
"The SCOPE Act takes effect this Sunday, Sept. 1, and will require everyone to verify their age for social media."

So how does this work with Lemmy? Is anyone in Texas just banned, is there some sort of third party ID service lined up...for every instance, lol.

But seriously, how does Lemmy (or the fediverse as a whole) comply? Is there some way it just doesn't need to?

[-] Kaboom@reddthat.com 49 points 3 months ago

The same way lemmy works with GDPR. Lemmy completely ignores it.

[-] FarFarAway@lemmy.world 12 points 3 months ago

That's the vibe I'm getting. No problem.

At times like this I wish we had /c/LegalAdvice - would love for someone who says "IAAL" to chime in.

Some of the biggest lemmy instances - lemmy.world, feddit.de - are based in the EU. I don't understand how EU based instances like these would be able to get away with not following GDPR.

Though, it may be more that GDPR doesn't apply, as per https://decoded.legal/blog/2022/11/notes-on-operating-fediverse-services-mastodon-pleroma-etc-from-an-english-law-point-of-view/

[The UK GDPR] does not apply to … the processing of personal data by an individual in the course of a purely personal or household activity
But for those spinning up an instance of a fediverse service for them and their friends, for a hobby, I think there’s far more scope for argument.

In any case it seems like asking a fediverse instance to be compliant with the GDPR is possible, see for an example at https://sciences.re/ropa/ and https://mastodon.social/@robin/109331826373808946 for a discussion.

[-] Maalus@lemmy.world 4 points 3 months ago

They won't be able to the second someone reports them and a spotlight is put onto them. It does apply. Devs just don't give a shit and admins are hosting what's available.

It does apply.
admins are hosting what’s available.

After writing my comment above I realized that lemmy.world (an EU based instance) does in fact comply with the GDPR - their policy is described at https://legal.lemmy.world/privacy-policy/

So it's possible for fediverse instances to comply with the GDPR. What makes one think it wouldn't be doable?

They won’t be able to the second someone reports them and a spotlight is put onto them.

I mean, unless they give in and comply with the GDPR.

Devs just don’t give a shit

I guess you are referring to lemmy here. Considering who they are (they run lemmygrad.ml which is defederated from much of the fediverse) this isn't surprising. But lemmy isn't the only software on the fediverse - I'd check out piefed.social and mbin for starters.

The other thing is - if you think there's some software improvement needed to better comply with the GDPR, instead of asking overworked devs who are donating their free time to fix it - why not raise a pull request yourself with the fixes? (Or if you aren't much in the way of coding ability but have money burning in your pocket, hire someone to do the same and donate the result!)

[-] General_Effort@lemmy.world 1 points 3 months ago

So it’s possible for fediverse instances to comply with the GDPR. What makes one think it wouldn’t be doable?

That's not even remotely enough, even assuming that the information is sufficient.

Mastodon is in a much better place, on account of how federation works there. It might still not be enough. Lemmy instances would have to stop all federation with instances beyond the territorial reach of the GDPR or equivalent. Federation within that territory should only happen based on a contractual agreement between the owners, probably with every user given an explicit choice to opt out.

That’s not even remotely enough, even assuming that the information is sufficient.

What's not enough? lemmy.world's privacy policy?

Mastodon is in a much better place, on account of how federation works there. It might still not be enough.

Hmm... what's the difference?

Lemmy instances would have to stop all federation with instances beyond the territorial reach of the GDPR or equivalent.

Oof. This is indeed a tough one.

I recall that this isn't universally true - in some cases a country or territory may be deemed as GDPR equivalent and after that data transfer is allowed without additional safeguards, see for example https://www.torkin.com/insights/publication/european-commission-approves-of-canada-s-data-protection-regime-(again)#::text=What%20does%20this%20mean%20for,authorizations%20to%20transfer%20the%20data.

Even so, this does impose significant limits on federation due to the risk of transferring data to non-complying territories.

Federation within that territory should only happen based on a contractual agreement between the owners, probably with every user given an explicit choice to opt out.

Uh - if this is right, then this is even more restrictive and seems to suggest a fundamental incompatibility between federation and the GDPR overall.

But, this has got to be an already solved problem. Usenet has been around since the 1980s at least, and NNTP was basically federating before there was ActivityPub. I'm missing something obvious here I'm sure, but what?

[-] General_Effort@lemmy.world 1 points 3 months ago

What’s not enough? lemmy.world’s privacy policy?

There's way more to do than writing a privacy policy. And I don't think the policy meets the requirements but getting that right certainly needs a specialist.

Hmm… what’s the difference?

On mastodon, you follow a person, which they can refuse. Only then the data is automatically sent to your instance. On lemmy, you subscribe to a community and everyone's posts and comments are sent to yours. At least, that's how I understand it.

seems to suggest a fundamental incompatibility between federation and the GDPR overall.

You could say that there is a fundamental incompatibility between the internet and the GDPR, but that's by design. The internet is about sharing (ie processing) data. The GDPR says, you mustn't (unless).

Take the "right to be forgotten". Before the internet, people read their newspapers, threw them away, and forgot about it. The articles were still available in some dusty archive, but you finding them was laborious. With search engines, you could easily find any unflattering press coverage. So you get the right to make search engines remove these links and it's like back in the good old days. The fact that the GDPR is incompatible with existing technology is a feature, not a bug.

Bear in mind, that few of the people who passed the GDPR have any technical background. Of the people who interpret it - judges and lawyers - fewer still have one. They are not aware of how challenging any of these requirements are.

The main problem for the fediverse is that compliance requires a lot of expert legal knowledge. There's not just the GDPR but also the DSA and other regulations to follow.

Federation itself may also be problematic, since many more people get to be in control of the data than strictly necessary. The flow of data must be controlled and should be limited as much as possible. That would be much easier with a central authority in charge. But that's not a deal-breaker.

As GDPR-fans will tell you, data protection is a fundamental human right.

And I completely agree with this. I'm one of those who is a GDPR-fan as well as a fediverse fan.

We don’t let just anyone perform surgery, so don’t expect that just anyone should be able to run a social media site.

So this is the fundamental disagreement I feel. Progress generally entails moving things into the hands of the people. We're empowered because we can do things like program our own computers, 3-d print our own devices, and yes run our own social media site.

Deny a person that right, and you take a bit of their power away. By running my own single user instance, I make sure that I always own my own content, no one can take it away from me by suddenly shutting down their website (as has happened to e.g. elle.co for example).

As such, my goal here is to figure out how to let ma & pa joe run their own social media site on the fediverse, while staying GDPR compliant.

Of course, the same can be said of surgery but it's still not allowed. Obviously the harm from letting anyone try it is much worse than strictly regulating it, but is running a social media site on the fediverse likewise so harmful? Is there no way at all to strike the balance?

They need legal experts on the team.

I've been thinking about this. You are right of course, but I'd wager that this is outside of what most folks running instances can afford. In particular new devs who want to run their own single user instance.

So what's the way forward? I have come up with an idea for this. Basically we need to get some organization like the EU branch of the Electronic Frontier Foundation (EFF) to research this and come up with a HOWTO guide that covers most of the average cases - along with pointers on when something is not covered by the guide (so at least you know going in that you'd need to pay for that extra legal firepower).

On mastodon, you follow a person, which they can refuse. Only then the data is automatically sent to your instance. On lemmy, you subscribe to a community and everyone’s posts and comments are sent to yours. At least, that’s how I understand it.

I think you have understood correctly. This actually provided me with the epiphany that I needed. On forum-like software that speaks ActivityPub (like pyfedi or mbin), there's no actual need to actually transfer the content. Just send me a notification - with the "user" being a bot account named something like "federation_bot_messenger" with a link to the new post or comment, then bubble it up to the user to open in their browser. No content is shared, and no identifiers like a user name get shared, so there's no risk of a GDPR violation. It's just a link.

One could imagine that fancier web UIs might use an iframe or something to display the content inplace instead of requiring an extra manual click - but it's still only on the end user's browser that the content is transferred.

We could still have traditional federation - but just as you describe, the allow list for that is only for those instances where you know the folks (have contracts you said) and thus are assured that the transfer of content complies with the GDPR. For unknown instances, just do the link sharing. It could be implemented in a way that instances running older software would still see a post by the bot account with just the link inside. (Perhaps as an enhancement, folks could designate a trusted instance as the primary - e.g. my instance trusts lemmy.world as primary, so when it sends the links out, it sends out a lemmy.world link, to take the load off of my own instance from users clicking on links.)

Or am I missing anything here?

Bear in mind, that few of the people who passed the GDPR have any technical background. Of the people who interpret it - judges and lawyers - fewer still have one. They are not aware of how challenging any of these requirements are.

I think this is a bit unfair. Clearly they had technically knowledgable advisors at the very least. After all, they came up with exceptions like this,

There are two exceptions here: “Involuntary data transfer” is generally seen as not being part of the data handling. But that mainly applies to datascrapers like the web archive and similar usage where the data is transferred through general usage of a page that the DC cannot reasonably prevent without limiting the usage of their service massively.

That said I think I might have been a bit unfair to the lemmy devs. From https://tech.michaelaltfield.net/2024/03/04/lemmy-fediverse-gdpr/ I can see that pretty much all of the issues raised directly on lemmy itself have since been resolved - by a dev writing code to fix the problem. Even if GDPR isn't the highest priority, the devs are clearly at work trying to address what they can when they can.

[-] General_Effort@lemmy.world 1 points 3 months ago

Deny a person that right, and you take a bit of their power away. By running my own single user instance, I make sure that I always own my own content, no one can take it away from me by suddenly shutting down their website (as has happened to e.g. elle.co for example).

Hold on. You can't keep personal data longer than needed. Making data disappear from the web is one important demand by the GDPR.

Comments are problematic because they inherently relate to other persons beside yourself. It could be argued that you have to delete your own writings as well when you shut down your instance. Or it could be argued that other people's posts may be kept (possibly anonymized) because otherwise your personal data would be incomplete. The 2nd is obviously what reddit is doing. That seems to draw more criticism than praise from the lemmy community, to put it mildly.

The GDPR gives you rights over data, like copyright does. It inherently gives you a right to control what other people do on their own with their own physical property.

Of course, the same can be said of surgery but it’s still not allowed. Obviously the harm from letting anyone try it is much worse than strictly regulating it, but is running a social media site on the fediverse likewise so harmful? Is there no way at all to strike the balance?

You don't need to ask me. The GDPR is a terrible mistake, but that's not what people want to hear. People don't know the law and just chose to believe a happy fantasy. I believe, there is no way - at present - that an ordinary person can maintain an internet presence while being compliant with GDPR and other regulations. Mind, you also need to comply with the Digital Services Act and other stuff. With some skill, you can probably do a webpage, even with ads, but nothing where you interact with visitors and must collect data.

Basically we need to get some organization like the EU branch of the Electronic Frontier Foundation (EFF) to research this and come up with a HOWTO guide that covers most of the average cases - along with pointers on when something is not covered by the guide (so at least you know going in that you’d need to pay for that extra legal firepower).

Yes. The DPOs issue guidances and send out newsletters. That would be a place to start. Unfortunately, the different DPOs don't agree on everything. Maybe in a few years, this will all be at a point where ordinary people can be on the safe side by simply following a manual. The problem is that this will still require extra time and effort. Well, content moderation also requires a lot of time and effort. Maybe it won't be so much extra effort that it becomes impossible for hobbyists, but - on the whole - the future of the European internet belongs to big players.

We could still have traditional federation - but just as you describe, the allow list for that is only for those instances where you know the folks (have contracts you said) and thus are assured that the transfer of content complies with the GDPR. For unknown instances, just do the link sharing. It could be implemented in a way that instances running older software would still see a post by the bot account with just the link inside. (Perhaps as an enhancement, folks could designate a trusted instance as the primary - e.g. my instance trusts lemmy.world as primary, so when it sends the links out, it sends out a lemmy.world link, to take the load off of my own instance from users clicking on links.)

Or am I missing anything here?

I was thinking the same. Ironically, that is a problem because if there is such an alternative, then it must be used. If you can reach your goal by processing less personal data, then you must do so.

You'd only be hosting the communities created on your own instance. Apart from that, you'd simply authenticate the identities of users. One question is what that would do to server load. I don't know.

Unfortunately, confirming the identities also means transferring personal data. It would also mean that the remote instance is able to connect an IP-address to a username; potentially allowing the real life identity to be uncovered. Proxying the posts/comments may be the better solution, but when and how that should be done has no clear answer.

Clearly they had technically knowledgable advisors at the very least.

Yes. Those are commonly referred to as industry lobbyists.

“Involuntary data transfer”

I don't know what exception that is. There are rules for data breaches. I'm not at all sure how much you have to do to block crawlers.

Sorry for the late response, your last comment didn't federate, so I just saw it.

Agreed, but - while it might be permissible legally to wipe out my data and content, what if I want to retrieve a copy afterwards?

You have the right to request a copy of all your personal data from whoever controls it. Apparently that feature is still missing from lemmy.

I run my own single user instance and it's not that hard... I'd have to make some SQL queries to the database directly to retrieve the info but it's straightforward.

Well, in that case, barring credible contradicting information from another source, I think it’s reasonable to accept the note from the former worker of a DPO. Would you agree?

That quote is from here: https://lemmy.world/post/1060627

Yep that's the one.

I think I agree with pretty much everything they wrote. From what I understand, the apostrophes indicate that this is not official jargon. You can’t prevent web-scraping with any reasonable effort, so you don’t have to. The internet already exists. It’s too late to stop it now; better focus on stopping future progress.

Agreed.

Mind that there is nothing involuntary about federation. It’s not like web-scraping in that respect. You can just turn it off. You are left with something like an old school forum or reddit. No problem.

Yes but that also makes it less useful and viable, unfortunately. I guess it really is like email if we consider federation an essential feature. I can set up my own email server that doesn't talk to any other, but then it's not too useful since it'd just be me sending emails to myself.

So, federation is a must, but the question is how to make it work.

Hmm. Will need a good think about this - perhaps I should adjust my commenting style to avoid direct quoting and such…

If you take the view that context is a necessary part of your personal data, then merely avoiding quotes is probably not enough.

What more would need to be done?

And now I hit some kind of length limit so I had to break up the post. Moving right along,

That’s why I had the idea of creating and using the federation-bot account - this way there’s no confirmation of identities or transfer of personal data.

But what if someone wants to participate in a community on a different instance?

It would still work. The different instance would fetch the link containing the requested content and pass that on to the end user, where either the web UI running on the user's browser or the user's app would load the content. (Akin to a web browser loading the web page). It'd be up to the piece running on the end user's computer to match it all together.

At least, the texts and their context, along with the username and home instance, need to be revealed.

Yes, but the point is that, like an old-school forum, this is not revealed except by (and from) the original instance hosting the content, and only to the end user. It's not revealed until the end user's app/browser fetches the content from the original server. So since only a link is federated, the PII only exists on those two places. Meaning that the server admin has a much easier job to delete data, as they only have to get it deleted off their own instance.

If the end user then does webscraping ... well how can you prevent that?

And if someone creates a malicious instance that follows the link and screenscrapes it ... I assume it also falls under the "cannot prevent" bucket.

Taking a mental step back, it’s probably premature to worry about technological implementations. Sending data around does not have to be a violation. Compliance will require partly better information, and partly different administration. The legal aspects should be worked out before the necessary tools for the administrators are implemented.

The problem here is that means we devs have to sit back and wait. When will we get the answers we need? And how long do we have to be exposed before we can actually work on solving the problem?

We really do need a foundation like the EFF to provide that legal advice and support, but I think coming up with technical fixes is still worthwhile even as we wait...

There are also a lot of regulation for the backend, that instance owners have to comply with but which won’t be noticed by users. Documenting the data processing, who has access, possibly make data impact assessments, maybe notify the local data protection office, …

This seems like a good legal guide for an admin's and instance's jurisdiction is a must.

Oh, and by german law there also needs to be a (physical) address that can be served legal papers.

Interesting. In the US you can hire a lawyer to service that purpose, typically. In some jurisdictions, I wonder if something like https://www.alliancevirtualoffices.com/ may also work.

There’s also more from the DSA, like releasing transparency reports on moderation twice a year, making regular backups and testing those, … I’m not quite sure what all is demanded by the DSA.

You've mentioned this a bunch of times but .. what's the DSA again? I have no doubt it's related but curious to understand exactly what it is and how it fits in.

Could there be jurisdictions that have only DSA and no GDPR, and others with GDPR and no DSA?

Ok, once more, continuing,

Hmm - if different DPOs can’t agree, then I don’t see how we get to the point of a user friendly manual.

I’m thinking about the issue of web-scraping, in particular. Some say that it’s almost always illegal. The European Commission, for one, disagrees.

I pulled this from google: https://www.morganlewis.com/pubs/2024/05/eu-regulator-adopts-restrictive-gdpr-position-on-data-scraping-impacting-ai-technologies

Thank you, that's a really good example! I understand the need to rein in AI, of course. My point stands (and it doesn't seem like you disagree) - a user friendly manual remains difficult to achieve.

Web-scraping is in some ways related. You could also get (almost all of) the data through scraping. If it’s not legal to scrape lemmy without permission, then it’s probably not legal to spin up your own instance and get the data that way. It depends on your purpose, of course.

Interesting. So pyfedi is a good example - the software supports backfilling when the instance discovers a new community/magazine on another instance for the first time, but it does it via API only. This means no backfilling of comments, and sometimes you can see posts from years ago in a stale magazine but which don't get backfilled because the API doesn't return them.

That’s also why I find the whole issue a little silly. Someone outside Europe could just scrape the data from the web interface and not worry about the GDPR.

Clearview AI is a good example of exactly this kind of bad actor, see https://lemmy.world/comment/12151959

But it seems like even then there are ways to enforce.

You’d have to put all of Europe behind a firewall to make it make sense.

Interestingly I've seen the reverse happen - websites blocking access to ip addresses that appear to be based in the EU to avoid having to deal with the GDPR and its ramifications.

That’s a prime example of why I say the people in charge of the GDPR have no idea of the technology they are regulating.

I disagree. The issue you're describing is a common one in terms of extraterritoriality. How does the IRS get US citizens who are dual citizens living abroad to still pay taxes to the US? Enforcing laws extraterritorially is never easy, but as the IRS has proven, it is possible.

I am one of those hoping that the GDPR would be a tool for the opposite (a way to rein in the big players, so to speak).

Me too. I'd say this is point one of what I'd like the GDPR to achieve.

Such regulation inherently favors big players. The cost of creating a compliant service/app/etc is fairly constant, regardless of the size of the user base.
This is what’s inherently disturbing to me.

Same here. I'm thinking one way forward may be to add funding to expand the agencies - one side does the regulation, but the other side offers free services to small business and individuals to help them comply.

Besides, the GDPR inherently favors elites. Most people will never have ... the money to hire professionals to do it right.

No, I think that's a plus of the GDPR. Cost is on the company to comply and relevant gov't agency to chase up if the company doesn't. Facebook was brought in line, so it seems like a success so far. An example of point one above working.

Besides, the GDPR inherently favors elites. Has anyone ever ... chased after you to get paparazzi pictures? Some people’s personal data is worth a lot more than that of others. Most people will never have to worry about scrubbing unflattering media stories from search engines,

Isn't this specifically covered by the journalism exception that the GDPR provides? https://verfassungsblog.de/the-gdprs-journalistic-exemption-and-its-side-effects/

Has anyone ever tracked your private jet on twitter?

I can kind of understand this though. What if I want that hidden so militants with missiles can't shoot me down? Easily justifiable by protection of life.

Even if it is flawed it’s still a step in the right direction IMVHO. I’m in Canada, which had PIPEDA back in 2000 - 18 years before the GDPR took effect in the EU.

Tell me what you hope the GDPR will achieve and I’ll tell you if there is any chance.

See where I mention point one above.

I’d write what the fundamental problems are, but time is short.

Seeing as it's a couple of months later, I'd add that I'm willing to wait if you think you will ever get around to it. Though you have already brought up some good points - the most salient one being that GDPR compliance is simply too expensive and not user friendly for a small time individual, but I still feel that this is something that can be improved upon without major revisions to the GDPR itself.

Hold on. You can’t keep personal data longer than needed. Making data disappear from the web is one important demand by the GDPR.

Agreed, but - while it might be permissible legally to wipe out my data and content, what if I want to retrieve a copy afterwards?

I wouldn't want to keep control over other people's content, but regarding my own...

“Involuntary data transfer”
I don’t know what exception that is. There are rules for data breaches. I’m not at all sure how much you have to do to block crawlers.

Well, in that case, barring credible contradicting information from another source, I think it's reasonable to accept the note from the former worker of a DPO. Would you agree?

Comments are problematic because they inherently relate to other persons beside yourself. It could be argued that you have to delete your own writings as well when you shut down your instance.

Hmm. Will need a good think about this - perhaps I should adjust my commenting style to avoid direct quoting and such...

Ironically, that is a problem because if there is such an alternative, then it must be used. If you can reach your goal by processing less personal data, then you must do so.

All the more reason to get started on it, I suppose.

You’d only be hosting the communities created on your own instance. Apart from that, you’d simply authenticate the identities of users.

Well, and dealing with responsible for user content from your instance's local users - but since it's just the one instance (or small handful if you trust a few others) it's still much more manageable. And it becomes zero for, e.g., single-user instances (since those would have zero other users and thus zero other content to worry about hosting).

Unfortunately, confirming the identities also means transferring personal data.

That's why I had the idea of creating and using the federation-bot account - this way there's no confirmation of identities or transfer of personal data.

One question is what that would do to server load. I don’t know.

Server admin question. Can save that for serverfault.com and the like IMVHO

Proxying the posts/comments may be the better solution, but when and how that should be done has no clear answer.

One of those things that need experimentation and research to determine, but an answer can be found.

Unfortunately, the different DPOs don’t agree on everything. Maybe in a few years, this will all be at a point where ordinary people can be on the safe side by simply following a manual.

Hmm - if different DPOs can't agree, then I don't see how we get to the point of a user friendly manual.

Maybe it won’t be so much extra effort that it becomes impossible for hobbyists, but - on the whole - the future of the European internet belongs to big players.

This is what's inherently disturbing to me. I am one of those hoping that the GDPR would be a tool for the opposite (a way to rein in the big players, so to speak).

People don’t know the law and just chose to believe a happy fantasy.

It was a surprise to read from the former DPO worker that email as a system is not compliant with the GDPR.

I believe, there is no way - at present - that an ordinary person can maintain an internet presence while being compliant with GDPR and other regulations.

Hmm. I am starting to see why you take this view. Not saying I agree, but I can understand the frustration. That said, PIPEDA in Canada came to pass in 2000 - it's considered to have GDPR-equivalency and we've not had the sort of issues that you are raising with PIPEDA, which makes me optimistic that the GDPR can likewise be something that folks can live with.

The GDPR is a terrible mistake, but that’s not what people want to hear.

Even if it is flawed it's still a step in the right direction IMVHO. I'm in Canada, which had PIPEDA back in 2000 - 18 years before the GDPR took effect in the EU. Hence I believe a solution is workable and a balance can be struck - even if in the worst case that means additional legislation to tweak the existing law. (Though I'd not even go that far - for example, from the former DPO, it seems that if EU courts all agreed that the API behind federation was covered by the "involuntary data transfer" exception then Lemmy would already be GDPR compliant (or mostly so) as-is of the time that I write this.)

[-] General_Effort@lemmy.world 2 points 3 months ago

a purely personal or household activity

No chance. This is what makes it legal to share data within a family and, to a degree, among friends. Running an open social media platform is neither a personal nor a household activity.

The UK is not part of the EU. They kept the GDPR when they left, but it should not be assumed that the UK interpretation is always the same.

The GDPR is not very thoroughly enforced; much to the chagrin of some people. This may or may not change in the future. It would be politically quite unpopular, a bit like thoroughly enforcing no-parking zones.

a purely personal or household activity
No chance. This is what makes it legal to share data within a family and, to a degree, among friends. Running an open social media platform is neither a personal nor a household activity.

Hmm.

So running a single user instance for my own personal use (and keeping in mind the nature of federation meaning the only stuff my instance sends out is the stuff that I write) is absolutely not covered by the above?

The UK is not part of the EU. They kept the GDPR when they left, but it should not be assumed that the UK interpretation is always the same.

That is a very good point indeed.

The GDPR is not very thoroughly enforced; much to the chagrin of some people. This may or may not change in the future. It would be politically quite unpopular, a bit like thoroughly enforcing no-parking zones.

Seems risky to rely on low enforcement though. For those of us who love federation and privacy and want to federate while complying with the GDPR - what must be done?

[-] General_Effort@lemmy.world 1 points 3 months ago

(and keeping in mind the nature of federation meaning the only stuff my instance sends out is the stuff that I write)

The stuff you write is personal data as long as it can be connected to your identity and so protected under the GDPR. But that's a problem for other people.

Your problem is the personal data of other people that come under your control. For starters, you need to answer this question: What legal basis do you have for processing that data?

For those of us who love federation and privacy and want to federate while complying with the GDPR - what must be done?

They need legal experts on the team. As GDPR-fans will tell you, data protection is a fundamental human right. We don't let just anyone perform surgery, so don't expect that just anyone should be able to run a social media site.

Complying with the GDPR is challenging at the best of times. When you handle personal data, some of it sensitive, at the scale of a fediverse instance, it becomes extremely hard.

Strictly speaking, it's impossible. E.g., you need to provide information about what you do with the data in simple language. The information also needs to be complete. If the explanation is too long and people just click accept without reading, that's not proper consent. You need to square that circle in a way that any judge will accept. That's impossible for now. Maybe in a few years, when there's more case law, there'll be a solid consensus.

Complying as well as possible will require the input of legal experts, specialized in the law of social media sites. The GDPR is not the only relevant law. There's also the DSA, quite possibly other stuff I am not aware of, and local laws.

Definite problems, I can see:

  1. Under German law, an instance owner has to provide an address that may be served legal papers.
  2. It's possible to embed images, but under the GDPR, there must not be connections to 3rd party servers without consent. In fact, all out-going links are a problem.
  3. Federation itself. You can't federate with an instance if you haven't made sure that they comply with GDPR.

[-] General_Effort@lemmy.world 1 points 3 months ago

It is a problem. If anyone complains or sues about GDPR compliance, they will get fined and/or have to pay damages.

There's also other regulations, like the DSA. I'm fairly sure the GDPR isn't the only legal problem.

[-] Kaboom@reddthat.com -3 points 3 months ago

It's going to be a big problem when the EU catches wind. GDPR is a nasty law, hard to comply with properly, and has harsh fines. And no, "we tried to comply" will not fly.

[-] Don_alForno@feddit.org 2 points 3 months ago

hard to comply with properly

Not at all. Don't collect personal data that's not technically necessary for the service to work. Tell users what data is collected and for what purposes. Done.

[-] General_Effort@lemmy.world 0 points 3 months ago

That's not true. Out of curiosity, where did you learn that?

[-] Nibodhika@lemmy.world 7 points 3 months ago

It doesn't exactly ignore it, but in a sense GDPR doesn't apply to Lemmy.

Long story short, GDPR is made to protect private information, and EVERYTHING in Lemmy is public so there is no private information to protect. It's similar to things like pastebin or even public feed in Facebook, companies cannot be penalized for people willingly exposing their information publicly, but private information that is made public is a problem.

[-] General_Effort@lemmy.world 2 points 3 months ago

That is entirely incorrect. It is general data protection regulation, not privacy regulation.

You are given certain rights over data relating to you. For example: you may have it deleted. Have you googled the name of a person? At the bottom, you will find a notice that "some results may have been removed". Under the GDPR, you can make search engines delete links relating to you; for example, links to unflattering news stories (once you are out of the public eye).

[-] Nibodhika@lemmy.world 1 points 3 months ago

Sorry, forgot about answering here. Although the name is General data it is about personal data. I was going to reply with point by point why it either doesn't apply to Lemmy or it follows GDPR, but I think it might be easier to answer directly your point about right to be forgotten.

First of all Lemmy allows you to delete your posts and user so it complies with it, but even if it didn't GDPR has this to say:

Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

Paragraphs 1 and 2 are the right to be forgotten

for exercising the right of freedom of expression and information;

Which one could argue is public forum primary use

for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing;

Which again one could argue is part of the purpose of Lemmy as well.

[-] General_Effort@lemmy.world 1 points 3 months ago

I was going to reply with point by point why it either doesn’t apply to Lemmy or it follows GDPR

It does apply to lemmy and lemmy is not compliant. That is simply a fact as far as the courts have ruled so far.

Which one could argue is public forum primary use

One can argue a lot. But if such hand-wavy arguments work, then why do you think anyone ever has to pay fines or damages?

For this argument to work, you have to argue that erasing the precise personal data in question would infringe on someone else's right to freedom of expression and information.

The original "right to be forgotten" was about links to media reports. The media reports themselves did not have to be deleted because of freedom of information, but google had to delete the links to them to make them harder to find. This is a narrow exception. Under EU law, data protection and these freedoms are both fundamental rights. They must be balanced. The GDPR dictates how. These exceptions will only apply where these freedoms are infringed in a big way.

At least, you have to do like reddit and anonymize the comments and posts. It could be argued that you actually may not even do more. Removing comments that someone else has replied to arguably makes their personal data incomplete. Reddit's approach meets a lot of outspoken criticism on lemmy.

The problem is that the data is duplicated all over the federated instances. So, someone on your instance deletes their data. Other instances also delete their copies. What do you do if someone in the US refuses to delete and maybe gives you that argument about freedom of expression? That's right. You pay damages to your user because you screwed it up.

[-] Nibodhika@lemmy.world 1 points 3 months ago

Still, the archival nature of decentralized communities is one of the primary objectives of the technology. It's arguably the defining feature of any decentralized thing that no one controls everything so things are meant to stay "forever". Otherwise Bitcoin would be completely illegal since there's no way to delete information there.

What do you do if someone in the US refuses to delete and maybe gives you that argument about freedom of expression? That's right. You pay damages to your user because you screwed it up.

Not really, again, the text of the law states that if the information has been made public the company must inform whoever they made the data public to:

Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

AFAIK Lemmy federates deletions; whether an instance acts on it or not is another matter.

But GDPR doesn't work like you think, let me give you an example, say you sent an email from provider A to someone on provider B, then you decide to delete that email account, the email you sent will still be in provider B, even if company A deletes all of your information that email is still there and won't get deleted. This is fine with GDPR, otherwise no email provider could operate here. Same goes for other federated or decentralized technologies.

[-] General_Effort@lemmy.world 1 points 3 months ago

Still, the archival nature of decentralized communities is one of the primary objectives of the technology. It’s arguably the defining feature of any decentralized thing that no one controls everything so things are meant to stay “forever”. Otherwise Bitcoin would be completely illegal since there’s no way to delete information there.

Any number of people here will happily tell you where to shove your illegal technology. In truth, the GDPR is explicitly meant to limit what may be done with existing technology.

With crypto, one can make use of some existing exceptions and perhaps create compliant apps. I'm not familiar with those. Much of that stuff is not compliant. There isn't a lot of enforcement.


So that's my bad. I pointed out the issue with the right to erasure to highlight the problem. In truth, the probable violation happens when the data is shared. With e-mail, the user sends their own data, just like while clicking links. The transfer of data for lemmy federation is under the control of the instances involved. It might still be okay, like serving the data over the web. But that requires the user to know what's going on.

If you could hand-wave these problems away so easily, Meta would not be paying those huge fines. What do you actually think that's about?

[-] Nibodhika@lemmy.world 1 points 3 months ago

Data in Bitcoin is undeletable, it's impossible for any law to force anything from being deleted on Bitcoin. Then the same exceptions that apply there would apply to Lemmy since the technology is similar in the relevant aspects (besides deletion being theoretically possible on Lemmy).

As for Meta, the problem is that the data they're sharing is not public. Meta is not getting fined for sharing things you posted on your publicly, since they share those regardless by virtue of them existing and being publicly available, they're fined for sharing things you put privately or data derived from non publicly available sources such as how you interact with Meta.

Any information that a user willingly makes public can be processed in any way, even if it includes identifiable medical information (which is the biggest no-no of GDPR). It even has a specific point about it in 9.2.e

processing relates to personal data which are manifestly made public by the data subject;

Essentially saying you can process anything that was made public by the person. GDPR is to protect people from companies doing shady things, not to prevent people from themselves. Because EVERYTHING is public in Lemmy, all data in it has been manifestly made public by the person who created it.

[-] General_Effort@lemmy.world 1 points 3 months ago

Bitcoin.

It may be illegal to operate a bitcoin miner in Europe. That's entirely possible. I don't think the courts would go so far as to outlaw crypto in Europe via that route. But who knows.

the technology is similar in the relevant aspects

No. You can just turn off federation. You can make contracts with the instances you federate with. With crypto, you have to send the whole blockchain around, or else you don't have crypto.

As for Meta, the problem is that the data they’re sharing is not public.

No. Look up what companies and people are fined for.

Any information that a user willingly makes public can be processed in any way

No! NO!!!

You may not process any personal data without a legal basis. It does not matter if public or not.

Certain sensitive personal data may not be processed at all, even with a legal basis. Except in certain circumstances listed in Article 9.

this post was submitted on 30 Aug 2024
236 points (97.6% liked)

Ask Lemmy
