments with a "DELETED" word on them. See the uploaded screenshot.

This seems bad to me. Users expect that deleted comments are no longer viewable, and won't be returned by Lemmy's API. Lemmy still shows the username of the deleted comments, which was bad enough, but now I'm seeing that it doesn't prevent apps from seeing the deleted comments.

What are your thoughts on this?

you are viewing a single comment's thread
view the rest of the comments
[–] mod 12 points 1 year ago* (last edited 1 year ago) (2 children)

This seems to be non-compliant to the GDPR:

Under Article 17 of the UK GDPR individuals have the right to have personal data erased. This is also known as the ‘right to be forgotten’.

[–] Enkers 4 points 1 year ago* (last edited 1 year ago)

I wonder if Lemmy instances run by a person (and for personal reasons, i.e. with no intent to generate profit) would qualify for Article 2(c) exemption from the GDPR:

This Regulation does not apply to the processing of personal data:

by a natural person in the course of a purely personal or household activity;

I'm not sure how a judge would interpret "purely personal" in this context. There seems to be some discussion of the matter at the following link, which leads me to think it would not be exempt:

https://law.stackexchange.com/questions/28070/would-gdpr-affect-my-own-personal-website

[–] [email protected] 4 points 1 year ago

This is also non-compliant with Brazilian's LGPD

Art. 3 This Law applies to any processing operation carried out by natural persons or legal entities of public or private law, regardless of the medium, the country of their headquarters or the country where the data is located, provided that:

...

III - the personal data object of the treatment have been collected in the national territory.

§ 1 - Personal data is considered to be collected in the national territory if the data subject is located there at the time of collection.

...

Art. 18 The holder of personal data has the right to obtain from the controller, in relation to the data subject's data processed by the controller, at any time upon request:

...

VI - erasure of personal data processed with the consent of the data subject, except in the cases foreseen in art. 16 of this Law;

Not that I care about what my country's law says, but I fond it ironic that a free, decentralized platform violates laws of data protection