this post was submitted on 01 Jul 2023
134 points (97.9% liked)

Selfhosted

40750 readers
795 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

I'd be really keen to host a lemmy instance but just wondering with GDPR and everything, if there is anything else to consider outside of the technical setup and provisioning of hardware?

Lemmy is storing users data so is there any requirement to do anything GDPR wise?

Hope this is the right place for this - But seen a lot of posts interested in hosting their own lemmy instance, and this is an extension of that

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 52 points 2 years ago (34 children)

I'd put a legal blob in the Legal section clearly outlining the nature of the fediverse and making it clear to the user that really deleting stuff from Lemmy is near impossible because every instance has a copy of it. That you'll happily comply and purge the user's data upon request but that it will still be cached on every other server.

I'd be interested to see what lawyers have to say about it. Technically the data sharing is absolutely required by the protocol so it might be okay with the GDPR, but it's also possible that as worded it can't possibly be GDPR compliant. It was designed with big companies like Google, Meta and big advertisers in mind, and didn't really account for decentralized services like the fediverse...

[–] danieljackson 37 points 2 years ago (2 children)

The GDPR doesn't apply only to services hosted in the EU, but any services handling the data of an EU citizen.

This is why some news outlets in the US just decided to block EU users all together, out of laziness.

IANAL, but the GDPR doesn't cover pseudonymous data. Actually the GDPR encourages data processors (= services) to use pseudomization.

Personally identifiable information are IPs, email addresses, street address, name, date of birth, ... Lemmy only collect IPs and email addresses. And these are not shared between instances.

Whether the service is hosted in the EU or not, as long as it serves EU users, lemmy should provide a way to delete emails and ip information in a self serving way. (maybe by deleting the account) In the mean time, instances admins have to fulfil requests to delete emails/ips of EU citizens from the database.

[–] [email protected] 5 points 2 years ago

I'm gonna preface this: IANAL either.

There are also different legal bases for different kinds of data processing. For example, I'm pretty sure ensuring your site's security counts as legitimate interest, and it's pretty common that IP addresses are stored and processed as such. You don't need to remove someone's IP from your access logs just because they asked for it, because your interest in keeping your site secure for both yourself and everyone else outweighs their interest in the privacy of their data. Legitimate interest is the fuzziest of the six legal bases and it doesn't help that advertisers have started attempting to qualify their BS as "legitimate interest" especially in consent forms (if they need your consent it's not legitimate interest, it's user consent, and they really should stop lying) but it still exists to keep things viable.

As a rule of thumb, if you're storing data to provide a service you need to export or delete that data upon request, and if you're doing anything over what's strictly necessary for providing your service you need to ask the user about it. And you're right, this applies to anyone whose instance is used by EU citizens.

Also, pseudonymous data still counts as personal data as long as the pseudonym can be linked back to personally identifiable information. You need to sever this link to comply with a deletion request.

[–] [email protected] 3 points 2 years ago

It's not only IPs and emails though. Since users can put whatever they want in comments and posts, all of those must be treated as potential PII, and have to be included in subject access requests and deletion requests.

load more comments (31 replies)