this post was submitted on 21 Jun 2023

40 points (76.3% liked)

Lemmy

2172 readers

26 users here now

Everything about Lemmy; bugs, gripes, praises, and advocacy.

For discussion about the lemmy.ml instance, go to [email protected].

founded 4 years ago

MODERATORS

[email protected]

Lemmy (and the fediverse) and GDPR: a clusterfuck waiting to happen? (lemmy.ml)

submitted 1 year ago by [email protected] to c/[email protected]

108 comments fedilink hide all child comments

So, I’m kinda new to this Lemmy thingy and the fediverse. I like the fediverse from a technological standpoint. However, I think that, if we gain more and more traction, Lemmy (and by extend the entire fediverse) is a GDPR clusterfuck waiting to happen. With big and expensive repercussions…

Why? Well, according to GDPR, all personal data from EU users must remain in the EU. And personal data goes really far. Even an IP-address is personal data. An e-mail address is personal data. I don’t think there is jurisprudence regarding usernames, so that might be up for discussion.

Since the entire goal of the fediverse is “transporting” all data to all servers inside the ActivityPub/fediverse world, the data of a EU member will be transported all over the place. Resulting in a giant GDPR breach. And I have no idea who will be held responsible… The people hosting an instance? The developers of Lemmy? The developers of ActivityPub?

Large corporations are getting hefty fines for GDPR breaches. And since Lemmy is growing, Lemmy might be “in the spotlights” in the upcoming years.

I don’t like GDPR, and I’m all for the technological setup of the fediverse. However, I definitely can see a “competitor” (that is currently very large but loosing ground quickly) having a clear eye out to eliminate the competition…

What do y’all thing about this?

top 50 comments

sorted by: hot top controversial new old

[–] apfel 78 points 1 year ago (9 children)

"don't like GDPR"? What's not to like? Best thing that came out of EU regulation in a long time. And as others have noted you seem to be misinformed about what it actually says...

[–] [email protected] 17 points 1 year ago

I also can't wrap my head around “not liking” GDPR

As a relevant example, seems like only citizens covered by GDPR will be able to request Reddit to remove all of their data from Reddit's servers since comment deleting tools and scripts are being bypassed, with loads of comments and even entire profiles getting restored by Reddit admins

load more comments (8 replies)

[–] [email protected] 26 points 1 year ago (38 children)

Well, according to GDPR, all personal data from EU users must remain in the EU. And personal data goes really far. Even an IP-address is personal data.

Thankfully, Lemmy instances do not transport this kind of information about their users to other instances!

load more comments (38 replies)

[–] ulu_mulu 26 points 1 year ago (6 children)

all personal data from EU users must remain in the EU

Create your account on a EU server, problem solved.

Lemmy (fediverse in general) doesn't send account data away, and posts don't qualify as personal data, when you publish something to the internet, it's public by definition.

[–] FantasticFox 4 points 1 year ago (3 children)

I'm not sure this is true. Like imagine someone posts their address in a Lemmy post - I'm pretty sure that counts as PII and they have the right to request its deletion.

[–] ulu_mulu 8 points 1 year ago (1 children)

Like imagine someone posts their address in a Lemmy post

As you write it you can also delete it.

It's still you willingly doing it, not the server spreading your data without your consent, this last case is where GDPR applies.

But it's a very stupid thing to do, never post your personal data in comments.

[–] FantasticFox 2 points 1 year ago (1 children)

If you delete your account are your comments deleted? That's really where the potential problem lies.

load more comments (1 replies)

load more comments (2 replies)

load more comments (5 replies)

[–] [email protected] 14 points 1 year ago (5 children)

I'm not an expert in GDPR and will leave the technical side to those who are, but the fact that the EU actively present at the Fediverse with among others the @EU_Commission represented at their official Mastodon instance, I would be surprised if the GDPR was suddenly weaponised against it.

GDPR was written with the intention of empowering users over corporations. The Fediverse has the same goal.

load more comments (5 replies)

[–] [email protected] 9 points 1 year ago (1 children)

IMO it's pretty much the same case as email. With email you send data to some remote server which may or may not reside in the EU.

I'm not really sure what argument you can make that fediverse apps but not email break gdpr.

Or even something as simple as putting your email on a public website that may be visited by someone in the US.

[–] [email protected] 7 points 1 year ago

You are correct. That's why email is a big topic in GDPR: https://gdpr.eu/email-encryption/

[+] [email protected] 6 points 1 year ago* (last edited 1 year ago) (3 children)

[deleted]

[–] [email protected] 5 points 1 year ago (1 children)

I don't think a TOS will hold up. GDPR (and the implementation per country) is a law. You can't bypass a law with a TOS, I think.

However, I'm definitely not a GDPR expert...

load more comments (1 replies)

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

I second this. Personal data doesn't have to be kept within the boundaries of the EU, but cross-borders transfers has to comply with art. 45, art. 49 (art. 49-1,a. might be useful to back the TOS) and the Schrems ruling of the CJUE.

I don't see much troubles for the fediverse, here.

Edit. Missing word.

[–] [email protected] 2 points 1 year ago

Ok, so I did some checking regarding the location and stuff, since I'm clearly not informed enough about this. However, my point still stands (I think).

Copy pasted from Twilio. I guess they are better aware than I am about the rules...

The general principle for transfers is outlined in Article 44, which can be summed up as saying, if you transfer EU personal data out of the EU, make sure that this data still enjoys the same level of protection it gets under GDPR. In other words, the entity or company that you pass the data to outside the EU must be under a legally binding obligation to follow GDPR data protection principles or the equivalent. (Unlike an outright prohibition on extraterritorial data transfers, this actually makes sense. No point if having rules if those rules get tossed out the window just by moving the data out of the EU.)

and also:

This legally binding obligation can be achieved in multiple ways. Here is a sampling:

1. The entity to whom you pass the data to happens to be in a country that has data protection laws that are just as strong as GDPR (as determined by the EU Commission).
2. The entity to whom you pass the data to agrees by legally binding contract to follow GDPR principles of data protection.
3. The company has enacted Binding Corporate Rules.
4. There is some regulatory-approved code of conduct to which the entity subscribes.

So, if someone opens up an instance in, let's say, Ethiopia or the US, it is not compliant, afaik.

However, question remains about the proxy thingy of the fediverse. Is data copied/stored on other instances OR does it remain on the instance that I subscribed to. And what if that instance is located in a "non-GDPR-compliant-environment"?

[–] [email protected] 5 points 1 year ago (15 children)

Since the entire goal of the fediverse is “transporting” all data to all servers inside the ActivityPub/fediverse world, the data of a EU member will be transported all over the place.

It doesn't work like that, think of your instance being a proxy to the fediverse

[–] [email protected] 6 points 1 year ago (1 children)

Is it? I read somewhere that data effectively gets "copied" to the different instances? But that might be wrong info :p

[–] [email protected] 2 points 1 year ago (3 children)

You're right. If someone from feddit.de subscribes to a lemmy.world community, the entire content of that community is going to be copied to the feddit.de server and that's the exact issue OP is referring to.

[–] [email protected] 3 points 1 year ago (1 children)

the entire content of that community is going to be copied to the feddit.de server

That's not true. The text is being copied, the media is not. Anyone, anywhere in the world, can put tracking pixels on Lemmy posts at any time to log user data. Regardless of the instance used to read it.

load more comments (1 replies)

load more comments (2 replies)

load more comments (14 replies)

[–] nivenkos 5 points 1 year ago

FWIW Hacker News just says it doesn't apply to them as it doesn't count as a service for just a discussion board.

But I think the right of deletion is a bigger issue than where email addresses are stored.

[–] [email protected] 4 points 1 year ago (3 children)

Since the entire goal of the fediverse is “transporting” all data to all servers inside the ActivityPub/fediverse world, the data of a EU member will be transported all over the place.

Not all data is transferred to other servers. That's the point where I think you are wrong.
You mention email and IP addresses as examples of personal data covered by GDPR, but that data is not transferred to other instances, only the instance where you registered holds that data. So you would only need to care about the instance where you registered to be GDPR-compliant.

load more comments (3 replies)

[–] [email protected] 3 points 1 year ago (1 children)

Neil Brown did quite a good write-up on the legal standing of the Fediverse late last year: https://decoded.legal/blog/2022/11/notes-on-operating-fediverse-services-mastodon-pleroma-etc-from-an-english-law-point-of-view

There's a section part way down about GDPR, but the answer is "it depends"

[–] [email protected] 3 points 1 year ago

Thanks! The info actually makes sense. Also, do note that every EU country has their own specific implementation of the GDPR law with very small differences. So this is written according to the UK implementation, but the BE implementation might be just a bit different.

All complicated stuff...

[–] [email protected] 3 points 1 year ago

What do y’all thing about this?

This is why I won't ever run any web service with public registration.

The people hosting an instance are responsible for the informed consent. So if you federate with anyone you need to make sure to inform your individual users about all of your peers, what data they process, and who's the contact for that peer.

This is of course impossible.

If anyone ever sues you, they probably effortlessly win the lawsuit.

[–] [email protected] 2 points 1 year ago

"Exchange with non-compliant platforms can be restricted based on a case-by-case analysis. ": I quote this from an article from European data protection supervisor website https://edps.europa.eu/data-protection/our-work/publications/techdispatch/2022-07-26-techdispatch-12022-federated-social-media-platforms_en. I think the platform will evolve to solve the existing issues such as The right to be forgotten.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)

I‘m in the EU and if I would host an instance here anyway I‘d do it somewhere with less restrictive laws and ideally anonymous. Mostly cause I like piracy though.

load more comments (1 replies)

[–] [email protected] 2 points 1 year ago

Kbin.social and feddit.de are hosted in Germany. That's why I signed up there.

load more comments