8
GDPR
(lemmy.world)
A community to talk about the Fediverse and all it's related services using ActivityPub (Mastodon, Lemmy, KBin, etc).
If you wanted to get help with moderating your own community then head over to !moderators@lemmy.world!
Learn more at these websites: Join The Fediverse Wiki, Fediverse.info, Wikipedia Page, The Federation Info (Stats), FediDB (Stats), Sub Rehab (Reddit Migration), Search Lemmy
Disclaimer: I have no law degree and everything in this post is speculative.
After reading up on GDPR (https://en.wikipedia.org/wiki/General_Data_Protection_Regulation) it deals with the transfer of personal data to entities outside the EU or EEA for processing. The definition of personal data would be the main point to see if/how GDPR is applicable to lemmy instances. (https://en.wikipedia.org/wiki/Personal_data)
Your IP address and EMail address could be classified as personal data from my point of view. But this won't be shared or processed outside of the instance as far as I can tell. If your username and associated posts are classified as personal data I can't say, but there seems no connection of these to your IP or Mail outside the instance. According to this TechDispatch (https://edps.europa.eu/data-protection/our-work/publications/techdispatch/2022-07-26-techdispatch-12022-federated-social-media-platforms_en) the instances still must adhere to GPDR, but as there is not much or no processing of personal data taking place this should pose no issue.
All of this is based on a bit of research, so please enlighten me if I made any mistakes.
In the UK a screen name is an identifier. See ICO here. I am in the UK. Therefore combined with other data being collected, e.g. IP. Lemmy and instances I interact with are handling personal data. If it is transferred between instances when I search or view content from one instance to another, there are GDPR implications.
Here is the information I have on your user ID as an operator of a remote instance.
1: Your username and home instance (and a separate link to your profile page on your home instance)
2: Your avatar
3: Your about info
4: Date/time of your last activity (but that I think will be the last time you were seen by my instance, interacting in a community I also have here), so not shared really.
I took a look at the json returned from your home instance, and again the info is profile page, username, information required for communication between instances with the only PII present being the username, the about and an icon and image.
Here's why I'm going to say this isn't likely to be a problem as such. This is the same as on reddit, if I look at a post a user makes I can click on the user and get access to this level of public information. Also under GDPR and DPA based on advice from the ICO data sharing isn't forbidden, but the minimum required to fulfil the function of that sharing should be sent. I think the above data meets that. There isn't information we don't need to work a distributed network like this.
I think the point about making a privacy policy visible is a good one. It should make it clear how the network works, and what kind of information is shared with federated instances (and also available to the public, the user query is publicly available). But the data that is federated is the same as is publicly available.
Now I do feel like there's the scope for a lot of manual work. For example, federation sometimes means that edits/deletes don't make it. It can be caused by problems on both sides of the connection. So if you want all your data deleted. Sure I could delete all posts and your user info here. And even make requests to the home instances that they delete them too. But, some might remain on remote instances, and I don't know who would be responsible for that. Some grey areas remain.
This is really interesting, thank you - I definitely agree there is grey areas and work to be done to ensure compliance as far as is possible!
It will be interesting to see how it all unpacks.
I agree, there is definitely work to be done regarding compliance.
If a screen name is an identifier doesn't that make literally every social website or forum a potential breach? That seems a bit harsh
Not if they are compliant and handle the data correctly, but yes it is a minefield and pretty strict with potential huge fines for non compliance and breaches! I would not want to be in charge of trying to get it all straight for Lemmy!
Non-federated services keep data on their servers or share it with well-defined set of partners. This can be be done in accordance to GDPR. In fediverse that data is broadcasted to anybody who wants to listen (this make the network open). That is a big difference.
I hope you never send an e-mail overseas. Your e-mail provider would be in breach.
Just to be clear - I don't think it is in breach but you have federated servers in various countries, some of which may be owned by entities that do business in the EU making copies of and forwarding messages that contain PII .
How would they be in breach?
Your email address (personal identifier) is right there in the from field. And in many cases, in the header there might be your IP address.
How is that a breach of GDPR?
Our point is, sharing the information required to make a network like this work is allowed provided you're not sending information not required. If you right a post on a community that is shared the information about you (user id, avatar etc) is required to render that message on other federated instances. In the same way as when you send an email the from address is required so that people can reply to the email.
If we were sending IP addresses and data on your browsing preferences to other instances, there would be an argument because it is not required operate the federated network (although you know the corporate players are all justifying their sharing of exactly that data and more). But we don't do that.
Thank you! Understand - I think the issue is there there is no documented policy on some instances, I don't know how each instance handles / shares my data and what the retention policies etc are. I seem to remember there are more controls required depending on where the data is being transferred to. Anyway, that's getting beyond what I am familiar with!
Yes, definitely and this has prompted me to write one up for mine. Even though right not it is just me, I am open to having around 100 active users on my instance. So this should be clear I think.
Awesome! I'm pretty sure there are some great websites with resources if you need it, although they likely come with a caveat they are not legal guidance :)
The ICO have a template. But now I need to go through and see what data is collected and check/adjust retention where relevant (http logs for example).
You send the exact same kind of information when you send an email.
Username, host, and IP.
But e-mail is sent from one entity to another, through servers providing service for one or the other party. Most of Lemmy and Mastodon activities are publicly broadcasted and can be received and collected by any federated server.
How do you know that? No registered entities, no policies, no assurance what so ever.
At least use the whole sentence when quoting to avoid confusion.
Looking through the activityStreams definition it seems only Usernames are shared (https://www.w3.org/TR/activitystreams-core/#actors), which is already personal Data according to another comment (https://lemmy.world/comment/929906)