Texas SCOPE act takes effect Sunday. How does Lemmy comply?(www.click2houston.com)

Some of the biggest lemmy instances - lemmy.world, feddit.de - are based in the EU. I don’t understand how EU based instances like these would be able to get away with not following GDPR.

Though, it may be more that GDPR doesn’t apply, as per https://decoded.legal/blog/2022/11/notes-on-operating-fediverse-services-mastodon-pleroma-etc-from-an-english-law-point-of-view/

[The UK GDPR] does not apply to … the processing of personal data by an individual in the course of a purely personal or household activity
But for those spinning up an instance of a fediverse service for them and their friends, for a hobby, I think there’s far more scope for argument.

In any case it seems like asking a fediverse instance to be compliant with the GDPR is possible, see for an example at https://sciences.re/ropa/ and https://mastodon.social/@robin/109331826373808946 for a discussion.

permalink

report

parent

[ - ]

Maalus@lemmy.world

4 points

3 months ago

They won’t be able to the second someone reports them and a spotlight is put onto them. It does apply. Devs just don’t give a shit and admins are hosting what’s available.

permalink

report

parent

[ - ]

abff08f4813c@j4vcdedmiokf56h3ho4t62mlku.srv.us

3 points

2 months ago

It does apply.
admins are hosting what’s available.

After writing my comment above I realized that lemmy.world (an EU based instance) does in fact comply with the GDPR - their policy is described at https://legal.lemmy.world/privacy-policy/

So it’s possible for fediverse instances to comply with the GDPR. What makes one think it wouldn’t be doable?

They won’t be able to the second someone reports them and a spotlight is put onto them.

I mean, unless they give in and comply with the GDPR.

Devs just don’t give a shit

I guess you are referring to lemmy here. Considering who they are (they run lemmygrad.ml which is defederated from much of the fediverse) this isn’t surprising. But lemmy isn’t the only software on the fediverse - I’d check out piefed.social and mbin for starters.

The other thing is - if you think there’s some software improvement needed to better comply with the GDPR, instead of asking overworked devs who are donating their free time to fix it - why not raise a pull request yourself with the fixes? (Or if you aren’t much in the way of coding ability but have money burning in your pocket, hire someone to do the same and donate the result!)

permalink

report

parent

[ - ]

General_Effort@lemmy.world

1 point

2 months ago

So it’s possible for fediverse instances to comply with the GDPR. What makes one think it wouldn’t be doable?

That’s not even remotely enough, even assuming that the information is sufficient.

Mastodon is in a much better place, on account of how federation works there. It might still not be enough. Lemmy instances would have to stop all federation with instances beyond the territorial reach of the GDPR or equivalent. Federation within that territory should only happen based on a contractual agreement between the owners, probably with every user given an explicit choice to opt out.

permalink

report

parent

[ - ]

abff08f4813c@j4vcdedmiokf56h3ho4t62mlku.srv.us

2 points

2 months ago

That’s not even remotely enough, even assuming that the information is sufficient.

What’s not enough? lemmy.world’s privacy policy?

Mastodon is in a much better place, on account of how federation works there. It might still not be enough.

Hmm… what’s the difference?

Lemmy instances would have to stop all federation with instances beyond the territorial reach of the GDPR or equivalent.

Oof. This is indeed a tough one.

I recall that this isn’t universally true - in some cases a country or territory may be deemed as GDPR equivalent and after that data transfer is allowed without additional safeguards, see for example https://www.torkin.com/insights/publication/european-commission-approves-of-canada-s-data-protection-regime-(again)#::text=What%20does%20this%20mean%20for,authorizations%20to%20transfer%20the%20data.

Even so, this does impose significant limits on federation due to the risk of transferring data to non-complying terrotories.

Federation within that territory should only happen based on a contractual agreement between the owners, probably with every user given an explicit choice to opt out.

Uh - if this is right, then this is even more restrictive and seems to suggest a fundamental incompatibility between federation and the GDPR overall.

But, this has got to be an already solved problem. Usenet has been around since the 1980s at least, and NNTP was basically federating before there was ActivityPub. I’m missing something obvious here I’m sure, but what?

permalink

report

parent

[ - ]

General_Effort@lemmy.world

1 point

2 months ago

What’s not enough? lemmy.world’s privacy policy?

There’s way more to do than writing a privacy policy. And I don’t think the policy meets the requirements but getting that right certainly needs a specialist.

Hmm… what’s the difference?

On mastodon, you follow a person, which they can refuse. Only then the data is automatically sent to your instance. On lemmy, you subscribe to a community and everyone’s posts and comments are sent to yours. At least, that’s how I understand it.

seems to suggest a fundamental incompatibility between federation and the GDPR overall.

You could say that there is a fundamental incompatibility between the internet and the GDPR, but that’s by design. The internet is about sharing (ie processing) data. The GDPR says, you mustn’t (unless).

Take the “right to be forgotten”. Before the internet, people read their newspapers, threw them away, and forgot about it. The articles were still available in some dusty archive, but you finding them was laborious. With search engines, you could easily find any unflattering press coverage. So you get the right to make search engines remove these links and it’s like back in the good old days. The fact that the GDPR is incompatible with existing technology is a feature, not a bug.

Bear in mind, that few of the people who passed the GDPR have any technical background. Of the people who interpret it - judges and lawyers - fewer still have one. They are not aware of how challenging any of these requirements are.

The main problem for the fediverse is that compliance requires a lot of expert legal knowledge. There’s not just the GDPR but also the DSA and other regulations to follow.

Federation itself may also be problematic, since many more people get to be in control of the data than strictly necessary. The flow of data must be controlled and should be limited as much as possible. That would be much easier with a central authority in charge. But that’s not a deal-breaker.

permalink

report

parent

Show more comments

[ - ]

General_Effort@lemmy.world

2 points

2 months ago

a purely personal or household activity

No chance. This is what makes it legal to share data within a family and, to a degree, among friends. Running an open social media platform is neither a personal nor a household activity.

The UK is not part of the EU. They kept the GDPR when they left, but it should not be assumed that the UK interpretation is always the same.

The GDPR is not very thoroughly enforced; much to the chagrin of some people. This may or may not change in the future. It would be politically quite unpopular, a bit like thoroughly enforcing no-parking zones.

permalink

report

parent

[ - ]

abff08f4813c@j4vcdedmiokf56h3ho4t62mlku.srv.us

1 point

2 months ago

a purely personal or household activity
No chance. This is what makes it legal to share data within a family and, to a degree, among friends. Running an open social media platform is neither a personal nor a household activity.

Hmm.

So running a single user instance for my own personal use (and keeping in mind the nature of federation meaning the only stuff my instance sends out is the stuff that I write) is absolutely not covered by the above?

The UK is not part of the EU. They kept the GDPR when they left, but it should not be assumed that the UK interpretation is always the same.

That is a very good point indeed.

The GDPR is not very thoroughly enforced; much to the chagrin of some people. This may or may not change in the future. It would be politically quite unpopular, a bit like thoroughly enforcing no-parking zones.

Seems risky to rely on low enforcement though. For those of us who love federation and privacy and want to federate while complying with the GDPR - what must be done?

permalink

report

parent

[ - ]

General_Effort@lemmy.world

1 point

2 months ago

(and keeping in mind the nature of federation meaning the only stuff my instance sends out is the stuff that I write)

The stuff you write is personal data as long as it can be connected to your identity and so protected under the GDPR. But that’s a problem for other people.

Your problem is the personal data of other people that come under your control. For starters, you need to answer this question: What legal basis do you have for processing that data?

For those of us who love federation and privacy and want to federate while complying with the GDPR - what must be done?

They need legal experts on the team. As GDPR-fans will tell you, data protection is a fundamental human right. We don’t let just anyone perform surgery, so don’t expect that just anyone should be able to run a social media site.

Complying with the GDPR is challenging at the best of times. When you handle personal data, some of it sensitive, at the scale of a fediverse instance, it becomes extremely hard.

Strictly speaking, it’s impossible. EG you need to provide information about what you do with the data in simple language. The information also needs to be complete. If the explanation is too long and people just click accept without reading, that’s not proper consent. You need to square that circle in a way that any judge will accept. That’s impossible for now. Maybe in a few years, when there’s more case law, there’ll be a solid consensus.

Complying as well as possible will require the input of legal experts, specialized in the law of social media sites. The GDPR is not the only relevant law. There’s also the DSA, quite possibly other stuff I am not aware of, and local laws.

Definite problems, I can see:

Under german law, an instance owner has to provide an address, that may be served legal papers.
It’s possible to embed images, but under the GDPR, there must not be connections to 3rd party servers without consent. In fact, all out-going links are a problem.
Federation itself. You can’t federate with instance, if you haven’t made sure that they comply with GDPR.

permalink

report

parent

Show more comments

[ - ]

General_Effort@lemmy.world

1 point

2 months ago

It is a problem. If anyone complains or sues about GDPR compliance, they will get fined and/or have to pay damages.

There’s also other regulations, like the DSA. I’m fairly sure the GDPR isn’t the only legal problem.

permalink

report

parent

[ - ]

Kaboom@reddthat.com

-3 points

2 months ago

It’s going to be a big problem when the EU catches wind. Gpdr is a nasty law, hard to comply with properly, and has harsh fines. And no, “we tried to comply” will not fly

permalink

report

parent

[ - ]

Don_alForno@feddit.org

2 points

2 months ago

hard to comply with properly

Not at all. Don’t collect personal data that’s not technically necessary for the service to work. Tell users what data is collected and for what purposes. Done.

permalink

report

parent

[ - ]

General_Effort@lemmy.world

0 points

2 months ago

That’s not true. Out of curiosity, where did you learn that?

permalink

report

parent

Ask Lemmy

!asklemmy@lemmy.world

Create post

A Fediverse community for open-ended, thought provoking questions

Please don’t post about US Politics. If you need to do this, try !politicaldiscussion@lemmy.world

Rules: (interactive)

1) Be nice and; have fun

Doxxing, trolling, sealioning, racism, and toxicity are not welcomed in AskLemmy. Remember what your mother said: if you can’t say something nice, don’t say anything at all. In addition, the site-wide Lemmy.world terms of service also apply here. Please familiarize yourself with them

2) All posts must end with a '?'

This is sort of like Jeopardy. Please phrase all post titles in the form of a proper question ending with ?

3) No spam

Please do not flood the community with nonsense. Actual suspected spammers will be banned on site. No astroturfing.

4) NSFW is okay, within reason

Just remember to tag posts with either a content warning or a [NSFW] tag. Overtly sexual posts are not allowed, please direct them to either !asklemmyafterdark@lemmy.world or !asklemmynsfw@lemmynsfw.com. NSFW comments should be restricted to posts tagged [NSFW].

5) This is not a support community.

It is not a place for ‘how do I?’, type questions. If you have any questions regarding the site itself or would like to report a community, please direct them to Lemmy.world Support or email info@lemmy.world. For other questions check our partnered communities list, or use the search function.

Reminder: The terms of service apply here too.

Partnered Communities:

Logo design credit goes to: tubbadu

Community stats

11K
Monthly active users
2.5K
Posts
78K
Comments

A Fediverse community for open-ended, thought provoking questions

Rules: (interactive)

Partnered Communities:

Community stats

Community moderators