this post was submitted on 06 Mar 2024
307 points (89.1% liked)

Highlighting the recent report of users and admins being unable to delete images, and how Trust & Safety tooling is currently lacking.

[–] maynarkh@feddit.nl 22 points 8 months ago (2 children)

You can’t and this is a shit article…the GDPR doesn’t apply to instances outside of the EU…

It absolutely does, if the company processes data of EU residents. The US enforces GDPR themselves, as they have signed an agreement to do so. To be clear, this means that according to US law, if you are a US web host, you can abuse US customer data and the FBI will not come after you, but if you do so with EU customer data, US authorities will come after you on behalf of the EU.

Literally people using the GDPR like it’s some gotcha thing for admins. If nothing is sold or offered to be sold and there is no financial gain it’s not going to apply.

Yeah it does, as soon as you are providing a service, if you have a user from the EU that's not you, it applies. And while GDPR fines are defined in a revenue percentage, there is a minimum of "up to 10 million EUR" for a violation.

On top of that good luck suing a FOSS dev.

Nobody is getting sued. EU data protection agencies don't "sue" people and companies. They fine them. The difference is that a lawsuit is a process where at the end you might need to pay money, but you mostly settle. A GDPR fine looks like you get a letter saying you need to pay an amount, if you want to appeal, you can do so after paying.

And it's not the devs that will be getting these fines, it's instance admins.

[–] yamanii@lemmy.world 10 points 8 months ago (2 children)

And this is why Misskey is a Mastodon instance that just blocked access if the person is from the EU, it's too much to ask for devs in a single digit that survive by donations or their own pocket money, this is a hobby for them.

[–] Badeendje@lemmy.world 5 points 8 months ago

Yeah, their main income is from a Dutch-based EU fund to help FOSS projects. So maybe, just maybe they can then fix issues in following Dutch/EU law.

[–] maynarkh@feddit.nl 4 points 8 months ago

Did they defederate from all instances allowing access to EU citizens? If not, they are still liable, as they are scraping EU citizens' data for federation. Even usernames are personal data according to the GDPR.

[–] SupraMario@lemmy.world -3 points 8 months ago (3 children)

It absolutely does, if the company processes data of EU residents. The US enforces GDPR themselves, as they have signed an agreement to do so. To be clear, this means that according to US law, if you are a US web host, you can abuse US customer data and the FBI will not come after you, but if you do so with EU customer data, US authorities will come after you on behalf of the EU.

No it does not, the instances are free, no one is making money off user data or selling anything to the user. It does not apply period.

Yeah it does, as soon as you are providing a service, if you have a user from the EU that's not you, it applies. And while GDPR fines are defined in a revenue percentage, there is a minimum of "up to 10 million EUR" for a violation.

No it does not, if you do not sell anything to anyone or offer any services or make any money it doesn't apply. Stop repeating bullshit.

Nobody is getting sued. EU data protection agencies don't "sue" people and companies. They fine them. The difference is that a lawsuit is a process where at the end you might need to pay money, but you mostly settle. A GDPR fine looks like you get a letter saying you need to pay an amount, if you want to appeal, you can do so after paying.

Good luck fining a host admin, of a foss instance. I don't know why you think that any admins of instances will be getting fined if they're not selling anything. You need to read up on the GDPR.

And it's not the devs that will be getting these fines, it's instance admins.

Again, no they will not.

[–] maynarkh@feddit.nl 2 points 8 months ago (1 children)

No it does not, the instances are free, no one is making money off user data or selling anything to the user. It does not apply period.

As per official EU communication:

The GDPR applies to:

  • a company or entity which processes personal data as part of the activities of one of its branches established in the EU, regardless of where the data is processed; or
  • a company established outside the EU and is offering goods/services (paid or for free) or is monitoring the behaviour of individuals in the EU.

Lemmy instances are entities that offer free services and are arguably monitoring the behaviour of individuals in the EU through federation. From the perspective of the GDPR, there is no difference between Facebook and a Lemmy instance regarding what they can or cannot do, or whether they get fined for something.

You need to read up on the GDPR yourself.

[–] SupraMario@lemmy.world 1 points 8 months ago (1 children)

What personal data is being processed by a Lemmy instance, what are they processing that's being sold in the EU? The GDPR does not apply here, stop trying to wiggle it into something it's not.

[–] maynarkh@feddit.nl 2 points 8 months ago* (last edited 8 months ago) (1 children)

Usernames at the very least, as online identifiers.

Art. 4 GDPR Definitions

For the purposes of this Regulation:

‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

And they don't need to be sold, just retained. GDPR applies even if there is no payment anywhere, even to non-commercial entities.

[–] SupraMario@lemmy.world 1 points 8 months ago (1 children)

Usernames are not PII...the GDPR only applies if someone is making money from the service. It does not mean just because your site is free but hosts ads or sells user data it's exempt. Lemmy instances do none of this.

[–] maynarkh@feddit.nl 2 points 8 months ago (1 children)

Usernames are not PII

What do you think an online identifier is then? And why would the GDPR only apply if there is money made? It specifically says in multiple places free services also count.

[–] SupraMario@lemmy.world 1 points 8 months ago (1 children)

https://www.ibm.com/topics/pii#:~:text=Personally%20identifiable%20information%20(PII)%20is,email%20address%20or%20phone%20number.

Usernames are not and never have been considered PII.

The GDPR states it clearly that the company/entity has to be collecting PII or selling something to the person. Lemmy does neither of these.

[–] maynarkh@feddit.nl 2 points 8 months ago (1 children)

How is IBM authoritative on this subject? And even so, this article doesn't say that usernames are not PII, it even indirectly says it is indirect PII.

Here's another random company's page saying usernames are PII: https://www.keepersecurity.com/blog/2023/06/14/what-is-personally-identifiable-information-pii/

The GDPR says it clearly and explicitly that:

  • online identifiers such as usernames are PII
  • selling data or money transactions of any kind is not a requirement for the GDPR rules to apply

[–] SupraMario@lemmy.world 0 points 8 months ago (1 children)

Usernames that are used in an internal network are, because they're linked to PII, a public username is not PII.

[–] maynarkh@feddit.nl 2 points 8 months ago

And where did you read that? If anything, public usernames are easier to correlate to form identities.

[–] Maalus@lemmy.world 2 points 8 months ago (1 children)

Why are you trying to be an authority on GDPR without even reading about what it is?

GDPR applies to all personal data of people currently in the EU. If you have a service that uses data from a person in the EU, you need to comply with it. It's not some "gotcha" law which goes in effect once you make money.

[–] SupraMario@lemmy.world 0 points 8 months ago (1 children)

What personal data is a Lemmy instance holding onto?

I'm pointing out how much bullshit is being spread in this damn thread by people who don't understand the law. You're the same damn users who get pissy with forums and demand action be taken using a law you don't understand.

[–] Maalus@lemmy.world 2 points 8 months ago (1 children)

You are the one who doesn't understand the law.

[–] SupraMario@lemmy.world 0 points 8 months ago (1 children)

Says the guy who's literally arguing with what lawyers in the USA say about the GDPR...good one.

[–] Maalus@lemmy.world 0 points 8 months ago (1 children)

Show me a lawyer that says "if you are processing data of EU citizens you can't get fined in the US". You don't know anything about GDPR. It's not some toothless law that only works in Europe.

[–] SupraMario@lemmy.world 0 points 8 months ago

What part of personal data do you not understand? Lemmy instances are not processing any personal data.

And the link I provided has already stated this, but here it is again.

https://www.dickinson-wright.com/news-alerts/what-usbased-companies-need-to-know#:~:text=The%20GDPR%20even%20applies%20if,language%20of%20an%20EU%20country%2C

[–] dameoutlaw@lemmy.ml 1 points 8 months ago (1 children)
[–] SupraMario@lemmy.world 1 points 8 months ago

Nothing in there about the GDPR... literally 0, because it's not part of hosting a forum that doesn't host private user data or collect non-essential cookies.