this post was submitted on 06 Jul 2023
10 points (100.0% liked)

Asklemmy

44323 readers
1232 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
[email protected]
[email protected]
[email protected]
[email protected]
10
How can an instance comply with GDPR if they're federated? (lemmy.world)
submitted 2 years ago by [email protected] to c/[email protected]
14 comments fedilink hide all child comments
 

So if I understand GDPR correctly: If I want a service/business to remove all my personal data, they have to comply with it in a certain timespan or get in trouble with the law.

If I understand federation correctly: All posts get replicated on federated instances all over the fediverse.

My question: If I e.g. want lemmy.world to remove my data, all my posts etc are still up on lemmy.ml right? As they just have a copy of these posts?

Would I as a customer have to contact every single instance to get my data removed? Or how does GDPR compliance work with lemmy?

Or am I completely misunderstanding how GDPR works?

top 14 comments
sorted by: hot top controversial new old
[–] planish 1 points 1 year ago

I think you might have to contact all the instances yourself, depending on what the relationship between the instances is. Neither instance is really contracting with the other for data processing; it's more like one instance publishes something and the other instances download and republish it, and everyone agrees that that is what they are supposed to do. So if you and your affiliates have to delete someone's data from a GDPR demand, it can't really apply to just other people who copied it?

I am, of course, three European lawyers in a trench coat, and this is impeccable legal advice that physically cannot be wrong.

[–] [email protected] 0 points 2 years ago* (last edited 2 years ago) (1 children)

Someone correct me if I’m wrong but GDPR doesn’t apply fully to small organizations (less than 250 employees) and mostly only applies if you offer goods and services which is not the case if you’re running a Lemmy instance. If you’re an instance owner with no employees because you’re not a registered business of any sort, you’re not on the hook for anything

Then again, I am neither European or knowledgeable in GDPR so someone please correct me if I’m wrong.

Edit: I am wrong see below

[–] [email protected] 1 points 2 years ago

This is incorrect, GDPR is any registery, company size or even profit/nonprofit is not relevant. Even it being digital/in paper is not relevant. If EU citizen is identifiable in registery, it must comply with GDPR.

[–] rarely -1 points 1 year ago (2 children)

Lemmy was created before GDPR.

Volunteers probably have not implemented GDPR and may not, or might.

[–] newIdentity 2 points 1 year ago (2 children)

GDPR was made in 2016. Lemmy is 4 years old

[–] rarely 2 points 1 year ago (1 children)

And you know the first thing devs do when they start writing code? They look up laws drafted by non technical people to ensure they are fully in compliance. The priority of lemmy all this time has been GDPR compliance, the fact that the app looks and functions similar to reddit is an afterthought.

[–] newIdentity 1 points 1 year ago* (last edited 1 year ago) (1 children)

It's not like the devs care about laws since one of the main motivations of creating Lemmy was to create a space where pirated media could be shared. That's why [email protected] exists

Dessaline said that multiple times in the past before Lemmy gained such traction. He's also the dev of TorrentCSV

[–] rarely 0 points 1 year ago (1 children)

1 contributor’s opinion and the existence of one community does not an argument make.

the devs don’t care about laws, if you want to put it so broadly, because the devs aren’t the ones who would get in trouble here, anyway. instance owners would likely catch the most trouble, especially because you can also add your own gdpr compliance if you want to.

also most devs aren’t facebook. most devs don’t really care too much about tracking users. the commercial sector on the other hand…

[–] newIdentity 1 points 1 year ago (1 children)

But the devs are also instance owners.

[–] rarely 0 points 1 year ago (1 children)

Not all of them are! I could contribute to the code base right now and I don’t have an instance.

[–] newIdentity 1 points 1 year ago (1 children)

Lemmy.ml is and Lemmygrad.ml was

[–] rarely 0 points 1 year ago

My point still stands.

[–] bernieecclestoned 1 points 1 year ago

Lemmy is based on stuff that's a lot older I think

https://en.wikipedia.org/wiki/ActivityPub

[–] Ziggurat 1 points 1 year ago

Many countries had laws regarding personal data long before GDPR, which is basically EU countries agreeing on the lowest acceptable common minimal.

At least in french law it's still the 70's that you can access your personal data and get them deleted on request, at the time of phpBB forum, you had to fill a form informing the data-protection authority that you were collecting some user data.

I don't know enough how lemmy works internally, but I believe that activity pub includes a synchronization aspect, if you erase a post it will get erased from other instance's cache too. Moreover, one has to check the definition of personal data. An e-mail address or an IP address + timestamp are personal data. But is an internet nickname an unique identifier ?