Have been asking this myself lately.
People always seem to get defensive about this topic, but if an instance gets challenged on a GDPR investigation it could have a huge fine associated to it.
It is good to have this sorted out, so instance owners don't enter a life changing financial risk.
Currently we probably are too small and fly under the radar, but this could become a big problem as the fediverse scales.
Issues I wonder about:
How safe is the Fediverse? Is there a way for a federated instance to misuse the user data? Or can such activity be detected and cause a defedaration.
How easily can all user data be deleted if a request comes in to remove all personal data? Wouldn't that request have to be extended to all instances your instance is currently federated with?
Instances probably wouldn't be able to handle a bad actor (for example Meta, or spez) that decides to start a mass request attack.
Corporations have lawyers that deal with this stuff, I don't feel like most instance owners have the same kind of protection here.
Totally agree, there is really valuable discussion to be had and collectively it needs to be resolved and approached holistically and consistently across as many instances as possible. Just because you’re someone running a tiny server doesn’t mean you can’t get absolutely dragged over the coals for breach and or non-compliance.
Even things like reporting incidents and breaches of the service for each instance - it is very unlikely tiny servers can or will comply with so many aspects of GDPR.
I think the fact that someone could maliciously (or actually, genuinely) report instances now using a relatively straightforward process should be grounds to get the wheels moving on this really!
For example, you can report non-compliance with cookie information in a one page form here: ico.org.uk/…/report-cookie-concerns/. The process for consumers to kick off a potentially serious enforceable action is very straightforward.
GDPR states you must have a specific GDPR policy. It’s absurd all theses comments from uneducated users. Like 1 in 10 have brought in useful pertinent information. This is stuff a privacy office would know on day one fresh out of school.
You can request and download an archive of your content, including your posts, media attachments, profile picture, and header image.
You may irreversibly delete your account at any time.
If this server is in the EU or the EEA: Our site, products and services are all directed to people who are at least 16 years old. If you are under the age of 16, per the requirements of the GDPR (General Data Protection Regulation) do not use this site.
Your IP address and EMail address could be classified as personal data from my point of view. But this won’t be shared or processed outside of the instance as far as I can tell. If your username and associated posts are classified as personal data I can’t say, but there seems no connection of these to your IP or Mail outside the instance. According to this TechDispatch (edps.europa.eu/…/2022-07-26-techdispatch-12022-fe…) the instances still must adhere to GPDR, but as there is not much or no processing of personal data taking place this should pose no issue.
All of this is based on a bit of research, so please enlighten me if I made any mistakes.
In the UK a screen name is an identifier. See ICO here. I am in the UK. Therefore combined with other data being collected, e.g. IP. Lemmy and instances I interact with are handling personal data. If it is transferred between instances when I search or view content from one instance to another, there are GDPR implications.
But e-mail is sent from one entity to another, through servers providing service for one or the other party. Most of Lemmy and Mastodon activities are publicly broadcasted and can be received and collected by any federated server.
Just to be clear - I don't think it is in breach but you have federated servers in various countries, some of which may be owned by entities that do business in the EU making copies of and forwarding messages that contain PII .
Not if they are compliant and handle the data correctly, but yes it is a minefield and pretty strict with potential huge fines for non compliance and breaches! I would not want to be in charge of trying to get it all straight for Lemmy!
Non-federated services keep data on their servers or share it with well-defined set of partners. This can be be done in accordance to GDPR. In fediverse that data is broadcasted to anybody who wants to listen (this make the network open). That is a big difference.
Then message the server admins or you create a PR on the lemmy github page with the missing information. The missing legal footnotes is an issue you have to take up with them or the upstream lemmy repo on github.
This is just at a really high level. Take for example lemdro.id. I am in the UK.
I do not get cookie information / consent
How do I make a SAR request, it isn’t stated
What is their data retention and privacy policy, it isn’t stated
How do I make a data sharing request as a member of law enforcement or government
How is data processed if I am under 16/13
Is data transferred from an EU to non-EU server if I search their content from another instance? Are the correct controls and risk assessments in place
If I delete my .id account under right to be forgotten, how is my request propagated between other instances to ensure my data isn’t retained somewhere on another instance which has pulled the data
If I use an account from another instance and post an image on .id, and then delete my account, is the image I posted deleted from their server and backups etc
GDPR is very serious and an absolute minefield. I am pretty sure Lemmy and individual instances are not compliant, and I am not sure they can be fully - it may have to be on a best-endeavours basis. Be interesting to see how that holds up under a challenge.
If I delete my .id account under right to be forgotten, how is my request propagated between other instances to ensure my data isn’t retained somewhere on another instance which has pulled the data
There's no way GDPR can tell we hosts they are responsible for other platform's copy of data, right? Wouldn't that mean Twitter has to remove tweets from every news article that makes copies, for example, if someone deleted their account under that right?
I mean… It’s pretty explicit in gdpr that the “transfer to non-eu servers” part means you can’t send it via federation in the first place to non-eu servers unless those servers also adhere to gdpr: …europa.eu/…/what-rules-apply-if-my-organisation-…
The answer is that currently federation and Lemmys use of it are not gdpr compliant and the first gdpr case against any Lemmy instance in the eu will force that instance to defederate from all non-eu servers.
I actually question whether GDPR is up for the task of distributed systems like this.
Like, if you put in a right to be forgotten request to your host server, it's not at all clear that they're responsible for the copies of your content that are being hosted elsewhere, any more than asking a news website to remove your personal information from an article requires them to also hunt down anyone else who has copied and spread the story to remove it, too.
Different Lemmy websites are independently owned and operated, and your local admin holds no authority over other admins. They can request deletion on your behalf, if that's a legal requirement, but they cannot compel action. I'm not even sure they can act as your proxy, given that there's no formal relationship between admins.
Yes, I know Yet, can you be more specific as to which parts of those laws (or better groups of laws, GDPR is not one single law as every EU member state does things slightly differently) Lemmy instances are at odds with?
Add comment