Asklemmy

43394 readers

1826 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

Open-ended question
Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
Not ad nauseam inducing: please make sure it is a question that would be new to most members
An actual topic of discussion

Looking for support?

Looking for a community?

Lemmyverse: community search
sub.rehab: maps old subreddits to fediverse options, marks official as such
!lemmy411@lemmy.ca: a community for finding communities

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago

MODERATORS

123

Lemmy and GDPR - What is the current state? (lemmy.world)

submitted 1 year ago* (last edited 1 year ago) by NewBrainWhoThis@lemmy.world to c/asklemmy@lemmy.ml

88 comments fedilink hide all child comments

As the Fediverse grows more and more, rules and regulations become more important. For example, is Lemmy GDPR compliant? If not, are admins aware of the possible consequence? What does this mean for the growth of Lemmy?

Edit: The question "is Lemmy GDPR compliant" should mean, does the software stack provide admins with means to be GDPR compliant.

Edit2: Similar discussion with many interesting opinions on lemmy.ml by /u/infamousbelgian@waste-of.space--> https://lemmy.ml/post/1409164

Edit3: direct link to philpo great answer-->https://feddit.de/comment/840786

you are viewing a single comment's thread
view the rest of the comments

[–] skullgiver@popplesburger.hilciferous.nl 8 points 1 year ago (2 children)

The GDPR applies to any instance collecting personal data about EU citizens (and probably adjacent countries with similar laws). You can choose to ignore the law if you don't do any business in the EU and don't plan on ever going there, but you can't decide whether or not it applies to you.

I think the general consensus on GDPR compliance for federated networks is "we'll see about it when someone complains". I doubt any DPA is going to waste time on a random hobby instance or even a medium sized public instance since the only personal information you're even collecting on here is either public data (your posts), your username and password, and your IP address. Federating instances don't even receive the last bits of information.

I can see someone starting a lawsuit against a standards incompliant server that ignores deletes and edits, though.

As for portability, such an export should be quite easy to accomplish; fetch someone's account data from the database, add in that person's ActivityPub outbox, and you're pretty much done. The GDPR provides you with 30 days to comply with requests but this data shouldn't take more than a few seconds to extract.

Seeing as the development of Lemmy is sponsored by NLNet (a Dutch organisation) I'm sure someone will have thought about it at some point at least!

[–] cakeistheanswer@lemmy.fmhy.ml 2 points 1 year ago (3 children)

Isn't the key operating word here business?

With no advertising on the line and no operations currently in place operating at anything but a loss there isn't a commercial interest at stake.

[–] skullgiver@popplesburger.hilciferous.nl 3 points 1 year ago

Charities and other types of non profits have to comply with the GDPR too. Just because you're not making any money doesn't mean you can ignore privacy law.

I think it also depends on how you tell the tax authority about your donations. There are tax rules about gifts versus donations versus income. It can easily be beneficial to report donations as income for some small company rather than pay tax over donations, depending on the country where you live. Alternatively, you could commit tax fraud and not report the donations at all, but then privacy law is probably not your biggest concern.

[–] firipu@lemmy.world 3 points 1 year ago

Governments also have to comply with GDPR. They also have no commercial interest in the personal data.

[–] philpo@feddit.de 2 points 1 year ago

Nope, GDPR does not limit itself on businesses. It applies to all data collection.

[–] seacocker@lemmy.world 1 points 1 year ago* (last edited 1 year ago) (1 children)

My statement about it being up to those running instances is mean in terms of it's up to them to read the legislation and come to a conclusion. If I were hosting an instance I'd certainly assume it applied, though I doubt there has been any case testing its implementation in this sort of situation.

I can see someone starting a lawsuit against a standards incompliant server that ignores deletes and edits, though.

I wonder if the first data breach will draw the attention of a regulator. We're all using essentially alpha software, with no privacy notice, I doubt there are RoPAs or DPIAs, I doubt there is a DPO.. all those things might upset someone like the ICO in the UK if a breach were to occur.

Edit: saying that, I'm not sure any breach would even be reportable given what data is collected by Lemmy.

[–] skullgiver@popplesburger.hilciferous.nl 1 points 1 year ago

I'm not even sure what a data breach would look like. I'm guessing the server logs which include the IP addresses, usernames, and password hashes?

If this does go wrong, I'm wary of what will happen. I'm pretty sure Fediverse servers are on thin ice.