this post was submitted on 05 Mar 2024
68 points (86.2% liked)

Privacy

31942 readers
612 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

I dont really use it much tbf just thought it was a cool project but I've just read about how lemmy instances can be fined for not complying with GDPR Read more

top 28 comments
sorted by: hot top controversial new old
[–] [email protected] 79 points 8 months ago* (last edited 8 months ago) (1 children)

Nobody has actually fined any instance yet, and they are not going after your little instance if they start doing it.

It would be Lemmy.world first as a target because of their size and the entire lemmy network would not stop talking about it for weeks.

[–] [email protected] 24 points 8 months ago (1 children)

Sometimes establishing a precedent with a weaker party is a good strategy though. It even went as far as litigating known parties for piracy issues. Anything is fair game to some actors.

Thought for GDPR most actors are legit and the actions have merits. Shoutout to Mr Schrems for example.

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago) (1 children)

AFAIK European law isn't often based on common law, but Napoleonic Code / civil law. Ie. precedent is less relevant.

Also, given Meta's been fined 2.5 billion euros in the past few years, it sounds like they're going after the big guys first.

[–] [email protected] 1 points 8 months ago

It’s absolutely not based on common law indeed but you can be sure that precedents are still a big thing especially for such regulations… we are watching like awks what’s happening everywhere because we know there will be a lot of consistency both on decisions but also on the topics being pursued.

[–] [email protected] 38 points 8 months ago

I mean, if nobody uses the instance, you absolutely can delete it. Oh and the Lemmy devs should fix the deletion issues asap. It's really not ok for quite a big social media to have them

[–] [email protected] 20 points 8 months ago (2 children)

Is this a private instance with no other user accounts? If so I would not worry.

[–] [email protected] 15 points 8 months ago* (last edited 8 months ago) (1 children)

Technically he must still comply especially with data subject rights / request for deletion.

Now I wonder how that would work in practice, considering the underlying technology which is akin to what I manage (telco / isp) and where a lot of principles are still vague to implement.

Like when we get request to delete personal data sometimes some has been transmitted by nature of the service and a lot of actors have legitimate interest in processing / keeping the data for a while.

But generally it’s not about the content of a transmission but more the attached metadata used for billing and such.

Anyway it’s very interesting to watch, preferably from a distance.

[–] [email protected] 6 points 8 months ago (1 children)

Unless he gets a direct request he’s not bound by the requests other instances get. Which actually brings up something interesting. Because of the way the data is shared, someone wanting to delete data would have to contact all instances one by one which is function impossible.

[–] [email protected] 2 points 8 months ago (2 children)

Yeaahhhh I don’t know about that… likely all instances are processors. And the on he subscribe to would be controller. Somewhat because to my knowledge no one really decides of particular treatment of the user data (it’s all rather communist architecturally). So maybe every instance would be join controller…

And in the end up to the (join) controller to cascade the request. That’s part of why it’s a thing of beauty to watch it happen on the feddiverse 😅

[–] [email protected] 1 points 8 months ago

It's definitely not impossible to contact all instances; it's a finite list. But we should have a tool to make this easier. Something that can take a given username or post, do a search, find out all the instances that it federated-to, get the contact for all of those instances, and then send-out a formal "GDPR Erasure Request" to all of the relevant admins.

[–] [email protected] 0 points 8 months ago (1 children)

And for any of those “processors” outside of the EU? Good luck. I could stand up a processor anywhere outside the EU, get all of the feed data and 1) good luck finding it, me, or where it’s at. And 2) removing it. There’s no centralized authority to fine.

[–] [email protected] 2 points 8 months ago (1 children)

As long as they process data of European citizens it’s applicable. See all gdpr fines imposed…. Now the execution / collection would be a bitch but I could imagine à order to stop processing the data imposed to European instances…

I mean pretty crazy things can happen. See the various adequacy decisions / appeals by Mr Schrems; I cannot give guidance with a life expectancy of more than 1 year given the instability of the application of the regulation.

Not that I’m complaining ; it feeds me :)

[–] [email protected] 1 points 8 months ago

“Now the execution / collection would be a bitch”. That’s my point. It’s basically unenforceable as they would have to go after every federated instance on the internet, including knowing every single person that spun up their own instance, so basically this law would be pointless. It’s better leveraged against companies, not small individual entities, so good luck utilizing it.

[–] [email protected] 3 points 8 months ago

Im the only one that uses this instance but its federated

[–] [email protected] 12 points 8 months ago (1 children)

While the post you link to is new to me, thank you for sharing, the underlying issues associated with running your own instance are what has stopped me from running my own at this stage.

If the only person on your own instance is you, then none of this really matters, since you are the master of your own destiny. As I understand it, the GDPR doesn't apply.

The moment you let anyone else create an account however, there's a liability. You become exposed to whatever they say in their account on your instance and other laws start applying.

What I mean by that is as I understand it, any illegal or undesirable activity conducted by an account holder on something you control becomes a legal minefield for you. And you'll be stuck in the middle between the account holder and the world. Things like the GDPR may apply, but that likely depends on their location.

So, if your instance is just you, no need to delete it. If it's more, then I'd be thinking long and hard about who else is there with you.

Finally, consider the implications of taking money from account holders to finance your instance, now there's a financial contract between you and them.

[–] [email protected] 1 points 8 months ago (1 children)

That would be true if their instance wasn't federating. If the instance is federating, then it's downloading content from other users, even if the user isn't registered on the instance. And that content is publicly available.

So if someone discovers their content on their instance and sends them a GDPR request (eg Erasure), then they are legally required to process it.

[–] [email protected] 1 points 8 months ago

I do not believe that is true, but I'm happy to be wrong.

[–] [email protected] 2 points 8 months ago (1 children)

IMO the fines are made to sound scary, and are relevant for large corpos, but the ICO or whatever body for your country, has no interest in prosecuting an individual. What is a ‘percentage of revenue’ on something that makes no revenue anyway.

Even if they did take interest it would start with an opportunity to correct things before prosecution.

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago)

The fines usually are a percent of revenue or millions of Euros, whichever is higher.

So if your revenue is 0 EUR then they can fine you the millions of Euros instead. The point of the “percent of revenue” alternative was for larger corporations that can get fined tens or hundreds of millions of Euros (or, as it happened to Meta, in some cases -- billions of Euros for a single GDPR violation).

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago)

Personally I wouldn't run a lemmy instance because of this (and also many other concerns)

I recommend [a] letting the lemmy devs know (eg on GitHub) that this issue is preventing you from running a lemmy instance and [b] donating to alternative projects that actually care about data privacy rights.

[–] [email protected] 0 points 8 months ago* (last edited 8 months ago) (1 children)

Can't you simply wait for a complaint to actually make that call?

From a privacy perspective, owning a federated server doesn't really do much for your data except for providing a "home base" that's a little more under your control.

A little.

AFAIK if you get banned from a community, you lose the ability to delete your content on it. If your post on a community gets removed, it also seems to vanish (so I'm not sure how deleting it works)...

Edit: apparently this answer is wrong, now if people could reply with reasons, that would be more helpful.

[–] [email protected] 2 points 8 months ago (1 children)

if you get a letter because you violate the gdpr thing you have to pay. there is no 'it looks like you do something wrong. stop it or you will be fined'

then again the fine is based on yearly profit, if op is not a company the gdpr should not be a big problem. (but still could be)

[–] [email protected] 1 points 8 months ago* (last edited 8 months ago)

The fines usually are a percent of revenue or millions of Euros, whichever is higher.

So if your revenue is 0 EUR then they can fine you the millions of Euros instead. The point of the “percent of revenue” alternative was for larger corporations that can get fined tens or hundreds of millions of Euros (or, as it happened to Meta, in some cases -- billions of Euros for a single GDPR violation).