As the Fediverse grows more and more, rules and regulations become more important. For example, is Lemmy GDPR compliant? If not, are admins aware of the possible consequences? What does this mean for the growth of Lemmy?

  • MentalEdge@sopuli.xyz
    1 year ago

    Lemmy is GDPR compliant, as far as I know.

    Admins can entirely purge you off their instance, should you ask them to, and other servers do not store any personal details that GDPR would require be deletable. By most interpretations.

    It can be argued that previously federated data that is now out of reach and as such cannot be deleted, could constitute a breach of GDPR.

    • Many versions of Lemmy haven’t been deleting data at all, merely setting a flag in the database that a post has been deleted rather than actually getting rid of the contents.

      As for federated data, deletes do federate. I would say that a server ignoring an authorized delete request would be in violation of the law, but then there’s the matter of a lack of any data processing agreements with other servers.

      I do wonder what the legal implications of servers ignoring deletion requests are. Would Facebook be on the hook for deleted data still being stored on a scraper’s server? Would LinkedIn be liable for all of those sketchy mirrors online? I personally don’t think so. On the other hand, federation is push based, rather than the result of responding to a request from a third party.

      • MentalEdge@sopuli.xyz
        1 year ago

        There’s not just ignoring the request.

        An instance can simply be offline when the request is made. Or be defederated.

        • Defederation is an interesting issue. Perhaps deletes and updates should always be federated, as long as they’re authorized with the proper signature. I honestly don’t know how that’s implemented.

          That said, I’m sure someone contacting the server admin will be able to get their data corrected or deleted.

          Offline servers should get the deletes in most federated software. I’ve seen some slightly troubling modifications to Lemmy (disabling the retry queue because offline servers were clogging up the scheduling mechanism) but that’s not standard as far as I know.

    • Contend6248@feddit.de
      1 year ago

      Personal data posted by the user also falls into this, so they might have to force deleting on any instance hosted by organizations. Individuals or small teams running instances which don’t take money don’t need to comply with GDPR.

      • aski3252@lemmy.world
        1 year ago

        “Individuals or small teams running instances which don’t take money don’t need to comply to GDPR.”

        Are you sure about that? So if I hosted a website that shows your name and address, you could do nothing to make me take it down because I’m not an organisation or company?

    • HobbitFoot@thelemmy.club
      1 year ago

      Yeah, but I imagine that could be handled via email. The tricky thing is to verify that the email is coming from the account in question, but that could be done by posting or commenting a specific phrase.

    • randomaccount43543@lemmy.world
      1 year ago

      Other servers do store personal data. Any post or comment made by a user is personal data as it contains the thoughts/ideas of that user.

      GDPR Art 4.(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

      • MentalEdge@sopuli.xyz
        1 year ago

        That’s one interpretation. One I alluded to.

        But you can also argue that if the person who made the comment is unidentifiable, there is no “natural person” to make the data GDPR related.

        • aski3252@lemmy.world
          1 year ago

          Well that depends on the comment, doesn’t it? As far as I understand it, if I posted personal information about you, such as your name, home address, etc, in a comment, you could demand from the admin to remove that comment as it would contain personal information you don’t want in the open.