this post was submitted on 06 Jul 2023
64 points (98.5% liked)

Asklemmy

44151 readers
2841 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
 

So if I understand GDPR correctly: If I want a service/business to remove all my personal data, they have to comply with it in a certain timespan or get in trouble with the law.

If I understand federation correctly: All posts get replicated on federated instances all over the fediverse.

My question: If I e.g. want lemmy.world to remove my data, all my posts etc are still up on lemmy.ml right? As they just have a copy of these posts?

Would I as a customer have to contact every single instance to get my data removed? Or how does GDPR compliance work with lemmy?

Or am I completely misunderstanding how GDPR works?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 5 points 2 years ago (3 children)

GDPR only applies if the data can be linked to individual.

Only thing in Lemmy that identifies you, is your email. Nickname is not personal information, you cannot be identified from it. If the email is not transferred to another instances, there should not be problem with federation. If user requests GDPR erase, instance just deletes the account, and email linked to it. After this the user is not anymore identifiable, and GDPR is happy.

[–] firipu 14 points 2 years ago

It seems the GDRP does not agree with you:

To what data do the EEA GDPR and the UK GDPR apply?

The EEA GDPR and the UK GDPR apply to all "personal data,” which includes any information relating to a living, identified or identifiable person. Examples include name, SSN, other identification numbers, location data, IP addresses, online cookies, images, email addresses, and content generated by the data subject.

Source

[–] [email protected] 3 points 2 years ago

That's not correct. The nickname is personal data, because it is possible to connect it to the person.

[–] ritswd 0 points 2 years ago* (last edited 2 years ago)

That is the correct answer. Companies abiding by the GDPR are not required to delete your account or content at all, only Personally Identifiable Information (PII). Lemmy instances are unlikely to ask for info such as real name, phone number, postal address, etc; the only PII I can think of is the email that some (not all) instances request. Since it’s not a required field on all instances, I’m going to guess that the value of this field does not travel to other instances.

Therefore, if you invoked the GDPR to request your PII to be deleted, all that would need to happen is for the admin of your instance to overwrite the email field of your account with something random, and it would all be in compliance. Or they could also choose the delete your account, if they prefer.

Source: I’m a software engineer who was tasked at some point with aligning multi-billion-dollar businesses to the GDPR, who had hundreds of millions of dollars in liability if they did it wrong and therefore took it very seriously. I am now a lawyer or a compliance officer, but we took our directions from them directly and across several companies, that’s what they all told us.