this post was submitted on 26 Jul 2023

56 points (93.8% liked)

Ask Lemmy

26238 readers

2334 users here now

A Fediverse community for open-ended, thought provoking questions

Rules: (interactive)

1) Be nice and; have fun

Doxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can't say something nice, don't say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them

2) All posts must end with a '?'

This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?

3) No spam

Please do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.

4) NSFW is okay, within reason

Just remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either [email protected] or [email protected]. NSFW comments should be restricted to posts tagged [NSFW].

5) This is not a support community.

It is not a place for 'how do I?', type questions. If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email [email protected]. For other questions check our partnered communities list, or use the search function.

Reminder: The terms of service apply here too.

Partnered Communities:

Logo design credit goes to: tubbadu

founded 1 year ago

MODERATORS

[email protected]

candyman337

[email protected]

Can Lemmy and the GDPR walk hand in hand? (lemmy.world)

submitted 1 year ago* (last edited 1 year ago) by [email protected] to c/[email protected]

16 comments fedilink hide all child comments

Hello fellow Lemmings!

Title. Is it possible for Lemmy to abide by the GDPR given that you can't delete info from other instances?

top 16 comments

sorted by: hot top controversial new old

[–] [email protected] 45 points 1 year ago (4 children)

Reposting what I posted here a while ago.

Companies abiding by the GDPR are not required to delete your account or content at all, only Personally Identifiable Information (PII). Lemmy instances are unlikely to ask for info such as real name, phone number, postal address, etc; the only PII I can think of is the email that some (not all) instances request. Since it’s not a required field on all instances, I’m going to guess that the value of this field does not travel to other instances.

Therefore, if you invoked the GDPR to request your PII to be deleted, all that would need to happen is for the admin of your instance to overwrite the email field of your account with something random, and it would all be in compliance. Or they could also choose the delete your account, if they prefer.

Source: I’m a software engineer who was tasked at some point with aligning multi-billion-dollar businesses to the GDPR, who had hundreds of millions of dollars in liability if they did it wrong and therefore took it very seriously. I am not a lawyer or a compliance officer, but we took our directions from them directly and across several companies, that’s what they all told us.

[–] [email protected] 16 points 1 year ago (1 children)

On the other hand, the GDPR's concept of "personal data" is extremely broad, much more so than the US concept of PII. Personal data is any information relating to an identifiable person. Pseudonymous info is still personal under this definition. Online usernames or social media handles are identifiers, and any linked info (e.g. posts, comments, likes) is personal data as well.

So Lemmy and other Fediverse stuff is well within the GDPR's material scope.

However, the GDPR's "right to erasure /to be forgotten" is more nuanced. It doesn't quite always apply (though usually does). OP very likely has the right to request deletion from individual instances.

Posts have been published through federation. The GDPR anticipates this (I think in Art 17(2)): if personal data has been made public by the data controller, and erasure is requested, then the data controller is obliged to take reasonable steps to notify other controllers of this.

The ActivityPub protocol has built-in support for sending out such deletion notifications, and last time I checked Lemmy implements this. Of course the receiving instance might not honor this, but that's outside of the responsibility of the initial data controller.

While I'm not entirely convinced that everything here is 100% compliant, federation is less of a compliance issue than it might seem.

[–] [email protected] 1 points 1 year ago

Right, and in my case to be clear, it was all businesses headquartered in the US, doing business in Europe, and getting compliant with Europe’s GDPR. I have no idea if it was any different if the businesses were headquartered in Europe (guessing no), but I thought I’d confirm that was the situation.

[–] [email protected] 2 points 1 year ago (1 children)

Companies abiding by the GDPR are not required to delete your account or content at all, only Personally Identifiable Information (PII).

That's a Usamerican point of view, and when we are talking about the EU's GDPR, it is wrong.

You need to talk about all data that is, or can be, related to a person.

[–] [email protected] 3 points 1 year ago (1 children)

If I've got it right it's anything that can directly or indirectly identify you. I would've thought most things here wouldn't fall under gdpr except maybe email addresses or if they've specifically mentioned something identifiable in comments or posts. One other thing I think that might be a problem is the data on pictures from a phones camera might indicate where and when it was taken which could narrow down that users location. I know some hosting sites strip this data but some might keep it.

[–] [email protected] 2 points 1 year ago

anything that can directly or indirectly identify you

No.

Anything that is related to you as a person. This is more than the things that identify you. For example things that you have done, places where you have been ... comments that you have written.... You could say: all that your stalker wants to know about you.

I would've thought most things here wouldn't fall under gdpr except maybe email addresses

All things here fall under the GDPR, but maybe not all things must be deleted on user's request. That is a different question then! For example, one could argue that by posting an article or a comment, the user has agreed that it gets published here and then it cannot be taken back.

[–] [email protected] 2 points 1 year ago (1 children)

I'm not a law expert or anything like that, but as far as I understand it, personally identifiable information could potentially also apply to public comments or posts that contain personal information. For example, if I posted revenge-porn of you on lemmy (or any personal information), you would have the right to demand it being deleted.

Is that not a correct interpretation?

[–] [email protected] 1 points 1 year ago

Yeah, there were different interpretations there from different counsels. It went from “well, they put it there and we don’t store it anywhere else, so nobody is preventing them from removing it, we don’t need to do anything”, with some “oh this field is actually durably stored somewhere else (such as an olap db or something), so either we need to scrub it there too when someone changes a value, or we can just add a ‘don’t share personal information in this field’ little label on the form”; to doing that kind of stuff on all fields.

Overall, the feeling was that we needed to do best effort depending on how likely it would be for a field to durably contain personal info, for it to smell a judge’s smell test that it was done in good faith, as is often the case in legal matters.

[–] [email protected] 1 points 1 year ago

Thank you for this valuable information!

[–] [email protected] 18 points 1 year ago

I guess we should have a look at how Mastodon admins deal with this kind of situations

[–] [email protected] 7 points 1 year ago

I might be completely wrong here, but I don't believe that the GDPR requires that the user themselves can delete the information. I imagine that as long as instance owners / admins delete user data upon the user's request to do so, that they'd be operating within GDPR standards.

But again, I probably don't know enough about GDPR to be commenting on it :P

[–] [email protected] 5 points 1 year ago

Well, think about some similar situations.

If you post something on a public website and it gets indexed by search engines, how does that work? Or how about sending email to a mailing list that subsequently sends it on to all the recipients?

In each case those organisations would likely be data controllers rather than processers, so would need a privacy policy, decide on their legitimate basis for processing, mechanisms to handle SAR/RTBF/etc. My guess is Lemmy servers would need the same thing.

[–] [email protected] 3 points 1 year ago (1 children)

Yes, because the same argument can be said with virtually any other website ever that gets cached. Does GDPR no longer exist because InternetArchive, or Google caches your data? When data leaves your server, it's simply out of your hands, and it's impossible to prevent in the current state of the web.

[–] [email protected] -4 points 1 year ago (1 children)

'Impossible' does not change the law, but maybe it tells you what you should (not) start doing

[–] [email protected] 6 points 1 year ago

What, redesign the entire internet? Let me know if you're the first one to invent a way to stop data scraping and caching lmao. That is by design of the internet.