this post was submitted on 06 Jul 2023
64 points (98.5% liked)

Asklemmy

43913 readers
1510 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

  1. Open-ended question
  2. Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
  3. Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
  4. Not ad nauseam inducing: please make sure it is a question that would be new to most members
  5. An actual topic of discussion

Looking for support?

Looking for a community?

~Icon~ ~by~ ~@Double_[email protected]~

founded 5 years ago
MODERATORS
 

So if I understand GDPR correctly: If I want a service/business to remove all my personal data, they have to comply with it in a certain timespan or get in trouble with the law.

If I understand federation correctly: All posts get replicated on federated instances all over the fediverse.

My question: If I e.g. want lemmy.world to remove my data, all my posts etc are still up on lemmy.ml right? As they just have a copy of these posts?

Would I as a customer have to contact every single instance to get my data removed? Or how does GDPR compliance work with lemmy?

Or am I completely misunderstanding how GDPR works?

top 32 comments
sorted by: hot top controversial new old
[–] [email protected] 27 points 1 year ago* (last edited 1 year ago) (1 children)

It sorta depends on the relationship between federated servers. If your server acts as a data controller and the servers it federated with act as a data processor, then yes indeed your admin would have to contact all those servers to get that data removed.

But I don’t think that’s what the relationship really is. I think your server publishes that data effectively publicly. At that point other servers can take a copy if they want (ie each would be a controller). So you’d have to make a request to each server to get the data removed.

Think about it like this, if you allow some print publication to print your name for some reason, some other companies might keep a copy of that data. Eg an archival company, or perhaps something less nice like a sales leads company. The publication doesn’t have a responsibility to contact them all. Even if, say, they have some relationship, like federation, or for example archival company has a subscription to the newspaper.

So if you want that data deleting you’re going to have to contact every sever that has it.

[–] firipu 10 points 1 year ago (1 children)

Yeah, that sounds like the most correct take. I don't think the EU will be happy with that if ActivityPub really blows up. e.g. if Threads joins the federation (and we don't defederate from their data leeching service), that would become really really complex :)

[–] [email protected] 7 points 1 year ago

Yeah that really could end up being problematic!

Actually not sure how that’s going to go.. presumably it’ll work the same way search engines do cos it’s kinda like holding a copy of public data like they do…

[–] [email protected] 6 points 1 year ago (1 children)

It isn’t a single site or host, and there is no owner. Wouldn’t that be like saying “e-mail must be GDPR compliant”?

[–] firipu 1 points 1 year ago (1 children)

Not as if the GDPR cares about that specifically. Whatever excuse or justification you might have, the law still applies... Mail servers also have to comply with the law.

[–] [email protected] 5 points 1 year ago

To the point of the person you're replying to, I think it may be treated the same as email. For example, if you send an email and it gets forwarded somewhere else, all the "custodian of your data" (lets say google in this example) can do is delete any copies they have on their server. Anything outside of that is outside their responsibility/capacity.

[–] [email protected] 6 points 1 year ago* (last edited 1 year ago) (2 children)

Think of it this way. The way I see it federation is similar to an archival service storing a copy of the data. If reddit deletes all info when requested, but archive.org doesn't delete it. Well it ain't reddit's problem anymore.

Similarly, if a user request data deletion of data in their home instance located in the EU, and as long as the instance honors the request and delete their copy, that instance is not liable for other instances not honoring the deletion request. You might have to request data deletion with each individual instance that has a copy of your data, and it's only enforceable if the instance is in the EU where GDPR applies.

That's my interpretation, correct me if I'm wrong.

[–] [email protected] 3 points 1 year ago

If archive.org, or any other web scraper is able to pull personal information from a site, it means that the site is already breaking the GDPR.

GDPR protects personal information, not public texts.

Because instance holds identifying information about EU citizens (email, nickname), it means that the instance owner is the registery holder, and they must comply with GDPR.

I believe email address of the user is not shared between the instances, what makes things quite good. Nicknames are bit more problematical, because they can be considered as personal identifier.

Some GDPR experts maybe should write template registery document that instances can use. And the delete of account should be handled between instances. Posts do not need to be deleted, but nick should be changed to [deleted]

[–] firipu 1 points 1 year ago

That sounds like a good take. I have no idea if it's correct, but it sounds reasonable.

So I'd have to contact every single instance to get rid of my data, which sounds reasonable, but is practically speaking absolutely impossible.

Lemmy just sounds like a GDPR nightmare for the EU tbh.

[–] [email protected] 5 points 1 year ago (3 children)

GDPR only applies if the data can be linked to individual.

Only thing in Lemmy that identifies you, is your email. Nickname is not personal information, you cannot be identified from it. If the email is not transferred to another instances, there should not be problem with federation. If user requests GDPR erase, instance just deletes the account, and email linked to it. After this the user is not anymore identifiable, and GDPR is happy.

[–] firipu 14 points 1 year ago

It seems the GDRP does not agree with you:

To what data do the EEA GDPR and the UK GDPR apply?

The EEA GDPR and the UK GDPR apply to all "personal data,” which includes any information relating to a living, identified or identifiable person. Examples include name, SSN, other identification numbers, location data, IP addresses, online cookies, images, email addresses, and content generated by the data subject.

Source

[–] [email protected] 3 points 1 year ago

That's not correct. The nickname is personal data, because it is possible to connect it to the person.

[–] ritswd 0 points 1 year ago* (last edited 1 year ago)

That is the correct answer. Companies abiding by the GDPR are not required to delete your account or content at all, only Personally Identifiable Information (PII). Lemmy instances are unlikely to ask for info such as real name, phone number, postal address, etc; the only PII I can think of is the email that some (not all) instances request. Since it’s not a required field on all instances, I’m going to guess that the value of this field does not travel to other instances.

Therefore, if you invoked the GDPR to request your PII to be deleted, all that would need to happen is for the admin of your instance to overwrite the email field of your account with something random, and it would all be in compliance. Or they could also choose the delete your account, if they prefer.

Source: I’m a software engineer who was tasked at some point with aligning multi-billion-dollar businesses to the GDPR, who had hundreds of millions of dollars in liability if they did it wrong and therefore took it very seriously. I am now a lawyer or a compliance officer, but we took our directions from them directly and across several companies, that’s what they all told us.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago) (1 children)

Someone correct me if I’m wrong but GDPR doesn’t apply fully to small organizations (less than 250 employees) and mostly only applies if you offer goods and services which is not the case if you’re running a Lemmy instance. If you’re an instance owner with no employees because you’re not a registered business of any sort, you’re not on the hook for anything

Then again, I am neither European or knowledgeable in GDPR so someone please correct me if I’m wrong.

Edit: I am wrong see below

[–] [email protected] 9 points 1 year ago (1 children)

This is incorrect, GDPR is any registery, company size or even profit/nonprofit is not relevant. Even it being digital/in paper is not relevant. If EU citizen is identifiable in registery, it must comply with GDPR.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

Apologies and thank you for the clarification, I was reading an earlier draft of GDPR that had information on companies with fewer than 250 employees. Not sure how Lemmy instances fall under this though, do you know?

Businesses that are not engaged in processing of the personal data listed in Article 9 or Article 10 do not need to appoint a data protection officer (DPO or DPO as a Service) unless they are engaged in regular and systematic monitoring of data subjects on a “large scale”.

I would also assume that deleting your information would only apply to the information located on the server and anything that’s already been propagated is up for grabs unless you request it from someone. Not sure how Lemmy as a software is responsible for being GDPR compliant. Again, I don’t know anything about GDPR teehee

[–] [email protected] 2 points 1 year ago (1 children)

That quote from GDPR talks about specific job role that large company is by-law requires to have, called data protection officer. He/She is responsible that company is GDPR compliant.

[–] [email protected] 1 points 1 year ago

Ahh! Thank you

[–] firipu 3 points 1 year ago

Not sure if this is the right community to ask? It's not really a technical support question, just a general lemmy question.

[–] kromem 3 points 1 year ago* (last edited 1 year ago) (1 children)

The solution will be really simple and probably arrive in the next 12 months.

You just federate the removal requests too as part of the Lemmy API.

[–] [email protected] 1 points 1 year ago (1 children)

That feels potentially incomplete, because there's still the question of how to deal with an instance that refuses to honor federated removal requests, or which claims to but lies and secretly keeps a backup. If for example the legal/regulatory system was to decide that the original instance was responsible for ensuring user data is deleted even from federated servers, then the potential existence of such non-deleting servers would be a huge problem for the network as a whole.

[–] kromem 3 points 1 year ago* (last edited 1 year ago)

As soon as the content moves to another server, it's their liability to comply.

If you scrape a website, the website removing a user's PII in response to a GDPR request is not contingent on you also deleting what you scraped.

Federation of removal requests would simply ease the flow of compliance for both hosts and users.

If certain hosts decide to ignore the requests and the GDPR, that's up to them.

[–] [email protected] 1 points 1 year ago

I think you might have to contact all the instances yourself, depending on what the relationship between the instances is. Neither instance is really contracting with the other for data processing; it's more like one instance publishes something and the other instances download and republish it, and everyone agrees that that is what they are supposed to do. So if you and your affiliates have to delete someone's data from a GDPR demand, it can't really apply to just other people who copied it?

I am, of course, three European lawyers in a trench coat, and this is impeccable legal advice that physically cannot be wrong.

[–] [email protected] 1 points 1 year ago (1 children)

Lemmy was created before GDPR.

Volunteers probably have not implemented GDPR and may not, or might.

[–] [email protected] 0 points 1 year ago (1 children)

GDPR was made in 2016. Lemmy is 4 years old

[–] [email protected] 1 points 1 year ago

And you know the first thing devs do when they start writing code? They look up laws drafted by non technical people to ensure they are fully in compliance. The priority of lemmy all this time has been GDPR compliance, the fact that the app looks and functions similar to reddit is an afterthought.

[–] [email protected] 0 points 1 year ago

This was discussed in depth yesterday, removing per rule #4.

[–] [email protected] -1 points 1 year ago (1 children)

Why do you think Lemmy is GDPR compliant?

[–] firipu 3 points 1 year ago (2 children)

No idea. That's why I am asking.

I just feel that if Lemmy keeps growing, the EU will eventually take notice and consider implementing requirements/measures/regulations...

But I guess it's not just lemmy, but also any other fediverse (or any other decentralized) service. Just curious

[–] [email protected] 4 points 1 year ago (1 children)

Practically speaking, can they actually regulate it, beyond going after instance owners that are themselves based in the EU? I mean, they can pass laws, but given that instances are not large companies that might want to do business in Europe, I'm not sure what stops an instance owner not located within their jurisdiction from just ignoring them and not paying any levied fines or similar. They could require ISPs then block that instance or something I suppose but keeping up with an evolving list of tiny websites that don't necessarily advertise themselves much and so might slip under regulator's radar for awhile is probably much more difficult to block compared to a single corporate run site.

Not that I'm suggesting that Lemmy shouldn't make an effort to comply with regulations requiring people be able to delete their data, if anything, such a system if successful would make it harder for companies to take advantage of it by setting up servers to secretly collect what data they can, for example, I'm just questioning if it's really possible for a government to meaningfully enforce rules on some small group of random mostly volunteer people who may likely be operating from another country anyway.

[–] firipu 1 points 1 year ago

Haha, that's also very true :).

[–] [email protected] 1 points 1 year ago

the EU will eventually take notice and consider implementing requirements/measures/regulations...

The regulation is already here LOL. The GDPR is the regulation.

If somebody accuses you, then some court is going to judge.

load more comments
view more: next ›