Asklemmy

43810 readers

1592 users here now

A loosely moderated place to ask open-ended questions

Search asklemmy 🔍

If your post meets the following criteria, it's welcome here!

Open-ended question
Not offensive: at this point, we do not have the bandwidth to moderate overtly political discussions. Assume best intent and be excellent to each other.
Not regarding using or support for Lemmy: context, see the list of support communities and tools for finding communities below
Not ad nauseam inducing: please make sure it is a question that would be new to most members
An actual topic of discussion

Looking for support?

Looking for a community?

Lemmyverse: community search
sub.rehab: maps old subreddits to fediverse options, marks official as such
!lemmy411@lemmy.ca: a community for finding communities

~Icon~ ~by~ ~@Double_A@discuss.tchncs.de~

founded 5 years ago

MODERATORS

How can an instance comply with GDPR if they're federated? (lemmy.world)

submitted 1 year ago by firipu@lemmy.world to c/asklemmy@lemmy.ml

51 comments fedilink hide all child comments

So if I understand GDPR correctly: If I want a service/business to remove all my personal data, they have to comply with it in a certain timespan or get in trouble with the law.

If I understand federation correctly: All posts get replicated on federated instances all over the fediverse.

My question: If I e.g. want lemmy.world to remove my data, all my posts etc are still up on lemmy.ml right? As they just have a copy of these posts?

Would I as a customer have to contact every single instance to get my data removed? Or how does GDPR compliance work with lemmy?

Or am I completely misunderstanding how GDPR works?

you are viewing a single comment's thread
view the rest of the comments

[–] Hotzilla@sopuli.xyz 4 points 1 year ago

If archive.org, or any other web scraper is able to pull personal information from a site, it means that the site is already breaking the GDPR.

GDPR protects personal information, not public texts.

Because instance holds identifying information about EU citizens (email, nickname), it means that the instance owner is the registery holder, and they must comply with GDPR.

I believe email address of the user is not shared between the instances, what makes things quite good. Nicknames are bit more problematical, because they can be considered as personal identifier.

Some GDPR experts maybe should write template registery document that instances can use. And the delete of account should be handled between instances. Posts do not need to be deleted, but nick should be changed to [deleted]